General
-
Target
84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add
-
Size
8.9MB
-
Sample
220502-d6schsbdh7
-
MD5
dc586ad2525632b7febeabf20aec7bd7
-
SHA1
39ff748b2e7549af9c75baf434ff4829fb3bd98b
-
SHA256
84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add
-
SHA512
75acebdaa24ce7b1910e710a0d984bf2b942b35a4ca059668841a7b543dcf1b103c053e90288d4b977e9087e0379566b8f0afbb953efaa62e0cfff7d758b171d
Malware Config
Targets
-
-
Target
84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add
-
Size
8.9MB
-
MD5
dc586ad2525632b7febeabf20aec7bd7
-
SHA1
39ff748b2e7549af9c75baf434ff4829fb3bd98b
-
SHA256
84c8997a3415bb0a8bddeaecfd0452140575aba26ba2bb1d124a3781e8c42add
-
SHA512
75acebdaa24ce7b1910e710a0d984bf2b942b35a4ca059668841a7b543dcf1b103c053e90288d4b977e9087e0379566b8f0afbb953efaa62e0cfff7d758b171d
Score10/10-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Executes dropped EXE
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-