rms | 9aab6acf786572e3013cee6ae05915bdf2a4e86da166897ddd030042c233593e | Triage

Submit
Reports

Overview

overview

Static

static

8

9aab6acf78...3e.exe

windows7-x64

9aab6acf78...3e.exe

windows10-2004-x64

Sharing

General

Target

9aab6acf786572e3013cee6ae05915bdf2a4e86da166897ddd030042c233593e
Size

4.0MB
Sample

221127-17c1jsge5s
MD5

c613714d39e2b2bcb8c5d7a6036145ef
SHA1

3eef6909f3f8367cc8336f7af00704cf662d6546
SHA256

9aab6acf786572e3013cee6ae05915bdf2a4e86da166897ddd030042c233593e
SHA512

af61bf7d26f2ed448042f56ce9d597e1289a535c4266ef713b0bc348467a602ec06dbc25b494dd056eacee22567687fce1417d1dc22ec27ada46009f818569cf
SSDEEP

98304:MeRrH4bOQgJ0PT+kab/bjoecLdvetq0WoNVs/7eiKo8:MeRrHLxJiT+kaLZostq0WoNweiKo8

Score

10^/10

rms evasion persistence rat trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

9aab6acf786572e3013cee6ae05915bdf2a4e86da166897ddd030042c233593e.exe

Resource

win7-20221111-en

rms evasion persistence rat trojan upx

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

9aab6acf786572e3013cee6ae05915bdf2a4e86da166897ddd030042c233593e.exe

Resource

win10v2004-20220901-en

rms evasion persistence rat trojan upx

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Targets

- Target
  
  9aab6acf786572e3013cee6ae05915bdf2a4e86da166897ddd030042c233593e
- Size
  
  4.0MB
- MD5
  
  c613714d39e2b2bcb8c5d7a6036145ef
- SHA1
  
  3eef6909f3f8367cc8336f7af00704cf662d6546
- SHA256
  
  9aab6acf786572e3013cee6ae05915bdf2a4e86da166897ddd030042c233593e
- SHA512
  
  af61bf7d26f2ed448042f56ce9d597e1289a535c4266ef713b0bc348467a602ec06dbc25b494dd056eacee22567687fce1417d1dc22ec27ada46009f818569cf
- SSDEEP
  
  98304:MeRrH4bOQgJ0PT+kab/bjoecLdvetq0WoNVs/7eiKo8:MeRrHLxJiT+kaLZostq0WoNweiKo8
Score

10^/10

rms evasion persistence rat trojan upx
- RMS
  Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
  trojan rat rms
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

rmsevasionpersistencerattrojanupx

behavioral2

rmsevasionpersistencerattrojanupx

© 2018-2024

Terms | Privacy