Overview

overview

10

Static

static

8046f1d793...7e.exe

windows7-x64

10

8046f1d793...7e.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8046f1d7935e9a1b3b3a426f1ef001b087c7aab8c55834dbb48eb3a0da40007e

  • Size

    3.3MB

  • Sample

    221129-r1qtdshd99

  • MD5

    d5d9043d6ddff5cc436e065d447531a5

  • SHA1

    21ccbed51c717ca3e5605dad8df2e73772b51ff9

  • SHA256

    8046f1d7935e9a1b3b3a426f1ef001b087c7aab8c55834dbb48eb3a0da40007e

  • SHA512

    cc7392bc0191857c5dc6921db083330b18ea99523372e5270ee92aef0ef0b061e99dd846572e2a85fa4f227022fa8594db14c68ae992eeaadba41463ebfe3ce9

  • SSDEEP

    49152:QAJYaS9FFNGvLR9Zn8tIGRH3pLsDzTMbp8TbyGPkGzki0l+ROOROhRpFSS21MzvE:7JYZFU9ZfG3YDzTt9cGzki2adRU+tW4

Score
10/10
rmscollectiondiscoveryevasionratspywarestealertrojan

Malware Config

Targets

    • Target

      8046f1d7935e9a1b3b3a426f1ef001b087c7aab8c55834dbb48eb3a0da40007e

    • Size

      3.3MB

    • MD5

      d5d9043d6ddff5cc436e065d447531a5

    • SHA1

      21ccbed51c717ca3e5605dad8df2e73772b51ff9

    • SHA256

      8046f1d7935e9a1b3b3a426f1ef001b087c7aab8c55834dbb48eb3a0da40007e

    • SHA512

      cc7392bc0191857c5dc6921db083330b18ea99523372e5270ee92aef0ef0b061e99dd846572e2a85fa4f227022fa8594db14c68ae992eeaadba41463ebfe3ce9

    • SSDEEP

      49152:QAJYaS9FFNGvLR9Zn8tIGRH3pLsDzTMbp8TbyGPkGzki0l+ROOROhRpFSS21MzvE:7JYZFU9ZfG3YDzTt9cGzki2adRU+tW4

    Score
    10/10
    rmscollectiondiscoveryevasionratspywarestealertrojan

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

      trojanratrms

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Hidden Files and Directories

2
T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

2
T1158

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

2
T1114

Exfiltration

Command and Control

Impact

Tasks