win.runningrat

Running RAT

aka: running_rat

NJCCIC characterizes RunningRAT as a remote access trojan (RAT) built from two DLL files. When the trojan is loaded onto a system, it executes the first DLL, which disables anti-malware solutions, unpacks and executes the main RAT DLL, and establishes persistence. The trojan drops a Windows batch file, dx.bat, that attempts to kill the daumcleaner.exe process (a Korean security product) and then attempts to delete itself. Once the second DLL is loaded into memory, the first DLL overwrites the control-server IP address, changing the address the trojan communicates with. The second DLL gathers information about the victim's system, including its operating system, drivers and processor. The RAT can log keystrokes, copy the clipboard, delete files, compress files, clear event logs, shut down the machine, and more. The second DLL also uses several anti-debugging techniques.

References
2018-02-02 · McAfee · Ryan Sherstobitoff
Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems
Running RAT
Yara Rules
[TLP:WHITE] win_runningrat_auto (20230808 | Detects win.runningrat.)
rule win_runningrat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.runningrat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.runningrat"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): operational caveats for this rule.
     * - Each $sequence_N is a run of x86 instruction bytes; the `??` wildcards
     *   blank the 4-byte operand of address-bearing instructions (ff15 = call
     *   [imm32], 8b35 = mov esi,[imm32], 3b0d = cmp ecx,[imm32], e8 = call rel32),
     *   so a match does not depend on the image's load address.
     * - The patterns were lifted from memory dumps and unpacked files (see the
     *   disclaimer above); a packed or otherwise obfuscated on-disk sample is
     *   not expected to expose them. Scan unpacked payloads or process memory.
     * - The `score` annotations are emitted by yara-signator; they appear to be
     *   the tool's per-sequence weight, not a YARA construct -- confirm against
     *   the yara-signator documentation before using them for triage.
     * - `filesize < 278528` (272 KiB) excludes larger inputs even if 7+
     *   sequences are present, and `filesize` is presumably undefined when
     *   scanning a live process rather than a file -- verify for your YARA
     *   version before relying on this rule in memory scans.
     */

    strings:
        $sequence_0 = { ff15???????? 56 ff15???????? 8b8c2418010000 }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8b8c2418010000       | mov                 ecx, dword ptr [esp + 0x118]

        $sequence_1 = { 8b4904 56 8b742410 56 8d542414 50 }
            // n = 6, score = 200
            //   8b4904               | mov                 ecx, dword ptr [ecx + 4]
            //   56                   | push                esi
            //   8b742410             | mov                 esi, dword ptr [esp + 0x10]
            //   56                   | push                esi
            //   8d542414             | lea                 edx, [esp + 0x14]
            //   50                   | push                eax

        $sequence_2 = { 85c0 7404 50 ff5650 8b5660 }
            // n = 5, score = 200
            //   85c0                 | test                eax, eax
            //   7404                 | je                  6
            //   50                   | push                eax
            //   ff5650               | call                dword ptr [esi + 0x50]
            //   8b5660               | mov                 edx, dword ptr [esi + 0x60]

        $sequence_3 = { 8988100b0000 8d88740a0000 8988280b0000 33c9 c780180b000080cd0110 89901c0b0000 c780240b000098cd0110 }
            // n = 7, score = 200
            //   8988100b0000         | mov                 dword ptr [eax + 0xb10], ecx
            //   8d88740a0000         | lea                 ecx, [eax + 0xa74]
            //   8988280b0000         | mov                 dword ptr [eax + 0xb28], ecx
            //   33c9                 | xor                 ecx, ecx
            //   c780180b000080cd0110     | mov    dword ptr [eax + 0xb18], 0x1001cd80
            //   89901c0b0000         | mov                 dword ptr [eax + 0xb1c], edx
            //   c780240b000098cd0110     | mov    dword ptr [eax + 0xb24], 0x1001cd98

        $sequence_4 = { 894554 89542428 b910000000 33c0 8d7c2438 }
            // n = 5, score = 200
            //   894554               | mov                 dword ptr [ebp + 0x54], eax
            //   89542428             | mov                 dword ptr [esp + 0x28], edx
            //   b910000000           | mov                 ecx, 0x10
            //   33c0                 | xor                 eax, eax
            //   8d7c2438             | lea                 edi, [esp + 0x38]

        $sequence_5 = { 8d442440 c1e902 f3a5 8bca 50 83e103 }
            // n = 6, score = 200
            //   8d442440             | lea                 eax, [esp + 0x40]
            //   c1e902               | shr                 ecx, 2
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   8bca                 | mov                 ecx, edx
            //   50                   | push                eax
            //   83e103               | and                 ecx, 3

        $sequence_6 = { 5d 33c0 5b 81c4f8020000 c20400 8b35???????? 6800000100 }
            // n = 7, score = 200
            //   5d                   | pop                 ebp
            //   33c0                 | xor                 eax, eax
            //   5b                   | pop                 ebx
            //   81c4f8020000         | add                 esp, 0x2f8
            //   c20400               | ret                 4
            //   8b35????????         |                     
            //   6800000100           | push                0x10000

        $sequence_7 = { c7462400000000 83c610 6a00 56 ff15???????? 5e }
            // n = 6, score = 200
            //   c7462400000000       | mov                 dword ptr [esi + 0x24], 0
            //   83c610               | add                 esi, 0x10
            //   6a00                 | push                0
            //   56                   | push                esi
            //   ff15????????         |                     
            //   5e                   | pop                 esi

        $sequence_8 = { 7cd9 8bf2 8b8e80000000 b8cdcccccc f7a684000000 c1ea04 }
            // n = 6, score = 100
            //   7cd9                 | jl                  0xffffffdb
            //   8bf2                 | mov                 esi, edx
            //   8b8e80000000         | mov                 ecx, dword ptr [esi + 0x80]
            //   b8cdcccccc           | mov                 eax, 0xcccccccd
            //   f7a684000000         | mul                 dword ptr [esi + 0x84]
            //   c1ea04               | shr                 edx, 4

        $sequence_9 = { 83c404 395630 740d 8b542418 }
            // n = 4, score = 100
            //   83c404               | add                 esp, 4
            //   395630               | cmp                 dword ptr [esi + 0x30], edx
            //   740d                 | je                  0xf
            //   8b542418             | mov                 edx, dword ptr [esp + 0x18]

        $sequence_10 = { 8d942410010000 52 6a00 6a00 }
            // n = 4, score = 100
            //   8d942410010000       | lea                 edx, [esp + 0x110]
            //   52                   | push                edx
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_11 = { 8d842432020000 6a00 50 c684242c02000046 }
            // n = 4, score = 100
            //   8d842432020000       | lea                 eax, [esp + 0x232]
            //   6a00                 | push                0
            //   50                   | push                eax
            //   c684242c02000046     | mov                 byte ptr [esp + 0x22c], 0x46

        $sequence_12 = { 83ea01 898c3c90000000 75ed 8bd3 33ff 8d4900 }
            // n = 6, score = 100
            //   83ea01               | sub                 edx, 1
            //   898c3c90000000       | mov                 dword ptr [esp + edi + 0x90], ecx
            //   75ed                 | jne                 0xffffffef
            //   8bd3                 | mov                 edx, ebx
            //   33ff                 | xor                 edi, edi
            //   8d4900               | lea                 ecx, [ecx]

        $sequence_13 = { 8b742424 e9???????? 6803010000 8d442431 6a00 50 }
            // n = 6, score = 100
            //   8b742424             | mov                 esi, dword ptr [esp + 0x24]
            //   e9????????           |                     
            //   6803010000           | push                0x103
            //   8d442431             | lea                 eax, [esp + 0x31]
            //   6a00                 | push                0
            //   50                   | push                eax

        $sequence_14 = { 33c0 e8???????? 81c468040000 c3 3b0d???????? 7502 }
            // n = 6, score = 100
            //   33c0                 | xor                 eax, eax
            //   e8????????           |                     
            //   81c468040000         | add                 esp, 0x468
            //   c3                   | ret                 
            //   3b0d????????         |                     
            //   7502                 | jne                 4

    condition:
        // Any 7 of the 15 code sequences, regardless of score, within the size bound.
        7 of them and filesize < 278528
}
[TLP:WHITE] win_runningrat_w0   (20180301 | No description)
import "pe"

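rule win_runningrat_w0 {
    meta:
        author = "Florian Roth"
        // description added on review: the published rule carried none
        description = "Detects Running RAT (win.runningrat) via its rundll32 launch strings, RunningRat export, import hash, reversed Winsock API names and status strings"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.runningrat"
        malpedia_version = "20180301"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* NOTE(review): the condition has no PE-header or size gate, so a single
     * $x string (e.g. "SystemRat.dll") in any file type -- analysis reports,
     * IOC lists, rule repositories such as this one -- is enough to fire; the
     * pe.* terms only contribute on PE input. That makes it a sensitive hunting
     * rule. If fleet-wide false positives are a concern, wrap the condition as
     * `uint16(0) == 0x5a4d and ( ... )`, accepting that non-PE memory blobs
     * will then be missed. */

    strings:
        // Strong indicators: rundll32 launch lines for the RunningRat export,
        // payload/export file names and hard-coded result-log paths.
        $x1 = "C:\\USERS\\WIN7_x64\\result.log" fullword wide
        $x2 = "rundll32.exe %s RunningRat" fullword ascii
        $x3 = "SystemRat.dll" fullword ascii
        $x4 = "rundll32.exe %s ExportFunction" fullword ascii
        $x5 = "rundll32.exe \"%s\" RunningRat" fullword ascii
        $x6 = "ixeorat.bin" fullword ascii
        $x7 = "C:\\USERS\\Public\\result.log" fullword ascii

        // Winsock API names stored reversed; the reversal is what separates
        // these from legitimate socket code, hence the 5-of-6 threshold.
        $a1 = "emanybtsohteg" fullword ascii /* reversed goodware string 'gethostbyname' */
        $a2 = "tekcosesolc" fullword ascii /* reversed goodware string 'closesocket' */
        $a3 = "emankcosteg" fullword ascii /* reversed goodware string 'getsockname' */
        $a4 = "emantsohteg" fullword ascii /* reversed goodware string 'gethostname' */
        $a5 = "tpokcostes" fullword ascii /* reversed goodware string 'setsockopt' */
        $a6 = "putratSASW" fullword ascii /* reversed goodware string 'WSAStartup' */

        // Status/debug strings and the loader DLL name; weaker on their own.
        $s1 = "ParentDll.dll" fullword ascii
        $s2 = "MR - Already Existed" fullword ascii
        $s3 = "MR First Started, Registed OK!" fullword ascii
        $s4 = "RM-M : LoadResource OK!" fullword ascii
        $s5 = "D:\\result.log" fullword ascii

    condition:
        // Import hash and export name are PE-only evidence; the string
        // thresholds also cover unpacked dumps and non-PE carriers.
        pe.imphash() == "c78ccc8f02286648c4373d3bf03efc43" or
        pe.exports("RunningRat") or
        1 of ($x*) or
        5 of ($a*) or
        3 of ($s*)
}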