Extracted

• • Target

    6f1a8ee627ec2ed7e1d818d32a34a163416938eb13a97783a71f9b79843a80a2

  • Size

    3.2MB

  • MD5

    f2c77a9133ba9d576b84605e480eb5b4

  • SHA1

    d8e22eeb5cd9e204905580a3d5d3ebc0afd0202a

  • SHA256

    6f1a8ee627ec2ed7e1d818d32a34a163416938eb13a97783a71f9b79843a80a2

  • SHA512

    6f1259012decc3796cf9b62950e4b928b08861120b711595f06c2510cdafb93ff478f25cb2eb29c0679cfdd84d0b325e24fb3739b499401e3cc3468984ecff1e

  Score

  10^/10

  rmssmokeloaderbackdoorpersistencerattrojan

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    trojanratrms

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Executes dropped EXE

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Adds Run key to start application

    persistence
  behavioral1behavioral2