Extracted

• • Target

    9eee88eb59ff0b7e6c24ec7e4b7529d1c7b44afd04e51f9df82afad3f9a31ebd

  • Size

    56KB

  • MD5

    1babe64eb90e5e610dfbb1f91deb1126

  • SHA1

    ee43d92c35e28748101f58c0d6632d7b70d0b5d0

  • SHA256

    9eee88eb59ff0b7e6c24ec7e4b7529d1c7b44afd04e51f9df82afad3f9a31ebd

  • SHA512

    b37d907ed044de24e4258978d876abf73c21f5fba6b36ee498af4eb79ae2b09f7ff8571a66477ff4cdb7f8471b99132c624ff286000310524734bc610e548708

  • SSDEEP

    768:Dr0atvvxN9tpdC7EezJ0d8hPUtrFRtFtg3NojiwvuccA4iiKahtAZchy:Dr0udk7ESuqhParNMKnFfiroZch

  Score

  10^/10

  runningratdiscoverypersistencerat

  • RunningRat

    RunningRat is a remote access trojan first seen in 2018.

    ratrunningrat

  • Runningrat family

    runningrat

  • Server Software Component: Terminal Services DLL

    persistence

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Executes dropped EXE

  • Loads dropped DLL

  • Creates a Windows Service

    persistence

  • Drops file in System32 directory

  behavioral1behavioral2