rms | b93f06715dbac64a7d43fd7014af9eca8baf2f6b9082318fdb0d1c13f88c238e | Triage

Submit
Reports

Overview

overview

Static

static

b93f06715d...8e.exe

windows7_x64

b93f06715d...8e.exe

windows10-2004_x64

Sharing

General

Target

b93f06715dbac64a7d43fd7014af9eca8baf2f6b9082318fdb0d1c13f88c238e
Size

16.3MB
Sample

220329-yyg7ssafh5
MD5

1135af60ec182f12b47d863693b523d2
SHA1

37b2499d55e1be5f09ec1e7e52736aa06a9d3ece
SHA256

b93f06715dbac64a7d43fd7014af9eca8baf2f6b9082318fdb0d1c13f88c238e
SHA512

1272753edb49149a8e1eed01da1775eaf63c8597a964427f4f9548e2ca934e159acd2b069c0d3beae851d8e8189a59d7c49aac459e67f79cc3b98e5e73ef0cc4

Score

10^/10

rms evasion persistence rat trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

b93f06715dbac64a7d43fd7014af9eca8baf2f6b9082318fdb0d1c13f88c238e.exe

Resource

win7-20220331-en

rms evasion persistence rat trojan upx

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

b93f06715dbac64a7d43fd7014af9eca8baf2f6b9082318fdb0d1c13f88c238e.exe

Resource

win10v2004-20220331-en

rms evasion persistence rat trojan upx

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  b93f06715dbac64a7d43fd7014af9eca8baf2f6b9082318fdb0d1c13f88c238e
- Size
  
  16.3MB
- MD5
  
  1135af60ec182f12b47d863693b523d2
- SHA1
  
  37b2499d55e1be5f09ec1e7e52736aa06a9d3ece
- SHA256
  
  b93f06715dbac64a7d43fd7014af9eca8baf2f6b9082318fdb0d1c13f88c238e
- SHA512
  
  1272753edb49149a8e1eed01da1775eaf63c8597a964427f4f9548e2ca934e159acd2b069c0d3beae851d8e8189a59d7c49aac459e67f79cc3b98e5e73ef0cc4
Score

10^/10

rms evasion persistence rat trojan upx
- RMS
  Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
  trojan rat rms
- UAC bypass
  evasion trojan
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Executes dropped EXE
- Stops running service(s)
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Bypass User Account Control

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Impair Defenses

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

rmsevasionpersistencerattrojanupx

behavioral2

rmsevasionpersistencerattrojanupx

© 2018-2025

Terms | Privacy