MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73096690ffc9dad9df868fa94030607f4361bf9cd4e6a0f7e940d8696d758f4c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RunningRAT


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 73096690ffc9dad9df868fa94030607f4361bf9cd4e6a0f7e940d8696d758f4c
SHA3-384 hash: 13f7d85f1aedee64c61a85fdb01808a5a74893827e8747e167758549237a25a6b307f6ebd2b5b721d90068bbceb305d7
SHA1 hash: d92c92fe190de3e2eacbe2c7ca0c379af8e06ec4
MD5 hash: 2e0699c149b6e8f5052c9ca681b31483
humanhash: river-bacon-indigo-seventeen
File name:2e0699c149b6e8f5052c9ca681b31483.exe
Download: download sample
Signature RunningRAT
Create hunting rule
File size:33'280 bytes
First seen:2023-01-16 09:36:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d2b95b998469ac775106242f347c0e1 (4 x RunningRAT, 4 x CoinMiner)
ssdeep 768:1w/iOWTK3JWhOM/qZh7UJGcZ/VN0BlXGnbcuyD7Urs9:WQK52fqZSIA9olXGnouy8rs9
Threatray 19'006 similar samples on MalwareBazaar
TLSH T1A2E2D098E2FD6988D3B90A39DD53770D2812E8266686873F6F80312EAD737287C74125
TrID 52.7% (.EXE) UPX compressed Win32 Executable (27066/9/6)
12.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.EXE) Win32 Executable (generic) (4505/5/1)
4.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe RunningRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
188
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2e0699c149b6e8f5052c9ca681b31483.exe
Verdict:
Suspicious activity
Analysis date:
2023-01-16 09:49:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7b1b9f58-7440-4899-b73f-8c07d835f28c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RunningRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/353356/
Detection(s):
Win.Malware.Siscos-6993581-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file in the Windows subdirectories
Creating a service
Launching a service
Launching a process
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Creating a window
DNS request
Sending a custom TCP request
Enabling autorun for a service
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63c51abefdb747329962c15e/reports/d07392a5-d08d-416e-8049-bceacfa9ebd8/overview
Malware family:
Indexsinas
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9b0aa108-c196-42fb-8c59-61f468defe7c
Result
Threat name:
Gh0stCringe
Create hunting rule
Detection:
malicious
Classification:
bank.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1152263
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Checks if browser processes are running
Creates a Windows Service pointing to an executable in C:\Windows
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Gh0stCringe
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 784996 Sample: QdRsIGxEq1.exe Startdate: 16/01/2023 Architecture: WINDOWS Score: 100 34 Multi AV Scanner detection for domain / URL 2->34 36 Malicious sample detected (through community Yara rule) 2->36 38 Antivirus detection for dropped file 2->38 40 6 other signatures 2->40 7 QdRsIGxEq1.exe 5 2 2->7         started        11 svchost.exe 1 2->11         started        13 svchost.exe 2->13         started        process3 file4 26 C:\Windows\SysWOW64\6428046.dll, PE32 7->26 dropped 42 Found evasive API chain (may stop execution after checking mutex) 7->42 44 Self deletion via cmd or bat file 7->44 46 Creates a Windows Service pointing to an executable in C:\Windows 7->46 15 cmd.exe 1 7->15         started        28 C:\Windows\SysWOW64\serivecs.exe, PE32 11->28 dropped 48 Drops executables to the windows directory (C:\Windows) and starts them 11->48 50 DLL side loading technique detected 11->50 18 serivecs.exe 11->18         started        52 Checks if browser processes are running 13->52 signatures5 process6 dnsIp7 54 Uses ping.exe to sleep 15->54 56 Uses ping.exe to check the status of other devices and networks 15->56 21 PING.EXE 1 15->21         started        24 conhost.exe 15->24         started        30 sky.hobuff.info 222.92.77.166, 7709 CHINANET-BACKBONENo31Jin-rongStreetCN China 18->30 signatures8 process9 dnsIp10 32 127.0.0.1 unknown unknown 21->32
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/73096690ffc9dad9df868fa94030607f4361bf9cd4e6a0f7e940d8696d758f4c/
Threat name:
Win32.Trojan.Siscos
Create hunting rule
Status:
Malicious
First seen:
2023-01-15 18:57:03 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=omewneh7zhnntx4gr6uuamdap5bwdp442ttkb57jidmgs3lvr5ga._file
Verdict:
malicious
Similar samples:
1b308f3ba72629c2283b9d7cbdef4b0cceb06801187413ea7a54d4ddcbb3dceb
RunningRAT
4414a9ba25d52ac38509ccf072d32e4f938990e3b02ca3c2d11fbd5cba433ab4
RunningRAT
566e9b735f5b0c644a29c22260a003d9a2fc29939807cb23ee34fc33e7beee9b
RunningRAT
7921b8b3f75dd87bb3bc280b02f51e455c7763c603825960ce4e6c521878ccc5
RunningRAT
8b520ce0de0ae8276e9c19053cae465454c94c963834166cfe5b2eb43f6050e4
RunningRAT
908b275d6fc2f20e9d04e8609a9d994f7e88a429c3eb0a55d99ca1c681e17ec8
RunningRAT
925b2a6cffe8f4835e1fd4db52b33a863adc953be537638be28462c82389e9e0
RunningRAT
b9381a3fe7374fd6c6d18dbbce3abddd9a3e9e55ec0960118d406ca922d7da42
RunningRAT
c85eab78147f680f396925b005564604d84bcff97fec4bfb27e13071e791d985
RunningRAT
+ 18'996 additional samples on MalwareBazaar
Result
Malware family:
runningrat
Create hunting rule
Score:
  10/10
Tags:
family:gh0strat family:runningrat persistence rat upx
Link:
https://tria.ge/reports/230116-llgpaada87/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Creates a Windows Service
Drops file in System32 directory
Checks computer location settings
Deletes itself
Loads dropped DLL
Executes dropped EXE
Sets DLL path for service in the registry
UPX packed file
Gh0st RAT payload
Gh0strat
RunningRat
RunningRat payload
Unpacked files
SH256 hash:
7faf403b9748cdc9b8f8aba98a64567fcd9c5ad490bcc31a0b6cce978003e754
MD5 hash:
67471f9e74ce07e6de4be37cd6fadf51
SHA1 hash:
57cf550e19df2e8c04a71e712be4dcf58a17faef
Detections:
win_younglotus_g0
Create hunting rule
Link:
https://www.unpac.me/results/55727dd0-ee23-4651-b155-99092251b3ee/
SH256 hash:
74d6079437e6a67a8afe00f07b64286e16b52d1523d6a8684a2fa74e9e9e7e7d
MD5 hash:
8684aace2cdf6cdda84e2ac34d41b1e4
SHA1 hash:
d2d0c57dcb9650c1b928c6f4c920dba44b9f5d64
Detections:
win_runningrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/55727dd0-ee23-4651-b155-99092251b3ee/
SH256 hash:
73096690ffc9dad9df868fa94030607f4361bf9cd4e6a0f7e940d8696d758f4c
MD5 hash:
2e0699c149b6e8f5052c9ca681b31483
SHA1 hash:
d92c92fe190de3e2eacbe2c7ca0c379af8e06ec4
Link:
https://www.unpac.me/results/55727dd0-ee23-4651-b155-99092251b3ee/
Malware family:
ZxShell
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/73096690ffc9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/73096690ffc9dad9df868fa94030607f4361bf9cd4e6a0f7e940d8696d758f4c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RunningRAT

Executable exe 73096690ffc9dad9df868fa94030607f4361bf9cd4e6a0f7e940d8696d758f4c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/201704/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/111417/
Cape
Cape
https://www.capesandbox.com/analysis/353356/

Comments