Overview

overview

10

Static

static

496e28699c...0c.exe

windows7_x64

10

496e28699c...0c.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    496e28699c4e3dca2f63c54c4d363198d2103730cd5e271c2d1183f4d790310c

  • Size

    4.2MB

  • Sample

    220309-v8f6psbcb4

  • MD5

    485d2a5b96a92cec418b5afe5ee8f4ba

  • SHA1

    0197ba259de9128a152e204d00c0c7a29485459b

  • SHA256

    496e28699c4e3dca2f63c54c4d363198d2103730cd5e271c2d1183f4d790310c

  • SHA512

    4543af83d116e5dcc711080533ed441eb2841851da0fef62861c6cc7ce09bc49de50ba0d5a5f15fdec11a52a7eadeac2da8d6d79286eb67d9ab05755e4ba479f

Score
10/10
rmsevasionpersistencerattrojan

Malware Config

Targets

    • Target

      496e28699c4e3dca2f63c54c4d363198d2103730cd5e271c2d1183f4d790310c

    • Size

      4.2MB

    • MD5

      485d2a5b96a92cec418b5afe5ee8f4ba

    • SHA1

      0197ba259de9128a152e204d00c0c7a29485459b

    • SHA256

      496e28699c4e3dca2f63c54c4d363198d2103730cd5e271c2d1183f4d790310c

    • SHA512

      4543af83d116e5dcc711080533ed441eb2841851da0fef62861c6cc7ce09bc49de50ba0d5a5f15fdec11a52a7eadeac2da8d6d79286eb67d9ab05755e4ba479f

    Score
    10/10
    rmsevasionpersistencerattrojan

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

      trojanratrms

    • UAC bypass

      evasiontrojan

    • Adds policy Run key to start application

      persistence

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Stops running service(s)

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks