Overview

overview

10

Static

static

8

agent.bin.exe

windows7_x64

10

agent.bin.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    11/12/2020, 03:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    agent.bin.exe

  • Size

    10.9MB

  • MD5

    921f0eb14ea4bb8ec85c307da29a66cd

  • SHA1

    35b61e6d895627a10015dcd4c0d03c4423a02d0d

  • SHA256

    3d0862aa6676aa428e26e0b1c813c090c410b759fa7e9cdf8b0eb9d313d3618c

  • SHA512

    9125f936b12fc3c30be7a33a4d61bde1267f89bd8adee977664759bb410987c0055131187603e5007faaf80ffdd7cd79b46878471eb71fb73a13db81657660d7

Score
10/10
rmsrattrojan

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 9 IoCs
  • JavaScript code in executable 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\agent.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\agent.bin.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Users\Admin\AppData\Roaming\RMS Agent\69110\7FBFFEC308\rfusclient.exe
      "C:\Users\Admin\AppData\Roaming\RMS Agent\69110\7FBFFEC308\rfusclient.exe" -run_agent
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1748
      • C:\Users\Admin\AppData\Roaming\RMS Agent\69110\7FBFFEC308\rutserv.exe
        "C:\Users\Admin\AppData\Roaming\RMS Agent\69110\7FBFFEC308\rutserv.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:296
        • C:\Users\Admin\AppData\Roaming\RMS Agent\69110\7FBFFEC308\rutserv.exe
          "C:\Users\Admin\AppData\Roaming\RMS Agent\69110\7FBFFEC308\rutserv.exe" -second
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1128
          • C:\Users\Admin\AppData\Roaming\RMS Agent\69110\7FBFFEC308\rfusclient.exe
            "C:\Users\Admin\AppData\Roaming\RMS Agent\69110\7FBFFEC308\rfusclient.exe" /tray /user
            5⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:1084

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/296-17-0x0000000004620000-0x0000000004631000-memory.dmp

    Filesize

    68KB

    Download

  • memory/296-16-0x0000000004210000-0x0000000004221000-memory.dmp

    Filesize

    68KB

    Download

  • memory/296-18-0x0000000004210000-0x0000000004221000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1128-28-0x00000000040A0000-0x00000000040B1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1128-30-0x00000000040A0000-0x00000000040B1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1128-345-0x0000000004FC0000-0x0000000004FD1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1128-347-0x0000000004FC0000-0x0000000004FD1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1128-346-0x00000000053D0000-0x00000000053E1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1128-29-0x00000000044B0000-0x00000000044C1000-memory.dmp

    Filesize

    68KB

    Download