rms | 7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4 | Triage

Sharing

General

Target

7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4
Size

6.2MB
Sample

220524-tgnwssgha6
MD5

92b37954eae6bb90e8e08a249e642013
SHA1

272fb78cdb8f6dc6a3b043f891b47658fa399415
SHA256

7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4
SHA512

5f4155d442aff3659406550851ec9dab38f7664e85fb8acca8cf63fff187e2dcdfec9cc4231f98608f6fcb0b306b518038cff19d05599f9efddeb3e539295d76

Score

10^/10

rms persistence rat trojan

Malware Config

Targets

- Target
  
  7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4
- Size
  
  6.2MB
- MD5
  
  92b37954eae6bb90e8e08a249e642013
- SHA1
  
  272fb78cdb8f6dc6a3b043f891b47658fa399415
- SHA256
  
  7d0e9374f7f13302b342c6ee8ebb0b866bc6d82342eba3aed834f1245b1bebc4
- SHA512
  
  5f4155d442aff3659406550851ec9dab38f7664e85fb8acca8cf63fff187e2dcdfec9cc4231f98608f6fcb0b306b518038cff19d05599f9efddeb3e539295d76
Score

10^/10

rms persistence rat trojan
- Modifies WinLogon for persistence
  persistence
- RMS
  Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
  trojan rat rms
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

rmspersistencerattrojan

behavioral2

rmspersistencerattrojan