General
-
Target
a91de2cf1e3983aba4591ade5de60c09.exe
-
Size
6.1MB
-
Sample
221004-p3gx6aahh7
-
MD5
a91de2cf1e3983aba4591ade5de60c09
-
SHA1
7bca47ffd723620f382cc9ac503277481e6d7afa
-
SHA256
4a0354e05e77a9fdd435d70493c99650a8d5452399a058b64951e7b8d544f1a4
-
SHA512
b7a4706433898caaaf854612b8bab6f87d6935b8c58e3e08b1d3c3ee63924341fae50c0acfd59e052a56ac3c0ccc017bd31ecf1f9bcd4362b739ac50b17b3f6e
-
SSDEEP
196608:5bMfbHQ06JaxBEvXUJyXEJDNfZJoExr77dZWoNaUyr:NeH4YxBYXY+sJokFZWLUy
Malware Config
Targets
-
-
Target
a91de2cf1e3983aba4591ade5de60c09.exe
-
Size
6.1MB
-
MD5
a91de2cf1e3983aba4591ade5de60c09
-
SHA1
7bca47ffd723620f382cc9ac503277481e6d7afa
-
SHA256
4a0354e05e77a9fdd435d70493c99650a8d5452399a058b64951e7b8d544f1a4
-
SHA512
b7a4706433898caaaf854612b8bab6f87d6935b8c58e3e08b1d3c3ee63924341fae50c0acfd59e052a56ac3c0ccc017bd31ecf1f9bcd4362b739ac50b17b3f6e
-
SSDEEP
196608:5bMfbHQ06JaxBEvXUJyXEJDNfZJoExr77dZWoNaUyr:NeH4YxBYXY+sJokFZWLUy
Score10/10-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets DLL path for service in the registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies WinLogon
-
Drops file in System32 directory
-