rms

General

Target

2e6075783679f70eaa43fe3eeec3fa6a0aa25a2f4984ea690689ef1dc9342a96
Size

5.4MB
Sample

220520-pty53seffm
MD5

5a5ba329cdf91fd46e3d0f8129cd0c5b
SHA1

8343efb217dab5253e5018aba48b46c2355455ec
SHA256

2e6075783679f70eaa43fe3eeec3fa6a0aa25a2f4984ea690689ef1dc9342a96
SHA512

52247b7ef75abcd1b903eb8b88cc023d2025850b3219a9452c727e9dcbe7960c8ef299d207cadb76378bc0054720c4af5cdc6866bf022abd5ff40b138d35bfdd

Score

10^/10

Malware Config

Targets

- Target
  
  2e6075783679f70eaa43fe3eeec3fa6a0aa25a2f4984ea690689ef1dc9342a96
- Size
  
  5.4MB
- MD5
  
  5a5ba329cdf91fd46e3d0f8129cd0c5b
- SHA1
  
  8343efb217dab5253e5018aba48b46c2355455ec
- SHA256
  
  2e6075783679f70eaa43fe3eeec3fa6a0aa25a2f4984ea690689ef1dc9342a96
- SHA512
  
  52247b7ef75abcd1b903eb8b88cc023d2025850b3219a9452c727e9dcbe7960c8ef299d207cadb76378bc0054720c4af5cdc6866bf022abd5ff40b138d35bfdd
Score

10^/10

rms evasion rat trojan
- RMS
  Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
  trojan rat rms
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

2

T1158

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Executes dropped EXE

Sets file to hidden

Checks computer location settings

Loads dropped DLL

Looks up external IP address via web service

AutoIT Executable

Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2