rms | 283c08a771c7fb18463294ae3b75b07449c3c07a2b45f63ae9831d8709b10512 | Triage

Submit
Reports

Overview

overview

Static

static

283c08a771...12.exe

windows7-x64

283c08a771...12.exe

windows10-2004-x64

Sharing

General

Target

283c08a771c7fb18463294ae3b75b07449c3c07a2b45f63ae9831d8709b10512
Size

2.3MB
Sample

221122-xvbp6sea24
MD5

51b63624539d377d79a619208b2cc795
SHA1

15da4757cf87574eee4fb4538bed3639f83f9ddb
SHA256

283c08a771c7fb18463294ae3b75b07449c3c07a2b45f63ae9831d8709b10512
SHA512

83115bb2a56e85b59cce5c8bd346667efe8416f959e751c959b1802a48e3c53f8e4c5f057b2f86a9a9563f5e6f85429fd82651b1dc66c433565b99cc25c43a4e
SSDEEP

49152:WlmMc8EjGCbKeaoK94jmPBLeL7gBfi/4gXkc/hbHorCUm0fN:Wlm382GCbKeWyjUBLL2dT/xoWUT

Score

10^/10

rms evasion persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

283c08a771c7fb18463294ae3b75b07449c3c07a2b45f63ae9831d8709b10512.exe

Resource

win7-20221111-en

rms evasion persistence rat trojan

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

283c08a771c7fb18463294ae3b75b07449c3c07a2b45f63ae9831d8709b10512.exe

Resource

win10v2004-20221111-en

rms evasion persistence rat trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Targets

- Target
  
  283c08a771c7fb18463294ae3b75b07449c3c07a2b45f63ae9831d8709b10512
- Size
  
  2.3MB
- MD5
  
  51b63624539d377d79a619208b2cc795
- SHA1
  
  15da4757cf87574eee4fb4538bed3639f83f9ddb
- SHA256
  
  283c08a771c7fb18463294ae3b75b07449c3c07a2b45f63ae9831d8709b10512
- SHA512
  
  83115bb2a56e85b59cce5c8bd346667efe8416f959e751c959b1802a48e3c53f8e4c5f057b2f86a9a9563f5e6f85429fd82651b1dc66c433565b99cc25c43a4e
- SSDEEP
  
  49152:WlmMc8EjGCbKeaoK94jmPBLeL7gBfi/4gXkc/hbHorCUm0fN:Wlm382GCbKeWyjUBLL2dT/xoWUT
Score

10^/10

rms evasion persistence rat trojan
- RMS
  Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
  trojan rat rms
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

rmsevasionpersistencerattrojan

behavioral2

rmsevasionpersistencerattrojan

© 2018-2024

Terms | Privacy