{
	"id": "497cde8c-2b5d-4e9a-9646-cda9d6c44ec2",
	"created_at": "2026-04-06T00:18:44.105397Z",
	"updated_at": "2026-04-10T13:11:20.530545Z",
	"deleted_at": null,
	"sha1_hash": "f2761c7025fccab32041fc020aacf6493a251fd5",
	"title": "RunningRAT’s Next Move: From Remote Access to Crypto mining For Profit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8630818,
	"plain_text": "RunningRAT’s Next Move: From Remote Access to Crypto mining\r\nFor Profit\r\nPublished: 2024-11-05 · Archived: 2026-04-05 13:10:32 UTC\r\nTABLE OF CONTENTS\r\nRunningRAT Overview\r\nRATs in the Open: Tracking RunningRAT's Presence in Public Directories\r\nRAT's Nest: RunningRAT's C2 and Cryptocurrency Mining Payloads\r\nConclusion\r\nNetwork Observables\r\nFile Observables\r\nThis post explores RunningRAT, a remote access trojan (RAT) recently found deploying crypto mining payloads. Previously known for its remote access and information-stealing capabilities, RunningRAT's appearance in crypto mining suggests an expanded use case for this malware family. We examined its infrastructure, delivery tactics, and C2 techniques, focusing on how open directories are leveraged in these operations.\r\nSummary of Findings:\r\nDiscovery of a RunningRAT sample hosted in an accessible online repository, with evidence linking it to a second server containing crypto mining tools.\r\nAnalysis of malware communication with a separate VPS, suggesting coordinated infrastructure for staging and payload delivery.\r\nDetailed review of C2 techniques and infrastructure indicators, including identified IPs relevant for threat intelligence monitoring.\r\nRunningRAT Overview\r\nFirst observed in 2018, RunningRAT was part of a campaign targeting organizations linked to the Pyeongchang Winter Olympics. Deployed alongside other malware families, such as Gold Dragon and Brave Prince, it supported attacks focused on data collection and persistent access within targeted networks.\r\nDesigned for stealthy system control and monitoring, RunningRAT consists of two DLLs: the first disables antimalware protections and executes the main DLL, while the second leverages in-memory anti-debugging techniques. Once operational, it collects system information and transmits data to its command-and-control (C2) server.\r\nHistorically, RunningRAT has functioned as an access and data-gathering tool, with minimal coverage in threat reports since McAfee's 2018 findings. Despite this, samples continue to be uploaded to repositories like Malware Bazaar, indicating its ongoing use without drawing significant focus from security vendors.\r\nThis latest discovery suggests a potential shift in RunningRAT's operational use toward crypto mining, hinting at a possible new direction for the malware, albeit on a limited scale.\r\nhttps://hunt.io/blog/runningrat-from-remote-access-to-crypto-mining\r\nPage 1 of 11\r\nRATs in the Open: Tracking RunningRAT's Presence in Public Directories\r\nDuring routine threat hunting, our research team identified an open directory at IP address 139.162.102[.]163:80, hosted on the Akamai Connected Cloud ASN in Japan. The server hosted a handful of files: a sample of RunningRAT, named me.exe, and a PHP script named nnr.php.\r\nFigure 1: Screenshot of the open directory hosting the RunningRAT file. (Source: Hunt)\r\nme.exe (SHA-256: b10884a495070c2f9ee183bbbb6d1b8f7351fc75d094f4bb212c38c859a6e867) seemed to confuse analysis engines greatly. Hatching Triage identified the file as RunningRAT, while VirusTotal produced various labels, including Winnti ZxShell, among others. The inconsistent classification likely contributes to its minimal visibility in public reporting.\r\nFigure 2: VirusTotal detection results for me.exe (Source: VirusTotal)\r\nWondering what other open directories hosted a RunningRAT sample? Clicking the red button with the virus symbol on the webpage in Figure 1 reveals a list of current and historical servers hosting the RAT.\r\nAs seen below, me.exe appears consistently across multiple directories, indicating a potential pattern in how adversaries deploy and maintain the malware.\r\nFigure 3: Historical RunningRAT samples in open directories (Source: Hunt).\r\nUpon execution, me.exe initiates a multi-step process resulting in three files being dropped into the System32 directory:\r\n1. NETSYSDDL.exe\r\nSHA-256: 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910\r\n2. 240634687.dll\r\nSHA-256: 152f1bf6b11eb2f8e0f31bce6853f7f9fa604164a429741ec0973f508f6520e1\r\n3. ini.ini\r\nSHA-256: db312628b3001d24ca2836ab065bed9573f65158a3b31d97f009f44110c4a4cb\r\nThe above files enable further execution steps, detailed in the process analysis below.\r\nInitial Execution\r\nC:\\Users\\Admin\\AppData\\Local\\Temp\\me.exe\r\nService Initialization and DLL Loading\r\nC:\\Windows\\SysWOW64\\svchost.exe -k \"NETSYSDDL\"\r\nDescription: The process spawns an instance of svchost.exe, running under the service group \"NETSYSDDL.\" This service group does not represent a standard Windows service name and likely represents a custom configuration created to mask the execution of malicious components under legitimate Windows processes.\r\nC:\\Windows\\SysWOW64\\NETSYSDDL.exe\r\nDescription: NETSYSDDL.exe is then launched from the SysWOW64 directory. This binary serves as a loader, executing the 240634687.dll file with the function call to \"MainThread.\" This indicates that NETSYSDDL.exe acts as a wrapper for the primary DLL payload.\r\nDLL Execution\r\nC:\\Windows\\System32\\NETSYSDDL.exe \"C:\\Windows\\System32\\240634687.dll\", MainThread\r\nDescription: NETSYSDDL.exe loads 240634687.dll from the System32 directory, initiating the \"MainThread\" function. This function executes the RAT's core operations, including data collection, C2 communication, and persistence setup.\r\nThe configuration file ini.ini contains minimal information, with only the following entries:\r\nFigure 4: Screenshot displaying the contents of ini.ini.\r\nThe limited number of configuration fields suggests that ini.ini is a minimal setup file, possibly intended to establish a basic configuration without revealing operational information.\r\nNetwork Communications\r\nme.exe initiates communication with the C2 server at 24.199.123[.]1 on TCP port 4000. This IP will be covered in more detail in the following section.\r\nAnalyzing the initial packet capture (PCAP) between me.exe and the C2, we observed a unique header and several strings that provide insight into the malware's activity. The initial packet includes the header \"hx\" and a few ambiguous strings whose purpose is unclear.\r\nAmong the more identifiable strings is a reference to \"4192MHz,\" likely indicating an 8-core CPU running at 4.192 GHz. This suggests that the RAT may be profiling the hardware of the compromised machine to assess its processing capacity, an attribute consistent with the presence of crypto mining tools on the C2 server.\r\nAdditionally, the packet includes a timestamp and a string resembling a password or unique identifier: \"heybro123456.\" This identifier may serve as an authentication token or session key, though its exact role requires further analysis.\r\nFigure 5: Screenshot of the initial packet sent to the C2 by me.exe.\r\nRAT's Nest: RunningRAT's C2 and Cryptocurrency Mining Payloads\r\nThe command-and-control server associated with RunningRAT resolves to the domain host404111[.]xyz. Hosted on a DigitalOcean VPS in the U.S., this IP has a few more interesting findings identified during our analysis, which we'll detail below.\r\nFigure 6: Overview of 24.199.123[.]1 (Source: Hunt).\r\nFurther investigation into this IP revealed another open directory hosted on an HTTP File Server (HFS) accessible on port 1234.\r\nFigure 7: C2 at 24.199.123[.]1 and open directory containing multiple files.\r\nSeveral files point to a clear intent to deploy cryptocurrency miners within the directory, specifically targeting Monero through the XMRig mining software. Among these files are two batch scripts: xmr-normal.bat and xmr-unban.bat.\r\nAnalysis of both files reveals them to be identical. However, the naming convention suggests that xmr-unban.bat may be intended for situations where mining activity has been restricted or blocked, potentially re-enabling access.\r\nWithin the batch files are a series of Windows CMD and PowerShell commands that attempt to remove any competing coinminers that might be present on the host. Following this, the scripts download xmrig.zip to the compromised host, initiating the XMRig miner installation.\r\nFigure 8: Snippet of contents of xmr-unban.bat using PowerShell to install XMRig CoinMiner.\r\nAfter downloading xmrig.zip, the batch script decompresses the file using 7za.exe, a 7zip utility included in the directory. The folder's contents reveal an XMRig CoinMiner executable (xmrig.exe), a Windows driver file, and a configuration file. The batch script then follows a similar process for nssm.zip, which contains NSSM (Non-Sucking Service Manager), using it to register the miner as a service under the name \"c3pool_miner.\"\r\nFigure 9: Snippet of the configuration file found within the xmrig.zip archive.\r\nNo wallet addresses were found in the XMRig-related files analyzed.\r\nEarlier this year, AhnLab observed a threat actor, designated \"Mimo,\" using a similar approach to deploy coinminers after exploiting known vulnerabilities such as Log4Shell. This method also involved batch scripts, PowerShell commands, and NSSM to set up and execute XMRig.\r\nkill.exe\r\nThe file kill.exe (SHA-256: c55a1c1e2d0623fd7c5b2224e2e5a7b6f053f997080fb4f3d37a37d1b9ce807a) is a Windows executable created with PyInstaller. It retains its default icon, indicating the threat actor did not customize it to blend in with system files. Dynamic analysis results indicate that the EXE is intended to function as a spyware tool designed to scan the compromised device's file system for stored credentials from files and web browsers.\r\nUpon execution, an initial connection is made to api.ipify[.]org, likely to retrieve the public IP address of the compromised host for attacker awareness. It then attempts to connect to the C2 server at 24.199.123[.]1 over TCP port 5000.\r\nAnalysis of the PCAP associated with this connection revealed limited data transmission, suggesting potential issues with the program's functionality. Testing within a different environment may yield a different outcome, or the program may be configured to send credentials under specific conditions not met in our analysis.\r\nConclusion\r\nRunningRAT, initially identified in campaigns targeting the 2018 Pyeongchang Winter Olympics, continues to adapt beyond its original role in data collection and remote access. This post highlighted recent findings of its deployment in public directories, its C2 infrastructure, and possible use in crypto mining, a shift that may signal an interest in financial gain through compromised systems.\r\nWe examined how me.exe operates, from file execution to unique network communications with a C2 server that profiles system resources for crypto mining suitability. RunningRAT's ongoing development demonstrates that even established malware can evolve in unexpected ways.\r\nRunningRAT illustrates that long-standing malware may still present significant risks, underscoring the importance of monitoring for new uses of familiar tools.\r\nNetwork Observables\r\nIP Address | Hosting Country | ASN | Domain(s) | Ports\r\n139.162.102[.]163 | JP | Akamai Connected Cloud | N/A | 80 (open directory), 445, 3306, 3389\r\n24.199.123[.]1 | US | DigitalOcean, LLC | host404111[.]xyz | 80, 1234 (open directory), 4000, 5000\r\nFile Observables\r\nFilename | SHA-256\r\nme.exe | b10884a495070c2f9ee183bbbb6d1b8f7351fc75d094f4bb212c38c859a6e867\r\nkill.exe | c55a1c1e2d0623fd7c5b2224e2e5a7b6f053f997080fb4f3d37a37d1b9ce807a\r\nxmrig.zip | 27a823c06e68b5f32c2331ef89de4f1de1773f39449a3509b3f397c3c4376cad\r\nxmr-normal.bat | e8d595834bb500f0bb3ad688fe7307e3a182229f3ef16a16549c9797cf1d8985\r\nxmr-unban.bat | 175d861d8f1337df6a0aafb845c2b7967d0c1ecd8c230e345d75d557440f15e5\r\nconfig.json | 54409f5edb22b2c84de1ff5e6a76dd4b34d5acde60a0777f16251ccf4849929f\r\nWinRing0x64.sys | 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5\r\nxmrig.exe | b69bf007797fdfecc90c5511dde776dc6c18c48cddec2804753533dbee4af80d\r\nSource: https://hunt.io/blog/runningrat-from-remote-access-to-crypto-mining",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://hunt.io/blog/runningrat-from-remote-access-to-crypto-mining"
	],
	"report_names": [
		"runningrat-from-remote-access-to-crypto-mining"
	],
	"threat_actors": [
		{
			"id": "0409120f-2b1f-4edd-a696-75d312eb2890",
			"created_at": "2023-01-06T13:46:39.463928Z",
			"updated_at": "2026-04-10T02:00:03.337809Z",
			"deleted_at": null,
			"main_name": "Hezb",
			"aliases": [
				"Mimo"
			],
			"source_name": "MISPGALAXY:Hezb",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434724,
	"ts_updated_at": 1775826680,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f2761c7025fccab32041fc020aacf6493a251fd5.pdf",
		"text": "https://archive.orkl.eu/f2761c7025fccab32041fc020aacf6493a251fd5.txt",
		"img": "https://archive.orkl.eu/f2761c7025fccab32041fc020aacf6493a251fd5.jpg"
	}
}