Overview

overview

10

Static

static

10

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    tmp

  • Size

    48KB

  • Sample

    240422-jqez5shc31

  • MD5

    84390188f985b677d7791e1ac337b20b

  • SHA1

    6b03cc432e9db6e4e27570e96aac1ebd7a87416a

  • SHA256

    a13b433519a5f4ec9fb2338575371222bdf7147dcb96f31954167733ab3d7c0d

  • SHA512

    406a2c386613cc1411ed83cf6b1341543a079e7cc2f83f4f3c5d638fa0103146f444b0849b7981779970084ba44683f2128e7357ce9d45b2a1e85738a0736c86

  • SSDEEP

    768:zynb12Aw5J6HC4kq5Jp9bjAzhyY55J+NStcEeUlyqgZl4p67lhPC:Ub1MsHz3JDwhyWr+N95OTga6O

Score
10/10
runningratpersistencerat

Malware Config

Targets

    • Target

      tmp

    • Size

      48KB

    • MD5

      84390188f985b677d7791e1ac337b20b

    • SHA1

      6b03cc432e9db6e4e27570e96aac1ebd7a87416a

    • SHA256

      a13b433519a5f4ec9fb2338575371222bdf7147dcb96f31954167733ab3d7c0d

    • SHA512

      406a2c386613cc1411ed83cf6b1341543a079e7cc2f83f4f3c5d638fa0103146f444b0849b7981779970084ba44683f2128e7357ce9d45b2a1e85738a0736c86

    • SSDEEP

      768:zynb12Aw5J6HC4kq5Jp9bjAzhyY55J+NStcEeUlyqgZl4p67lhPC:Ub1MsHz3JDwhyWr+N95OTga6O

    Score
    10/10
    runningratpersistencerat

    • RunningRat

      RunningRat is a remote access trojan first seen in 2018.

      ratrunningrat

    • Sets DLL path for service in the registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Creates a Windows Service

      persistence

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks