rms | 909ab00f91ab72f4637de733e534bfefacdaef4d66217353726148f73cd13a20 | Triage

Submit
Reports

Overview

overview

Static

static

909ab00f91...20.exe

windows7-x64

909ab00f91...20.exe

windows10-2004-x64

Sharing

General

Target

909ab00f91ab72f4637de733e534bfefacdaef4d66217353726148f73cd13a20
Size

3.3MB
Sample

221205-hw3gysfe99
MD5

524ee4b4df67328653740a764f86a94e
SHA1

cdd5153de9b9090b1e5c271a0d0fdb8374746162
SHA256

909ab00f91ab72f4637de733e534bfefacdaef4d66217353726148f73cd13a20
SHA512

72bdb65abb69e1de05fe7be012f28d4fdb4e3842329c497216624908e3e7e1b50d7aa6f4540e991b6fc59a594931d2315192d0e0dafcd666a68caa020a00579f
SSDEEP

98304:7JYC4BP0AwP4unYP+0O8NPKDUDpQCOfCJ+N4dP5CVSu2:7JYBP0Oo8DDpS6Y4c32

Score

10^/10

rms collection discovery evasion rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

909ab00f91ab72f4637de733e534bfefacdaef4d66217353726148f73cd13a20.exe

Resource

win7-20220812-en

rms collection discovery evasion rat spyware stealer trojan

windows7-x64

25 signatures

150 seconds

Behavioral task

behavioral2

Sample

909ab00f91ab72f4637de733e534bfefacdaef4d66217353726148f73cd13a20.exe

Resource

win10v2004-20220812-en

rms collection discovery evasion rat spyware stealer trojan

windows10-2004-x64

26 signatures

150 seconds

Malware Config

Targets

- Target
  
  909ab00f91ab72f4637de733e534bfefacdaef4d66217353726148f73cd13a20
- Size
  
  3.3MB
- MD5
  
  524ee4b4df67328653740a764f86a94e
- SHA1
  
  cdd5153de9b9090b1e5c271a0d0fdb8374746162
- SHA256
  
  909ab00f91ab72f4637de733e534bfefacdaef4d66217353726148f73cd13a20
- SHA512
  
  72bdb65abb69e1de05fe7be012f28d4fdb4e3842329c497216624908e3e7e1b50d7aa6f4540e991b6fc59a594931d2315192d0e0dafcd666a68caa020a00579f
- SSDEEP
  
  98304:7JYC4BP0AwP4unYP+0O8NPKDUDpQCOfCJ+N4dP5CVSu2:7JYBP0Oo8DDpS6Y4c32
Score

10^/10

rms collection discovery evasion rat spyware stealer trojan
- RMS
  Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
  trojan rat rms
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Hidden Files and Directories

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

rmscollectiondiscoveryevasionratspywarestealertrojan

behavioral2

rmscollectiondiscoveryevasionratspywarestealertrojan

© 2018-2024

Terms | Privacy