Overview

overview

10

Static

static

e66e0ee41b...2e.exe

windows7_x64

10

e66e0ee41b...2e.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e66e0ee41b023384c74de2b9d302275094707ed4ad74e564b0932652ff9a7f2e

  • Size

    6.4MB

  • Sample

    210508-6z6skwhkf2

  • MD5

    41253bfee19b9631d3c508621fc9deb6

  • SHA1

    045398163ddb346eca0636bc7f9acc58f993c1e9

  • SHA256

    e66e0ee41b023384c74de2b9d302275094707ed4ad74e564b0932652ff9a7f2e

  • SHA512

    851dc55ffb8263f5bfcad9537fb81c5d4168d2d96bd29f085b785405216b348d99aabee102522dec587a9c70ff1486f67f052c167e0dd39e01be85329466d9c5

Score
10/10
rmspersistencerattrojan

Malware Config

Targets

    • Target

      e66e0ee41b023384c74de2b9d302275094707ed4ad74e564b0932652ff9a7f2e

    • Size

      6.4MB

    • MD5

      41253bfee19b9631d3c508621fc9deb6

    • SHA1

      045398163ddb346eca0636bc7f9acc58f993c1e9

    • SHA256

      e66e0ee41b023384c74de2b9d302275094707ed4ad74e564b0932652ff9a7f2e

    • SHA512

      851dc55ffb8263f5bfcad9537fb81c5d4168d2d96bd29f085b785405216b348d99aabee102522dec587a9c70ff1486f67f052c167e0dd39e01be85329466d9c5

    Score
    10/10
    rmspersistencerattrojan

    • Modifies WinLogon for persistence

      persistence

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

      trojanratrms

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks