General

  • Target

    a2d7a570dc6b46bed057743394b59577.exe

  • Size

    48KB

  • Sample

    241017-pp2qea1cll

  • MD5

    a2d7a570dc6b46bed057743394b59577

  • SHA1

    4288fb43166954fc551b502585e481f629f89e91

  • SHA256

    96bed5fdefc903bc41e0ffbe328e8ed6cb4c3261dd711b3e3e7b56df45d90135

  • SHA512

    fee4d1bed29187e0298d4b19550827a313e1d1515f742fc8fe52b5dc82cf06bf3915b9e4a00c43d672f2e7b3b146fd1887737446ee9b3e11253967879ddc4898

  • SSDEEP

    768:zynb12Aw5J6HC4kq5Jp9bjAzhyY55J+NStcEeUlyqgZl4p67RhPC:Ub1MsHz3JDwhyWr+N95OTga6S

Malware Config

Extracted

Family

runningrat

C2

119.91.152.151

Targets

    • Target

      a2d7a570dc6b46bed057743394b59577.exe

    • Size

      48KB

    • MD5

      a2d7a570dc6b46bed057743394b59577

    • SHA1

      4288fb43166954fc551b502585e481f629f89e91

    • SHA256

      96bed5fdefc903bc41e0ffbe328e8ed6cb4c3261dd711b3e3e7b56df45d90135

    • SHA512

      fee4d1bed29187e0298d4b19550827a313e1d1515f742fc8fe52b5dc82cf06bf3915b9e4a00c43d672f2e7b3b146fd1887737446ee9b3e11253967879ddc4898

    • SSDEEP

      768:zynb12Aw5J6HC4kq5Jp9bjAzhyY55J+NStcEeUlyqgZl4p67RhPC:Ub1MsHz3JDwhyWr+N95OTga6S

    • RunningRat

      RunningRat is a remote access trojan first seen in 2018.

    • Server Software Component: Terminal Services DLL

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Creates a Windows Service

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks