rms | 0aac63a17439f31adb411a8d7de0cf2b1316fc2d9a5e3166fb74dc1053c805fc

Analysis

max time kernel
23s
max time network
173s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0aac63a17439f31adb411a8d7de0cf2b1316fc2d9a5e3166fb74dc1053c805fc.exe
Size

4.1MB
MD5

5fb9e7b8488d2371d19cc23dc8a5773d
SHA1

fa908ea90cd99bea6290a62ebf4c53140e43fbf0
SHA256

0aac63a17439f31adb411a8d7de0cf2b1316fc2d9a5e3166fb74dc1053c805fc
SHA512

c6a9785f151267eeba0276c06019ea2adc18fe6fa4d9bd7ed3cb1072c793ecb7f08aad68c5d2ba7b75cb9c30c625169c5fe7522d52c22ff150a9b889a2f1b6dd

Score

10^/10

rms rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000a0000000122ca-102.dat	acprotect

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000122d0-103.dat	upx
behavioral1/files/0x000a0000000122ca-102.dat	upx

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\vp8decoder.dll	0aac63a17439f31adb411a8d7de0cf2b1316fc2d9a5e3166fb74dc1053c805fc.exe
File created	C:\Program Files\Java\install.bat	0aac63a17439f31adb411a8d7de0cf2b1316fc2d9a5e3166fb74dc1053c805fc.exe
File created	C:\Program Files\Java\__tmp_rar_sfx_access_check_7105502	0aac63a17439f31adb411a8d7de0cf2b1316fc2d9a5e3166fb74dc1053c805fc.exe
File created	C:\Program Files\Java\rutserv.exe	0aac63a17439f31adb411a8d7de0cf2b1316fc2d9a5e3166fb74dc1053c805fc.exe
File created	C:\Program Files\Java\install.vbs	0aac63a17439f31adb411a8d7de0cf2b1316fc2d9a5e3166fb74dc1053c805fc.exe
File created	C:\Program Files\Java\vp8decoder.dll	0aac63a17439f31adb411a8d7de0cf2b1316fc2d9a5e3166fb74dc1053c805fc.exe
File created	C:\Program Files\Java\vp8encoder.dll	0aac63a17439f31adb411a8d7de0cf2b1316fc2d9a5e3166fb74dc1053c805fc.exe
File opened for modification	C:\Program Files\Java\vp8encoder.dll	0aac63a17439f31adb411a8d7de0cf2b1316fc2d9a5e3166fb74dc1053c805fc.exe
File opened for modification	C:\Program Files\Java\regedit.reg	0aac63a17439f31adb411a8d7de0cf2b1316fc2d9a5e3166fb74dc1053c805fc.exe
File opened for modification	C:\Program Files\Java\install.bat	0aac63a17439f31adb411a8d7de0cf2b1316fc2d9a5e3166fb74dc1053c805fc.exe
File opened for modification	C:\Program Files\Java\install.vbs	0aac63a17439f31adb411a8d7de0cf2b1316fc2d9a5e3166fb74dc1053c805fc.exe
File created	C:\Program Files\Java\rfusclient.exe	0aac63a17439f31adb411a8d7de0cf2b1316fc2d9a5e3166fb74dc1053c805fc.exe
File opened for modification	C:\Program Files\Java\rutserv.exe	0aac63a17439f31adb411a8d7de0cf2b1316fc2d9a5e3166fb74dc1053c805fc.exe
File created	C:\Program Files\Java\regedit.reg	0aac63a17439f31adb411a8d7de0cf2b1316fc2d9a5e3166fb74dc1053c805fc.exe
File opened for modification	C:\Program Files\Java\rfusclient.exe	0aac63a17439f31adb411a8d7de0cf2b1316fc2d9a5e3166fb74dc1053c805fc.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1508	timeout.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1724	taskkill.exe
1868	taskkill.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1340	regedit.exe

C:\Users\Admin\AppData\Local\Temp\0aac63a17439f31adb411a8d7de0cf2b1316fc2d9a5e3166fb74dc1053c805fc.exe
"C:\Users\Admin\AppData\Local\Temp\0aac63a17439f31adb411a8d7de0cf2b1316fc2d9a5e3166fb74dc1053c805fc.exe"
1⤵
- Drops file in Program Files directory
PID:916
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\program files\java\install.vbs"
  2⤵
  PID:1128
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Program Files\Java\install.bat" "
    3⤵
    PID:2036
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
      4⤵
      PID:1788
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s "regedit.reg"
      4⤵
      Runs .reg file with regedit
      PID:1340
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 2
      4⤵
      Delays execution with timeout.exe
      PID:1508
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im rfusclient.exe
      4⤵
      Kills process with taskkill
      PID:1868
  - - \??\c:\program files\java\rutserv.exe
      rutserv.exe /silentinstall
      4⤵
      PID:828
  - - \??\c:\program files\java\rutserv.exe
      rutserv.exe /firewall
      4⤵
      PID:596
  - - \??\c:\program files\java\rutserv.exe
      rutserv.exe /start
      4⤵
      PID:1076

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rutserv.exe
1⤵
- Kills process with taskkill
PID:1724

\??\c:\program files\java\rutserv.exe
"c:\program files\java\rutserv.exe"
1⤵
PID:704
- \??\c:\program files\java\rfusclient.exe
  "c:\program files\java\rfusclient.exe" /tray
  2⤵
  PID:1744
- \??\c:\program files\java\rfusclient.exe
  "c:\program files\java\rfusclient.exe"
  2⤵
  PID:556

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\rutserv.exe

Filesize
265KB

MD5
004a6b5cf70bb7b11eb6142c09bc7427

SHA1
8b72b1fc1fd3356895613a290fb0acab2ac106f7

SHA256
bb553bbc15b7b74a02ebc5ac79ad9cf41e7f7cfd3f4ded8ac537a47d8fc6cd8e

SHA512
40c84c44126ace65b53e54d7858f3e214876f7027b1d764a7998945e845c5890cfea8ded0f4775888de6e5bb153d2b65b40563c89d91df3cafe1ffad805e6963

Download Submit
C:\Program Files\Java\rutserv.exe

Filesize
289KB

MD5
b12cab87e3a56b03eeb4243676d2df3b

SHA1
d6fea2f037fdfdc4e10f0d0c211cef33804aca31

SHA256
2ab28e99547eefc63059df24243d070bb53023fecb6de227eebb68e1d822360b

SHA512
2cd46fc61065955a9d91b5c113b491f44a8e8fd79c3e7b24607077729a7962154bf21a34735aed68b903141e67f16d213a6ea3ef6e447d63fa0332920d813a6f

Download Submit
C:\Program Files\Java\rutserv.exe

Filesize
161KB

MD5
0019b0b26f0e16130bfc76f96985b5aa

SHA1
f555a80918513af7f510107579ded3c3536f72a2

SHA256
c5c6116ff706278a764f198334e7e86ebaacee28d85c68c7246c51aed0aefb67

SHA512
a260f95f6f97a5e2806c99f90fe979666b6f379f7d77656cd1a669641c6354468b8121bd0adc9a9891874b2cf9259b5a8b4cb94c6e6ef86dd52ecdec97578a78

Download Submit
\??\c:\program files\java\regedit.reg

Filesize
11KB

MD5
ea6dcdc7e952c392b407f7a2d447d3bf

SHA1
76655bf9d5e158a18f8c8c69887134605592e708

SHA256
daf75b59058b4851401e4bf6091b99ec8865061280863db18c68f324e8d510a8

SHA512
2ebca990a6f30d1dd4e5d2623890c6bfa361e21fb156d39ef6a01768cd2d1afefe8d134a6f05928e8aae2c53ef04a87d8df33555c00ccdbbe744930dbf253ccd

Download Submit
\??\c:\program files\java\rfusclient.exe

Filesize
322KB

MD5
9babe51ccc823e223d97d5c63ddeb729

SHA1
6597e9babb9c5c59b926be8819753e4280beac5a

SHA256
b774a46304d9cee2c6803c54721ec3ec75e09a536145d1ea322bb4d7dc04bf01

SHA512
2217404165140e0cb15470a9e5321847b1e8516835fbd86e59d1d1721d4aff29fdc9caa834da75ab7f9496bc20e61eba31e4031c5ecc31f88019b8dd83d30f33

Download Submit
\??\c:\program files\java\rutserv.exe

Filesize
429KB

MD5
a0e804f672a5cc6280731972f9c12e5e

SHA1
9e7fe2466715f10d0ed66e6d7b6ac07c62d0e285

SHA256
775b2ecb5e7848b73d91d9aeb35b07b8efe7426da1614a5b64c201733b383388

SHA512
ca23705db0acbc8d63b585996c263c8c4c39148debe39e66f2ab8b8b2518e3cf0e28a506aea1d5a640afcbae13eb90e705ef0cf1cfe755017a1d9e977291a6b5

Download Submit
\??\c:\program files\java\vp8decoder.dll

Filesize
155KB

MD5
88318158527985702f61d169434a4940

SHA1
3cc751ba256b5727eb0713aad6f554ff1e7bca57

SHA256
4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74

SHA512
5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff

Download Submit
\??\c:\program files\java\vp8encoder.dll

Filesize
179KB

MD5
71f5c6bdb179450ddf0c3ab1a1d23e02

SHA1
8da6a40edd7b59f1a9b3de713e7e4c7ca4591a0b

SHA256
04155ef647dbcaf09ec26ac7da76e37cde4d017970a9eee483afe450babceb56

SHA512
0c579d5e33e86de47a734ad043989c7abe5ce57f87b3b362b68a94b6395091ca7704f75471adfbcc4265e2c1be3ba4305ee6bf610ae5909923be16147030c1b6

Download Submit
\Program Files\Java\rfusclient.exe

Filesize
324KB

MD5
9b022ea0f8f46de43fb1d2ccffbf4ef1

SHA1
196033737665b92991bbdc049c6e6e2fa4728253

SHA256
367cf421a3ecab130b29dc943d99fc3fb9ee7ea3648eaba50cf74483d96a8930

SHA512
173e868bdc8fbe91c8a0ac3d5203d50dd061f293f369ee036b36fe0a28696b3684623bb01b3266725c920694da8d8bda3af6e3ee053e4b21e22040db7397327f

Download Submit
\Program Files\Java\rfusclient.exe

Filesize
256KB

MD5
7e814dc41c2ad9e5d2217cb3b644f1a9

SHA1
3410a139796e37cfd921f0fd77d89ce4bd4f690d

SHA256
2094f2634b5f37e4d1d24ac7d08d454ad0572eb965434b6075d2b26c2a3f854e

SHA512
1187dda1959d1bf3d4e33908cb8175660f54fccb4340278083324ff066fa373d0abd2b86f31a2eae2e938ca5b9f17dc52771fe6ace8641170a867088f41792fd

Download Submit
\Program Files\Java\rutserv.exe

Filesize
217KB

MD5
c104b45ac7656f5eae950e38343a77d5

SHA1
299d770ed6d14e2aba0107cf471e592c7bcafcec

SHA256
c9ce5ff45075b73452ef050845cf7620866aec801ef26599691cd313bd3d87c0

SHA512
e21eef90688d8596abba96fb2e6f18bb491aad26bd202cb112731247bb2d57cc8e8e431aae863eb6e227d62213617765d231a71849c093d4c466c3390c1ee006

Download Submit
memory/596-83-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/596-86-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/596-82-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/596-84-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/596-85-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/596-81-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/704-97-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/704-101-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/704-99-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/704-98-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/704-100-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/828-72-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/828-75-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/828-74-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/828-76-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/828-77-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/828-73-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/916-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1076-92-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1076-90-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1076-94-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1076-91-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1076-93-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/1076-112-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download