Keypoints
- RunningRAT samples were found in publicly accessible open directories, enabling easy discovery and deployment.
- Recent activity shows a shift from remote access/data theft toward deploying cryptocurrency miners (XMRig) on compromised hosts.
- me.exe drops multiple components (NETSYSDDL.exe, 240634687.dll, ini.ini) and registers a custom svchost service group so that the main DLL is loaded and run inside svchost.exe.
- The malware communicates with C2 infrastructure at 24.199.123[.]1 (host404111[.]xyz) and profiles host hardware and session identifiers.
- Open C2 directories contain mining artifacts and scripts (xmrig.zip, xmr-normal.bat, xmr-unban.bat) that remove competitors, install XMRig, and register it as a service.
- Additional tooling (kill.exe) appears aimed at harvesting stored credentials and supporting further access and reconnaissance.
- Findings underscore that legacy malware families can evolve toward financially motivated operations and require continuous monitoring.
MITRE Techniques
- [T1095] Non-Application Layer Protocol (Command and Control) – The RAT talks to its C2 over a raw TCP socket rather than an application protocol (‘communicates with the C2 server at 24.199.123[.]1 on TCP port 4000’).
- [T1105] Ingress Tool Transfer – The mining kit is pulled from an open HTTP File Server on the same C2 host (xmrig.zip, nssm.zip and the xmr-normal.bat / xmr-unban.bat installers).
- [T1555] Credentials from Password Stores / [T1552.001] Unsecured Credentials: Credentials In Files – kill.exe appears to ‘scan the compromised device’s file system for stored credentials from files and web browsers’; this is harvesting of saved credentials from files and browsers, not OS credential dumping of LSASS or the SAM (T1003).
- [T1543.003] Create or Modify System Process: Windows Service (Persistence) – me.exe registers a custom svchost service group so that 240634687.dll is loaded by svchost.exe and its ‘MainThread’ function runs the RAT’s core logic; the miner is persisted the same way through NSSM (‘register the miner as a service under the name “c3pool_miner”’).
- [T1496] Resource Hijacking – XMRig is installed and run on compromised hosts to mine cryptocurrency for the operator, after competing miners have been removed.
- [T1082] System Information Discovery – The RAT reports host hardware details to the C2 (e.g., the CPU clock string ‘4192MHz’) together with a session identifier (‘heybro123456’), consistent with gauging a host’s suitability for mining.
- [T1190] Exploit Public-Facing Application (Initial Access) – In related RunningRAT activity, initial access and payload distribution relied on exposed services and known vulnerabilities (‘exploiting known vulnerabilities such as Log4Shell’); this summary does not document how me.exe reached the hosts analysed here.
Indicators of Compromise
- [IP Address] Hosting and C2 context – 139.162.102[.]163 (open directory on Akamai, JP), 24.199.123[.]1 (DigitalOcean C2 / open directory, US)
- [Domain] C2 and enrichment – host404111[.]xyz (C2 domain hosted on 24.199.123[.]1), api.ipify[.]org (used to retrieve the host’s public IP)
- [File Hash] Sample hashes – b10884a495070c2f9ee183bbbb6d1b8f7351fc75d094f4bb212c38c859a6e867 (me.exe), c55a1c1e2d0623fd7c5b2224e2e5a7b6f053f997080fb4f3d37a37d1b9ce807a (kill.exe), and 6 more hashes
- [Filename] Payloads and scripts – me.exe (initial dropper), xmrig.exe (miner), xmr-normal.bat / xmr-unban.bat (installation scripts) and other supporting files (xmrig.zip, nssm.zip)
RunningRAT, long documented as a stealthy remote access trojan, has been found hosted in public open directories and repurposed to deploy cryptocurrency miners. The observed sample me.exe drops three primary files (NETSYSDDL.exe, 240634687.dll, ini.ini), registers a non-standard svchost service group so that the DLL is loaded by svchost.exe rather than by a stand-alone process, and invokes the DLL’s MainThread function to carry out data collection, C2 communication, and persistence tasks.
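A service that hides behind svchost.exe has to leave two traces in the registry: a group name under the Svchost key and a service entry whose ImagePath runs `svchost.exe -k <group>` with a ServiceDll. The check below, an added example that is not code from the hunt.io post, takes a constructed snapshot of those two locations and flags svchost-hosted services whose group is not a stock Windows group or whose ServiceDll lives outside System32. The group name NetSysDDL and the ProgramData path are assumptions modelled on the dropper’s file names; on a live host the same keys can be read with the standard-library winreg module or a `reg export`.

```python
import re

# Stock svchost groups on a typical Windows build. This is an allow-list to
# tune against a known-good host of the same build, not an exhaustive catalogue.
KNOWN_GROUPS = {
    "DcomLaunch", "LocalService", "LocalServiceNetworkRestricted",
    "LocalServiceNoNetwork", "LocalSystemNetworkRestricted", "NetworkService",
    "NetworkServiceNetworkRestricted", "RPCSS", "netsvcs", "wsappx",
    "LocalServiceAndNoImpersonation", "UnistackSvcGroup",
}

# Constructed snapshot of
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
# (group name -> services allowed to run inside that group).
SVCHOST_GROUPS = {
    "netsvcs": ["Schedule", "BITS", "wuauserv"],
    "LocalService": ["nsi", "W32Time"],
    "NetSysDDL": ["NETSYSDDL"],          # hypothetical custom group planted by the dropper
}

# Constructed snapshot of HKLM\SYSTEM\CurrentControlSet\Services\<name>.
SERVICES = {
    "Schedule": {
        "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs -p",
        "ServiceDll": r"%SystemRoot%\system32\schedsvc.dll",
    },
    "NETSYSDDL": {                        # hypothetical entry modelled on me.exe's components
        "ImagePath": r"%SystemRoot%\System32\svchost.exe -k NetSysDDL",
        "ServiceDll": r"C:\ProgramData\NETSYSDDL\240634687.dll",
    },
    "Spooler": {                          # not svchost-hosted, should be skipped
        "ImagePath": r"%SystemRoot%\System32\spoolsv.exe",
    },
}

GROUP_RE = re.compile(r"svchost\.exe.*?-k\s+(\S+)", re.IGNORECASE)
SYSTEM_DIRS = (r"%systemroot%\system32", r"c:\windows\system32")


def svchost_group(image_path):
    """Return the -k group name from an svchost ImagePath, or None if not svchost."""
    m = GROUP_RE.search(image_path)
    return m.group(1) if m else None


def dll_outside_system32(service_dll):
    """True when the ServiceDll path does not resolve under System32."""
    return not service_dll.lower().startswith(SYSTEM_DIRS)


def find_suspicious_services(services, svchost_groups, known_groups=KNOWN_GROUPS):
    """Return [(service_name, [reasons])] for svchost-hosted services that look planted."""
    findings = []
    for name, keys in services.items():
        group = svchost_group(keys.get("ImagePath", ""))
        if group is None:
            continue                      # ordinary executable service, out of scope here
        reasons = []
        if group not in known_groups:
            reasons.append(f"non-standard svchost group '{group}'")
        if name not in svchost_groups.get(group, []):
            reasons.append(f"service not listed under Svchost\\{group}")
        dll = keys.get("ServiceDll")
        if dll is None:
            reasons.append("svchost-hosted service without a ServiceDll value")
        elif dll_outside_system32(dll):
            reasons.append(f"ServiceDll outside System32: {dll}")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for svc, why in find_suspicious_services(SERVICES, SVCHOST_GROUPS):
        print(svc)
        for r in why:
            print("  -", r)
```

The group allow-list will differ between Windows releases, so diff it against a clean reference image before acting on a hit; the ServiceDll-outside-System32 signal is the stronger of the two and matches the way the dropper stages 240634687.dll.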
Network analysis shows direct connections to 24.199.123[.]1 (host404111[.]xyz), where an open HTTP File Server hosts xmrig.zip and supporting installers. Batch and PowerShell scripts (xmr-normal.bat, xmr-unban.bat) remove competing miners, download and extract XMRig, and use NSSM (the Non-Sucking Service Manager) to register the miner as a persistent service named “c3pool_miner.” Packet captures contain hardware profiling strings (e.g., “4192MHz”) and an identifier (“heybro123456”), suggesting the operator gauges each host’s mining suitability and tracks sessions with a token.
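The indicators in this summary translate directly into host and network detections. The rule set below, an added example that is not code from the hunt.io post, applies them to Sysmon-style process-creation (event 1) and network-connection (event 3) records: the named payload files, an NSSM install of the c3pool_miner service, an XMRig launch with a pool argument, and any connection to the C2 address or domain, with the raw TCP 4000 channel called out separately. The sample events, their paths and the exact command lines are constructed; the page does not reproduce the scripts’ real command lines, so those are assumptions.

```python
import re
from dataclasses import dataclass

# Indicators taken from the summary above.
C2_IPS = {"24.199.123.1", "139.162.102.163"}
C2_DOMAINS = {"host404111.xyz"}
C2_PORTS = {4000}
MINER_SERVICE = "c3pool_miner"
IOC_FILES = {
    "me.exe", "netsysddl.exe", "240634687.dll", "ini.ini", "kill.exe",
    "xmrig.exe", "xmrig.zip", "nssm.zip", "xmr-normal.bat", "xmr-unban.bat",
    "nssm.exe",   # assumption: the binary unpacked from nssm.zip
}


@dataclass
class Event:
    kind: str                 # "process" (Sysmon event 1) or "network" (Sysmon event 3)
    image: str = ""
    cmdline: str = ""
    dest_ip: str = ""
    dest_host: str = ""
    dest_port: int = 0


def basename(path):
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_process(ev):
    cl = ev.cmdline.lower()
    hits = []
    if basename(ev.image) in IOC_FILES:
        hits.append(f"image is a named payload: {basename(ev.image)}")
    for f in sorted(IOC_FILES):           # payload referenced as an argument (e.g. a script run via cmd.exe)
        if f in cl and basename(ev.image) != f:
            hits.append(f"command line references {f}")
    if re.search(r"nssm(\.exe)?\s+install\s+" + re.escape(MINER_SERVICE), cl):
        hits.append(f"NSSM registering service {MINER_SERVICE}")
    if re.search(r"xmrig(\.exe)?\b.*\s(-o|--url)\s", cl):
        hits.append("xmrig launched with a pool URL")
    for ind in C2_IPS | C2_DOMAINS:       # e.g. a download URL baked into the install script
        if ind in cl:
            hits.append(f"command line contains C2 indicator {ind}")
    return hits


def match_network(ev):
    if ev.dest_ip not in C2_IPS and ev.dest_host.lower() not in C2_DOMAINS:
        return []
    where = ev.dest_host or ev.dest_ip
    if ev.dest_port in C2_PORTS:
        return [f"RAT C2 channel to {where}:{ev.dest_port}"]
    return [f"connection to C2 infrastructure {where}:{ev.dest_port}"]


def evaluate(events):
    """Return {event_index: [hit descriptions]} for every event matching a rule."""
    out = {}
    for i, ev in enumerate(events):
        hits = match_process(ev) if ev.kind == "process" else match_network(ev)
        if hits:
            out[i] = hits
    return out


# Constructed sample telemetry resembling an xmr-normal.bat run plus RAT beaconing.
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Windows\System32\cmd.exe",
          cmdline=r"cmd.exe /c C:\Users\Public\xmr-normal.bat"),
    Event("process", image=r"C:\Users\Public\nssm.exe",
          cmdline=r"nssm.exe install c3pool_miner C:\Users\Public\xmrig\xmrig.exe"),
    Event("process", image=r"C:\Users\Public\xmrig\xmrig.exe",
          cmdline="xmrig.exe -o pool.example.invalid:3333 -u WALLET"),
    Event("network", image=r"C:\Windows\System32\svchost.exe",
          dest_ip="24.199.123.1", dest_host="host404111.xyz", dest_port=4000),
    Event("network", image=r"C:\Program Files\Browser\browser.exe",
          dest_ip="203.0.113.10", dest_host="example.com", dest_port=443),
    Event("process", image=r"C:\Windows\System32\notepad.exe", cmdline="notepad.exe"),
]

if __name__ == "__main__":
    for idx, hits in evaluate(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].image, "->", "; ".join(hits))
```

The filename rules are the weakest (xmrig.exe and nssm.exe are legitimately used elsewhere), so in practice weight the NSSM-plus-c3pool_miner and TCP 4000 rules higher and treat the filename matches as corroboration.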
Additional tooling such as kill.exe appears intended to harvest stored credentials and support further reconnaissance, while inconsistent AV labels (e.g., Winnti/ZxShell) have likely reduced the family’s visibility in vendor reports. Together, these findings show how an established RAT can be adapted for financial gain and reinforce the need for continuous monitoring of open directories, C2 domains, and the related indicators listed above.
Read more: https://hunt.io/blog/runningrat-from-remote-access-to-crypto-mining