rms | 98abbdc3e858ec0647826f9ea66624a15424e4b9c7e6a026341b41f0668f4423 | Triage

Submit
Reports

Overview

overview

Static

static

officedepl...30.exe

windows7-x64

officedepl...30.exe

windows10-2004-x64

Sharing

General

Target

officedeploymenttool_15330-20230.exe
Size

4.4MB
Sample

220831-c3y58ahca7
MD5

ad65a509881ef712234bb07cb1165a46
SHA1

519a968fe267b9bf77f7ff2ba1074e8e20202d60
SHA256

98abbdc3e858ec0647826f9ea66624a15424e4b9c7e6a026341b41f0668f4423
SHA512

eb584be09f95f292b9cf4197685ad8762f84e39c4308eb0dfbfde2b82482cb58f13cbbde6bd49d3ad5d52bf96a8fea068de3d960a06242f25eb85d933ca322fd
SSDEEP

98304:HXz+89bq0C+fRXzclLI6bei3yTu8HsXwKcuj:3K8Bq0DfaN/3yTSAUj

Score

10^/10

rms discovery persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

officedeploymenttool_15330-20230.exe

Resource

win7-20220812-en

rms discovery persistence rat trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

officedeploymenttool_15330-20230.exe

Resource

win10v2004-20220812-en

rms discovery persistence rat trojan

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Targets

- Target
  
  officedeploymenttool_15330-20230.exe
- Size
  
  4.4MB
- MD5
  
  ad65a509881ef712234bb07cb1165a46
- SHA1
  
  519a968fe267b9bf77f7ff2ba1074e8e20202d60
- SHA256
  
  98abbdc3e858ec0647826f9ea66624a15424e4b9c7e6a026341b41f0668f4423
- SHA512
  
  eb584be09f95f292b9cf4197685ad8762f84e39c4308eb0dfbfde2b82482cb58f13cbbde6bd49d3ad5d52bf96a8fea068de3d960a06242f25eb85d933ca322fd
- SSDEEP
  
  98304:HXz+89bq0C+fRXzclLI6bei3yTu8HsXwKcuj:3K8Bq0DfaN/3yTSAUj
Score

10^/10

rms discovery persistence rat trojan
- RMS
  Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
  trojan rat rms
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

rmsdiscoverypersistencerattrojan

behavioral2

rmsdiscoverypersistencerattrojan

© 2018-2024

Terms | Privacy