win.runningrat

Running RAT

aka: running_rat

NJCCIC characterizes RunningRAT as a remote access trojan (RAT) that operates using two DLL files. When the trojan is loaded onto a system, it executes the first DLL, which disables anti-malware solutions, unpacks and executes the main RAT DLL, and gains persistence. The trojan installs a Windows batch file dx.bat that attempts to kill the daumcleaner.exe task, a Korean security program; the batch file then attempts to remove itself. Once the second DLL is loaded into memory, the first DLL overwrites the IP address of the control server, changing the address the trojan communicates with. The second DLL gathers information about the victim's system, including its operating system, driver and processor information. The RAT can log user keystrokes, copy the clipboard, delete files, compress files, clear event logs, shut down the machine, and more. The second DLL also uses several anti-debugging techniques.

References
2024-11-05Hunt.ioHunt.io
RunningRAT’s Next Move: From Remote Access to Crypto Mining for Profit
Running RAT
2018-02-02McAfeeRyan Sherstobitoff
Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems
Running RAT
Yara Rules
[TLP:WHITE] win_runningrat_auto (20260504 | Detects win.runningrat.)
rule win_runningrat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.runningrat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.runningrat"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* READING THE PATTERNS
     * Each $sequence_N is a short run of 32-bit x86 instruction bytes; the
     * indented "//" lines under it are the disassembly the bytes were taken
     * from. "????????" masks a 4-byte operand where the disassembly column is
     * left blank (call/jmp targets and data references, cf. signator_config),
     * presumably so the pattern does not depend on concrete addresses.
     * "n" is the number of instructions in the sequence; "score" is
     * yara-signator's own weight. Neither annotation affects matching.
     * Because the sequences come from unpacked code, the rule is meant for
     * memory dumps and unpacked images rather than packed droppers.
     */

    strings:
        $sequence_0 = { ff15???????? 56 ff15???????? 8b8c2418010000 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8b8c2418010000       | mov                 ecx, dword ptr [esp + 0x118]

        $sequence_1 = { e8???????? 8a4c2420 6a18 c744241c00000000 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   8a4c2420             | mov                 cl, byte ptr [esp + 0x20]
            //   6a18                 | push                0x18
            //   c744241c00000000     | mov                 dword ptr [esp + 0x1c], 0

        $sequence_2 = { e8???????? 85c0 7402 b301 8d4c240c e8???????? }
            // n = 6, score = 100
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7402                 | je                  4
            //   b301                 | mov                 bl, 1
            //   8d4c240c             | lea                 ecx, [esp + 0xc]
            //   e8????????           |                     

        $sequence_3 = { 68???????? 68???????? ffd3 8b2d???????? 50 ffd5 68???????? }
            // n = 7, score = 100
            //   68????????           |                     
            //   68????????           |                     
            //   ffd3                 | call                ebx
            //   8b2d????????         |                     
            //   50                   | push                eax
            //   ffd5                 | call                ebp
            //   68????????           |                     

        $sequence_4 = { eb08 2bd1 8bc2 89542420 }
            // n = 4, score = 100
            //   eb08                 | jmp                 0xa
            //   2bd1                 | sub                 edx, ecx
            //   8bc2                 | mov                 eax, edx
            //   89542420             | mov                 dword ptr [esp + 0x20], edx

        $sequence_5 = { a1???????? 33c4 89842464040000 53 56 }
            // n = 5, score = 100
            //   a1????????           |                     
            //   33c4                 | xor                 eax, esp
            //   89842464040000       | mov                 dword ptr [esp + 0x464], eax
            //   53                   | push                ebx
            //   56                   | push                esi

        $sequence_6 = { 85c0 7559 8b442418 8b4c2430 40 }
            // n = 5, score = 100
            //   85c0                 | test                eax, eax
            //   7559                 | jne                 0x5b
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   8b4c2430             | mov                 ecx, dword ptr [esp + 0x30]
            //   40                   | inc                 eax

        $sequence_7 = { 56 8bf1 8b4e34 8b6e1c 57 8bf8 }
            // n = 6, score = 100
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   8b4e34               | mov                 ecx, dword ptr [esi + 0x34]
            //   8b6e1c               | mov                 ebp, dword ptr [esi + 0x1c]
            //   57                   | push                edi
            //   8bf8                 | mov                 edi, eax

        $sequence_8 = { b914000000 e8???????? 8b54241c 8bf0 8b442418 b914000000 }
            // n = 6, score = 100
            //   b914000000           | mov                 ecx, 0x14
            //   e8????????           |                     
            //   8b54241c             | mov                 edx, dword ptr [esp + 0x1c]
            //   8bf0                 | mov                 esi, eax
            //   8b442418             | mov                 eax, dword ptr [esp + 0x18]
            //   b914000000           | mov                 ecx, 0x14

        $sequence_9 = { 8b542424 3902 0f84e2000000 8b4c2434 8b542430 56 }
            // n = 6, score = 100
            //   8b542424             | mov                 edx, dword ptr [esp + 0x24]
            //   3902                 | cmp                 dword ptr [edx], eax
            //   0f84e2000000         | je                  0xe8
            //   8b4c2434             | mov                 ecx, dword ptr [esp + 0x34]
            //   8b542430             | mov                 edx, dword ptr [esp + 0x30]
            //   56                   | push                esi

        $sequence_10 = { 81c4f8020000 c20400 8b35???????? 6800000100 6a40 ffd6 8bd8 }
            // n = 7, score = 100
            //   81c4f8020000         | add                 esp, 0x2f8
            //   c20400               | ret                 4
            //   8b35????????         |                     
            //   6800000100           | push                0x10000
            //   6a40                 | push                0x40
            //   ffd6                 | call                esi
            //   8bd8                 | mov                 ebx, eax

        $sequence_11 = { 33c0 5b c3 b8feffffff }
            // n = 4, score = 100
            //   33c0                 | xor                 eax, eax
            //   5b                   | pop                 ebx
            //   c3                   | ret                 
            //   b8feffffff           | mov                 eax, 0xfffffffe

        $sequence_12 = { e8???????? 8d44241c 83c40c 48 8d4900 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   8d44241c             | lea                 eax, [esp + 0x1c]
            //   83c40c               | add                 esp, 0xc
            //   48                   | dec                 eax
            //   8d4900               | lea                 ecx, [ecx]

        $sequence_13 = { 8b442424 c70100000000 8b4c2428 57 c70200000000 }
            // n = 5, score = 100
            //   8b442424             | mov                 eax, dword ptr [esp + 0x24]
            //   c70100000000         | mov                 dword ptr [ecx], 0
            //   8b4c2428             | mov                 ecx, dword ptr [esp + 0x28]
            //   57                   | push                edi
            //   c70200000000         | mov                 dword ptr [edx], 0

        $sequence_14 = { d3e8 2be9 8b4e0c 89442414 8b4608 891481 ff4608 }
            // n = 7, score = 100
            //   d3e8                 | shr                 eax, cl
            //   2be9                 | sub                 ebp, ecx
            //   8b4e0c               | mov                 ecx, dword ptr [esi + 0xc]
            //   89442414             | mov                 dword ptr [esp + 0x14], eax
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   891481               | mov                 dword ptr [ecx + eax*4], edx
            //   ff4608               | inc                 dword ptr [esi + 8]

    condition:
        // Match requires at least 7 of the 15 sequences above in a scanned
        // object smaller than 275456 bytes (269 KiB). Objects at or above the
        // cap never match, however many sequences they contain; raise the cap
        // deliberately if you scan larger dumps, and expect more scan time.
        7 of them and filesize < 275456
}
[TLP:WHITE] win_runningrat_w0   (20180301 | No description)
import "pe"

rule win_runningrat_w0 {
    /*
     * Hand-written RunningRAT rule (Florian Roth). Needs the "pe" module,
     * imported at the top of the file, for the import-hash and export checks.
     * Three string tiers feed the condition: $x* are sample-specific paths and
     * rundll32 command lines (a single hit suffices), $a* are reversed Winsock
     * API names (five needed), $s* are loader/status strings (three needed).
     */
    meta:
        author = "Florian Roth"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.runningrat"
        malpedia_version = "20180301"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Tier 1: high-confidence, sample-specific artefacts.
        $x1 = "C:\\USERS\\WIN7_x64\\result.log" fullword wide
        $x2 = "rundll32.exe %s RunningRat" fullword ascii
        $x3 = "SystemRat.dll" fullword ascii
        $x4 = "rundll32.exe %s ExportFunction" fullword ascii
        $x5 = "rundll32.exe \"%s\" RunningRat" fullword ascii
        $x6 = "ixeorat.bin" fullword ascii
        $x7 = "C:\\USERS\\Public\\result.log" fullword ascii

        // Tier 2: Winsock API names stored reversed; each one is a legitimate
        // symbol, so several are required before they count as evidence.
        $a1 = "emanybtsohteg" fullword ascii // gethostbyname
        $a2 = "tekcosesolc" fullword ascii   // closesocket
        $a3 = "emankcosteg" fullword ascii   // getsockname
        $a4 = "emantsohteg" fullword ascii   // gethostname
        $a5 = "tpokcostes" fullword ascii    // setsockopt
        $a6 = "putratSASW" fullword ascii    // WSAStartup

        // Tier 3: loader and status messages.
        $s1 = "ParentDll.dll" fullword ascii
        $s2 = "MR - Already Existed" fullword ascii
        $s3 = "MR First Started, Registed OK!" fullword ascii
        $s4 = "RM-M : LoadResource OK!" fullword ascii
        $s5 = "D:\\result.log" fullword ascii

    condition:
        // Any single tier, or either PE-level fingerprint, is enough.
        1 of ($x*) or
        3 of ($s*) or
        5 of ($a*) or
        pe.exports("RunningRat") or
        pe.imphash() == "c78ccc8f02286648c4373d3bf03efc43"
}