Extracted

• • Target

    96bed5fdefc903bc41e0ffbe328e8ed6cb4c3261dd711b3e3e7b56df45d90135.exe

  • Size

    48KB

  • MD5

    a2d7a570dc6b46bed057743394b59577

  • SHA1

    4288fb43166954fc551b502585e481f629f89e91

  • SHA256

    96bed5fdefc903bc41e0ffbe328e8ed6cb4c3261dd711b3e3e7b56df45d90135

  • SHA512

    fee4d1bed29187e0298d4b19550827a313e1d1515f742fc8fe52b5dc82cf06bf3915b9e4a00c43d672f2e7b3b146fd1887737446ee9b3e11253967879ddc4898

  • SSDEEP

    768:zynb12Aw5J6HC4kq5Jp9bjAzhyY55J+NStcEeUlyqgZl4p67RhPC:Ub1MsHz3JDwhyWr+N95OTga6S

  Score

  10^/10

  runningratdiscoverypersistencerat

  • RunningRat

    RunningRat is a remote access trojan first seen in 2018.

    ratrunningrat

  • Server Software Component: Terminal Services DLL

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Loads dropped DLL

  • Creates a Windows Service

    persistence

  • Drops file in System32 directory

  behavioral1behavioral2