rms | 42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86 | Triage

Submit
Reports

Overview

overview

Static

static

42764c8930...86.exe

windows7-x64

42764c8930...86.exe

windows10-2004-x64

8

Sharing

General

Target

42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86
Size

6.3MB
Sample

221127-s5r3pahd46
MD5

c487df0d8110c309c1ea8a872c4430e0
SHA1

21bb67055523e00966a8915581d1fb54f3f26c70
SHA256

42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86
SHA512

d4d4ea62daf89492613fb98c584978e4d0faa52196564a9312f7780a0bcf6141139afb3ec99791a66eac9d6963c75dae8076f994748d453f6fa243539d57c8fd
SSDEEP

196608:zgBdvBXdjCKRk81r3nONoG0pRzxMFrQj+:UnvBXH1r3nOx0pRSv

Score

10^/10

rms evasion rat trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe

Resource

win7-20220812-en

rms evasion rat trojan upx

windows7-x64

22 signatures

150 seconds

Behavioral task

behavioral2

Sample

42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86.exe

Resource

win10v2004-20221111-en

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86
- Size
  
  6.3MB
- MD5
  
  c487df0d8110c309c1ea8a872c4430e0
- SHA1
  
  21bb67055523e00966a8915581d1fb54f3f26c70
- SHA256
  
  42764c8930911975e5f7cf67d00cd3197f0afc7610580945222b4761c53e3e86
- SHA512
  
  d4d4ea62daf89492613fb98c584978e4d0faa52196564a9312f7780a0bcf6141139afb3ec99791a66eac9d6963c75dae8076f994748d453f6fa243539d57c8fd
- SSDEEP
  
  196608:zgBdvBXdjCKRk81r3nONoG0pRzxMFrQj+:UnvBXH1r3nOx0pRSv
Score

10^/10

rms evasion rat trojan upx
- RMS
  Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
  trojan rat rms
- Blocks application from running via registry modification
  Adds application to list of disallowed applications.
  evasion
- Disables taskbar notifications via registry modification
  evasion
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

rmsevasionrattrojanupx

behavioral2

© 2018-2024

Terms | Privacy