MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31d5bcd2e4ecd330a56fbef1826e7201532311c9a57ee44352a746ea8271a778. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RunningRAT

Vendor detections: 10

Intelligence 10 IOCs YARA 5 File information Comments

SHA256 hash:	31d5bcd2e4ecd330a56fbef1826e7201532311c9a57ee44352a746ea8271a778
SHA3-384 hash:	c52ea82da96c39be1926a6093a984726388014c67ac23308143b42619e402f9e9d6b2137dac14345cbc3171e50da065c
SHA1 hash:	346102549e0c1f9604266f8bda9f2fbd9ddf216b
MD5 hash:	fbbc4c6ce85624e7c35ce3f5ca988bbe
humanhash:	idaho-bravo-steak-lake
File name:	th520.exe
Download:	download sample
Signature	RunningRAT Create hunting rule
File size:	98'304 bytes
First seen:	2021-02-11 08:49:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	50ee0a510a032f54032460b8b36127a0 (1 x RunningRAT)
ssdeep	1536:Jgtv4HxETPkgcky/Vht7ILmkAP303pzJuhyicgcqd33+9fX+:uv4HWT3yCfBZfucU3sf+
Threatray	13 similar samples on MalwareBazaar
TLSH	52A37D01F7F7E093E3A7A735587D16354528BED1AAA1869F9392E90D4930F406E2433F
Reporter	r3dbU7z
Tags:	exe RunningRAT

Intelligence

File Origin

# of uploads :

# of downloads :

107

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

th520.exe

Verdict:

Malicious activity

Analysis date:

2021-02-11 08:50:34 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/dacd2ff1-4d1a-4703-b59e-db0b536057dc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/116718/

Detection(s):

Win.Dropper.Gh0stRAT-7440819-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a service

Launching a service

Launching a process

Creating a file in the Windows subdirectories

Sending a UDP request

Creating a process from a recently created file

Connection attempt

Enabling autorun for a service

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

RunningRAT

Detection:

malicious

Classification:

bank.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/605520

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Changes security center settings (notifications, updates, antivirus, firewall)

Checks if browser processes are running

DLL side loading technique detected

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Searches for specific processes (likely to inject)

Yara detected RunningRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/31d5bcd2e4ecd330a56fbef1826e7201532311c9a57ee44352a746ea8271a778/

Threat name:

Win32.Backdoor.Farfli

Status:

Malicious

First seen:

2018-11-09 03:05:43 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ghk3zuxe5tjtbjlpx3yye3tsafjsgeojuv7oiq2su5dovatru54a._file

Verdict:

malicious

RunningRAT

238057ab39a12934ed501e0c9b1a895a7e80c40db43f5f5787edc088997d773d

RunningRAT

2addf0687e15d5da150548c7dd1d27bd3138b8ed464e0fe8cc6d091e34842ed3

RunningRAT

5e5f8efd6ced3f58cc5212b0f68a8badb9419b87a99fa1683ecc2f49e5103c1d

RunningRAT

695dbd8c8d80719168bb3987b62fa5348f480ce00f4afbe54efae3a647fc2552

RunningRAT

800c26a3e7cd6b65e7221e0e493d9e5ac6c7fd8319355a8be31ad59ed1843534

RunningRAT

97a6d37991a271facf6254ac7e4f4072bb3718cdc01c2fc8d92e3953a3f8b453

RunningRAT

b0e5fe8c3639e8e3777da2130157bb13b2ee8c99bd4929ed2d245e49ccee19c4

RunningRAT

bda9ac7c976d4077921a53b7b178aa402254d9e1e81a3eb7a5cc462982df9f0e

RunningRAT

d05821af6ec028f7f37738d83f4628e7dfbee77f7603478a5c13da68744794d9

RunningRAT

+ 3 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

persistence

Link:

https://tria.ge/reports/210211-b3vr83s2n2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Drops file in System32 directory

Loads dropped DLL

Executes dropped EXE

Sets DLL path for service in the registry

Unpacked files

SH256 hash:

31d5bcd2e4ecd330a56fbef1826e7201532311c9a57ee44352a746ea8271a778

MD5 hash:

fbbc4c6ce85624e7c35ce3f5ca988bbe

SHA1 hash:

346102549e0c1f9604266f8bda9f2fbd9ddf216b

Detections:

win_runningrat_w0

Link:

https://www.unpac.me/results/56d63d75-f5b8-4567-abfd-e4c14a7ffa21/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Farfli

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/31d5bcd2e4ecd330a56fbef1826e7201532311c9a57ee44352a746ea8271a778

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	GoldDragon_RunningRAT Create hunting rule
Author:	Florian Roth
Description:	Detects Running RAT from Gold Dragon report
Reference:	https://goo.gl/rW1yvZ

Rule name:	Reverse_text_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Reverse text detected

Rule name:	Typical_Malware_String_Transforms Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

Rule name:	win_runningrat_w0 Create hunting rule
Author:	Florian Roth

Rule name:	ZxShell_Related_Malware_CN_Group_Jul17_1 Create hunting rule
Author:	Florian Roth
Description:	Detects a ZxShell related sample from a CN threat group
Reference:	https://blogs.rsa.com/cat-phishing/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/116718/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample