MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ca0de5b060df94714b3defd24f99d53e63414abdee90e113647b77ed3ea9036. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RunningRAT

Vendor detections: 14

Intelligence 14 IOCs YARA 8 File information Comments

SHA256 hash:	9ca0de5b060df94714b3defd24f99d53e63414abdee90e113647b77ed3ea9036
SHA3-384 hash:	de524cb461f4f1470f193239db428e80d02aba2cd1d7da39476c5613523c534d3e77814b8143119f3fde2bb9e42da4dd
SHA1 hash:	01a43562db3eb021aa4531c2e292fa92414cff0c
MD5 hash:	026d6396aafd4e1706c5ec311de66487
humanhash:	aspen-nebraska-finch-coffee
File name:	026d6396aafd4e1706c5ec311de66487.exe
Download:	download sample
Signature	RunningRAT Create hunting rule
File size:	114'688 bytes
First seen:	2021-10-25 07:32:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7e3107c64f6a7a76d8463e3f374f74af (17 x RunningRAT)
ssdeep	1536:vqEA70HzLJksPEOajozLElnqiO27dJ/tHi:vXTLJkQ7zAV3HtC
Threatray	34 similar samples on MalwareBazaar
TLSH	T180B3F542A3E02412E1AF3B74597513364A7D3C795F2582EFF2D5C58E1879AE0AEB070B
File icon (PE):
dhash icon	5c1ca8ace458e832 (5 x RunningRAT, 1 x CoinMiner)
Reporter	abuse_ch
Tags:	exe RAT RunningRAT

Intelligence

File Origin

# of uploads :

# of downloads :

139

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RunningRAT

Link:

https://www.capesandbox.com/analysis/199803/

Detection(s):

Win.Dropper.Gh0stRAT-6997745-0

Win.Dropper.Gh0stRAT-7752666-0

Win.Dropper.Gh0stRAT-9816562-0

ditekSHen.MALWARE.Win.Trojan.RunningRAT.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the Windows subdirectories

Creating a service

Launching a service

Launching a process

Running batch commands

Creating a process with a hidden window

Connection attempt to an infection source

Enabling autorun for a service

Query of malicious DNS domain

Deleting of the original file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

golddragon rat zxshell

Link:

https://www.filescan.io/uploads/6176a314a9d585e6d53717e4/reports/2f944018-22a0-4806-b983-3ce84093139b/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

KuaiGoMiner

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/50416c9a-0b8d-478c-adb2-e49d6f391c1b

Result

Threat name:

RunningRAT

Detection:

malicious

Classification:

bank.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/876048

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Checks if browser processes are running

Creates a Windows Service pointing to an executable in C:\Windows

DLL side loading technique detected

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Self deletion via cmd delete

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Yara detected RunningRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9ca0de5b060df94714b3defd24f99d53e63414abdee90e113647b77ed3ea9036/

Threat name:

Win32.Backdoor.Farfli

Status:

Malicious

First seen:

2021-10-24 20:44:00 UTC

AV detection:

26 of 27 (96.30%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=tsqn4wygbx4uofft336sj6m5kptdiffl33uq4ejwi63x5u7ksa3a._file

Verdict:

malicious

RunningRAT

04c0fe1b4636ab427121415818fbffc371dacd7872325b18b763e1bc7ec4488a

RunningRAT

3f201f2578b5c9ce1a2d0deb31f79409b8da7e4c4c993e047f9c683b27783d25

RunningRAT

435a836a250603d3014f794b7123a5ed21d5481a4a86c10d669e8b1f71e9f113

RunningRAT

4c580d69b3340f544a71a42bf228f7f6bccfe976dee82c13a957925e88bf71dd

RunningRAT

63b82192d565071ff6ce7bbbf950a6c4dac6f5dbbf58c68f4679cb6efef28a94

RunningRAT

9b1367b0da26125af6946a108e9e657c373ad4e25be8e9a9eaa3a29adf6c95d9

RunningRAT

a27c3c08c44a620f56ea19c17df3151e7a3cc59630732087f79e93bcd567085f

RunningRAT

b82c510a4e89d91316acab7f61ea599a4ee4ef7ccde2ed71cd46fa9875c0639c

RunningRAT

ef03a58568ec094636fe33261e1fafbb6aa77125be68c3615da4823abba198d8

RunningRAT

+ 24 additional samples on MalwareBazaar

Result

Malware family:

xmrig

Score:

10/10

Tags:

family:runningrat family:xmrig miner persistence

Link:

https://tria.ge/reports/211025-jerjssfge2/

Behaviour

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Windows directory

Creates a Windows Service

Drops file in System32 directory

Deletes itself

Loads dropped DLL

Executes dropped EXE

Sets DLL path for service in the registry

xmrig

Unpacked files

SH256 hash:

9ca0de5b060df94714b3defd24f99d53e63414abdee90e113647b77ed3ea9036

MD5 hash:

026d6396aafd4e1706c5ec311de66487

SHA1 hash:

01a43562db3eb021aa4531c2e292fa92414cff0c

Detections:

win_runningrat_w0

Link:

https://www.unpac.me/results/2c5ec479-142e-40bb-8c27-489150bce116/

Malware family:

Gold Dragon

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/9ca0de5b060d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9ca0de5b060df94714b3defd24f99d53e63414abdee90e113647b77ed3ea9036

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	GoldDragon_RunningRAT Create hunting rule
Author:	Florian Roth
Description:	Detects Running RAT from Gold Dragon report
Reference:	https://goo.gl/rW1yvZ

Rule name:	GoldDragon_RunningRAT_RID2F19 Create hunting rule
Author:	Florian Roth
Description:	Detects Running RAT from Gold Dragon report
Reference:	https://goo.gl/rW1yvZ

Rule name:	MALWARE_Win_RunningRAT Create hunting rule
Author:	ditekSHen
Description:	Detects RunningRAT

Rule name:	Typical_Malware_String_Transforms Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

Rule name:	Typical_Malware_String_Transforms_RID3473 Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

Rule name:	win_runningrat_w0 Create hunting rule
Author:	Florian Roth

Rule name:	ZxShell_Related_Malware_CN_Group_Jul17_1 Create hunting rule
Author:	Florian Roth
Description:	Detects a ZxShell related sample from a CN threat group
Reference:	https://blogs.rsa.com/cat-phishing/

Rule name:	ZxShell_Related_Malware_CN_Group_Jul17_1_RID3601 Create hunting rule
Author:	Florian Roth
Description:	Detects a ZxShell related sample from a CN threat group
Reference:	https://blogs.rsa.com/cat-phishing/