rms

General

Target

69516cc15d5538556121c418b0645c6ff58da43ffeaabba875d874520f07bd50
Size

18.0MB
Sample

220520-dy81asffc3
MD5

d5ba617663af2cfb3f6330938436b7e0
SHA1

1e196f5deead1761c10e49c06f5b37d486ab9203
SHA256

69516cc15d5538556121c418b0645c6ff58da43ffeaabba875d874520f07bd50
SHA512

67a84df74168521f4beb32a6ffe93f973bcc4a98a7ffdc1c41a38ad6b569b16c354fbc4532a5b0fa38c0a87ec390d8232c842d8669cd7f225fcd860fc9158a6a

Score

10^/10

Malware Config

Targets

- Target
  
  stardock_iconpackager_5.10/Stardock IconPackager 5.10.032.exe
- Size
  
  974KB
- MD5
  
  f6cd9278cb1f9fa3eb2709ef6b6f782f
- SHA1
  
  a69f07dc811c518c8165cf675b9db23461bafbb6
- SHA256
  
  af380b244306d5b1b4354f267647655e885b12506fd288ed68121aae2951217b
- SHA512
  
  01e64d742a8407a31abedde452c388c2b4fb53cbcffb141712f0ac84bf99a339acf5b6778b197db53f8acc18d2bb85c50c0c8d190be877623291c0f42dc45efe
Score

10^/10

rms aspackv2 discovery evasion persistence rat spyware stealer trojan upx
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RMS
  Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
  trojan rat rms
- Windows security bypass
  evasion trojan
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Blocks application from running via registry modification
  Adds application to list of disallowed applications.
  evasion
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Stops running service(s)
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Modifies WinLogon
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
behavioral1 behavioral2
- Target
  
  stardock_iconpackager_5.10/data.bin
- Size
  
  6.3MB
- MD5
  
  8781d9edf71b6d2cf0460c6521527947
- SHA1
  
  32d6daabfd8520f677a2befa593d273b6355d6ac
- SHA256
  
  2b591db4bb9ff8be15d6b248b581aa1deddd4d4f39f0a3d80054b977bb1597ec
- SHA512
  
  5e8c69366224226524d8cc7b5d2d38c0c68738ab0e9eb6f5c968ead586cdf8bda14bed83f02c7994e4a315d92f67e9b484c8b621c07c37be4d5a8a6d7bfbacbf
Score

1^/10
behavioral3 behavioral4
- Target
  
  stardock_iconpackager_5.10/data0.bin
- Size
  
  11.5MB
- MD5
  
  d257e72ad3ccc177e0a2a522e59742fa
- SHA1
  
  43fc2b65c00258016184c384f9ffcd2900be75a8
- SHA256
  
  cdd844f788eadf0b526c56b129f1d1035c3b5863c3d13f6afad34f5625edaf07
- SHA512
  
  cf4b0e1f9e38de3edaa9731a327fe244eb40d359f83947be8f5c45c78a97df662e6a5e3145c4148c3e7c44d39a4527a0961e7c23db72767e6ee3a4a769fb739e
Score

1^/10
behavioral5 behavioral6