Overview

overview

10

Static

static

C8EBEC4136...B7.exe

windows7_x64

10

C8EBEC4136...B7.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    C8EBEC4136A41A11AA96976CE1B5D4B01785FF3AC94B7.exe

  • Size

    13.6MB

  • Sample

    210426-tg21ewvjcj

  • MD5

    516fa42131ea944681b66d6373769edf

  • SHA1

    040837f030572bbad6ee8086ce0d5c94a14bcfd4

  • SHA256

    c8ebec4136a41a11aa96976ce1b5d4b01785ff3ac94b781550cc2e11984c7a2c

  • SHA512

    527497acecbbd0aee3be9c4428305e711871ad5c1d7839fa54a4bbc84c7c555e616d4d0850a53e3ef0bb5398aaf7b866904cb33a8ed9fc0151cfc6bcd4284c13

Score
10/10
rmsrattrojan

Malware Config

Targets

    • Target

      C8EBEC4136A41A11AA96976CE1B5D4B01785FF3AC94B7.exe

    • Size

      13.6MB

    • MD5

      516fa42131ea944681b66d6373769edf

    • SHA1

      040837f030572bbad6ee8086ce0d5c94a14bcfd4

    • SHA256

      c8ebec4136a41a11aa96976ce1b5d4b01785ff3ac94b781550cc2e11984c7a2c

    • SHA512

      527497acecbbd0aee3be9c4428305e711871ad5c1d7839fa54a4bbc84c7c555e616d4d0850a53e3ef0bb5398aaf7b866904cb33a8ed9fc0151cfc6bcd4284c13

    Score
    10/10
    rmsrattrojan

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

      trojanratrms

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks