General

  • Target

    agent-7.1.7.0.exe

  • Size

    17.1MB

  • Sample

    230201-s8cr6sad83

  • MD5

    254e7d77f5a53bd4094885703d2cf85e

  • SHA1

    36dd3760caec9f0f3caee51709668e7f575c759e

  • SHA256

    9c1228a391859ca63161ace42cc9b9024df443529828a89311dc9b675e3a916e

  • SHA512

    4790d86f8d389bb578e8edc08bd5ee60d5dfd7c13fc1da96ae3c575ec1c536fc664edf2e5126777a95813723e0260c79691ca63911144322b1baf87e7c851541

  • SSDEEP

    393216:g4wcVTVM9WdAtO2X8T5M89qkfNRIjd6FsqN/OyBnuvH6p0:BwK9dAt58ThqppU/O2wH5

Malware Config

Targets

    • Target

      agent-7.1.7.0.exe

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

    Tactic           Technique                            ID      Count
    Persistence      Registry Run Keys / Startup Folder   T1060   1
    Defense Evasion  Modify Registry                      T1112   2
    Defense Evasion  Install Root Certificate             T1130   1
    Discovery        Query Registry                       T1012   1
    Discovery        System Information Discovery         T1082   2

Tasks