rms | 8e911752a92e891fd37232961a6d23e3af83f3ea015389a99df9cad6c9e3f869 | Triage

Submit
Reports

Overview

overview

Static

static

Internet-Win7-30min

windows7_x64

Resubmissions

25-06-2021 19:32

210625-6wc8e9cwj2 8

17-01-2021 18:55

210117-eh6j4sptaa 10

22-12-2020 13:14

201222-pnne3mqwlx 10

Sharing

General

Target

MicrosoftUpdate.hta
Size

26KB
Sample

201222-pnne3mqwlx
MD5

12cd7a34e347311c7f07b5b10adb1266
SHA1

fc35180c4e3f0e95e02b163ddbd79ce4151e3ee4
SHA256

8e911752a92e891fd37232961a6d23e3af83f3ea015389a99df9cad6c9e3f869
SHA512

31e4558f4fa8e9adc1e288b025ad3085f89abf3a89bb6a3857cea773c25cd97efb01cb5e814dc6f91766042f7ce1f007e621b84f09500d3672d5828a584c0e38

Score

10^/10

rms aspackv2 discovery evasion persistence rat trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

MicrosoftUpdate.hta

Resource

win7v20201028

rms aspackv2 discovery evasion persistence rat trojan upx

windows7_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  MicrosoftUpdate.hta
- Size
  
  26KB
- MD5
  
  12cd7a34e347311c7f07b5b10adb1266
- SHA1
  
  fc35180c4e3f0e95e02b163ddbd79ce4151e3ee4
- SHA256
  
  8e911752a92e891fd37232961a6d23e3af83f3ea015389a99df9cad6c9e3f869
- SHA512
  
  31e4558f4fa8e9adc1e288b025ad3085f89abf3a89bb6a3857cea773c25cd97efb01cb5e814dc6f91766042f7ce1f007e621b84f09500d3672d5828a584c0e38
Score

10^/10

rms aspackv2 discovery evasion persistence rat trojan upx
- Modifies WinLogon for persistence
  persistence
- RMS
  Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
  trojan rat rms
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Blocklisted process makes network request
- Executes dropped EXE
- Sets file execution options in registry
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Registry Run Keys / Startup Folder

Hidden Files and Directories

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

rmsaspackv2discoveryevasionpersistencerattrojanupx

© 2018-2024

Terms | Privacy