General

  • Target

    027961bbc5f4cf5e52258528cd36ef50e7289d4874fb761486426f5dbd980cd8

  • Size

    4.9MB

  • Sample

    220524-r6r9eaafcl

  • MD5

    edc66358fbfd4fed0b446f67a229be63

  • SHA1

    9459061611df5469510e0b8b9790cb87fd5abeaf

  • SHA256

    027961bbc5f4cf5e52258528cd36ef50e7289d4874fb761486426f5dbd980cd8

  • SHA512

    52d05eef4c8810c14b393b91e677853e795053bde8f2acad005257260482dafe0cbdf52874da8d0f5a6df4e107758ac0fd4b8ad6f94b79d5a607d52152bba32e

Malware Config

Targets

    • Modifies WinLogon for persistence

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks