rms | f63cb635800af0847c1c734fac6721903314438945e1e6bcfe2eca3a36a9f7df | Triage

Submit
Reports

Overview

overview

Static

static

f63cb63580...df.exe

windows7-x64

f63cb63580...df.exe

windows10-2004-x64

Sharing

General

Target

f63cb635800af0847c1c734fac6721903314438945e1e6bcfe2eca3a36a9f7df
Size

2.0MB
Sample

221124-e89v1shf58
MD5

11d06c992e460873209753ac74c7ab6c
SHA1

1fb3b05fc348bcf1042d8db1f72dda141aeab7d1
SHA256

f63cb635800af0847c1c734fac6721903314438945e1e6bcfe2eca3a36a9f7df
SHA512

98b469f6500aa367d70cdf1048ce49ce421f75909dfc6c00be0bbc03009f989c122a1dc1a1f4c03756f7204bce8f3f41c49788dac17f73c5cbc8a9522185f905
SSDEEP

49152:AOH5bKbqBFyLmP/aTX8fO3GOOvEG5zRL0W2B23+aDrv:AOZ/VK7l2OgL0g+aDj

Score

10^/10

rms evasion persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

f63cb635800af0847c1c734fac6721903314438945e1e6bcfe2eca3a36a9f7df.exe

Resource

win7-20220812-en

rms evasion persistence rat trojan

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

f63cb635800af0847c1c734fac6721903314438945e1e6bcfe2eca3a36a9f7df.exe

Resource

win10v2004-20221111-en

rms evasion persistence rat trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Targets

- Target
  
  f63cb635800af0847c1c734fac6721903314438945e1e6bcfe2eca3a36a9f7df
- Size
  
  2.0MB
- MD5
  
  11d06c992e460873209753ac74c7ab6c
- SHA1
  
  1fb3b05fc348bcf1042d8db1f72dda141aeab7d1
- SHA256
  
  f63cb635800af0847c1c734fac6721903314438945e1e6bcfe2eca3a36a9f7df
- SHA512
  
  98b469f6500aa367d70cdf1048ce49ce421f75909dfc6c00be0bbc03009f989c122a1dc1a1f4c03756f7204bce8f3f41c49788dac17f73c5cbc8a9522185f905
- SSDEEP
  
  49152:AOH5bKbqBFyLmP/aTX8fO3GOOvEG5zRL0W2B23+aDrv:AOZ/VK7l2OgL0g+aDj
Score

10^/10

rms evasion persistence rat trojan
- RMS
  Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
  trojan rat rms
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

rmsevasionpersistencerattrojan

behavioral2

rmsevasionpersistencerattrojan

© 2018-2024

Terms | Privacy