rms

Sharing

Copy URL

Twitter E-mail

General

Target

KMS Tools Portable (2).zip
Size

168.0MB
Sample

230411-wddb1aea79
MD5

d4f69c9e7efb20ec789e45b829e2b542
SHA1

43715328ac2eb50c31a075cd4ed02d33c626140b
SHA256

3611d70fd0636f5858bd4d436e75e4afc9fc8763a034254ad6d5033f4a64ef84
SHA512

36d042b636530f3eb4bc31128b7d12905f2976df718d1d834c3476f75a8658c036c4060645ca2b9be8e9e7f2cec7c45e692040883af0332d9aaa556a24f4f865
SSDEEP

3145728:kJCHBM+DyG4HQqJMK/IoUoN2u1U1qjp6R6cPRfsG3NoZmp+paWrjfpNOn:kwHBVyGvqTXo1qFIZ5/dSgW5NOn

Score

10^/10

Malware Config

Targets

- Target
  
  KMS Tools Portable (2).zip
- Size
  
  168.0MB
- MD5
  
  d4f69c9e7efb20ec789e45b829e2b542
- SHA1
  
  43715328ac2eb50c31a075cd4ed02d33c626140b
- SHA256
  
  3611d70fd0636f5858bd4d436e75e4afc9fc8763a034254ad6d5033f4a64ef84
- SHA512
  
  36d042b636530f3eb4bc31128b7d12905f2976df718d1d834c3476f75a8658c036c4060645ca2b9be8e9e7f2cec7c45e692040883af0332d9aaa556a24f4f865
- SSDEEP
  
  3145728:kJCHBM+DyG4HQqJMK/IoUoN2u1U1qjp6R6cPRfsG3NoZmp+paWrjfpNOn:kwHBVyGvqTXo1qFIZ5/dSgW5NOn
Score

1^/10
behavioral1 behavioral2
- Target
  
  KMS Tools Portable/Add_Defender_Exclusion.cmd
- Size
  
  1KB
- MD5
  
  38214e2bb08731ec3c69fa4c9ca86ef3
- SHA1
  
  e33f8d9852ab41bd9f2a545fb57cc7450c58f234
- SHA256
  
  908400a2ca52592d52d62daf9925dae7dc805e64ef613280b00711132ff99c54
- SHA512
  
  c675f4e66aca3a81affbad0252da343dd506ebb06069609d5a84a14a590cb6a66d5cea9939396eae6e64a45d00e2862008c587c700373b72cc280c07ef039e24
Score

1^/10
behavioral3 behavioral4
- Target
  
  KMS Tools Portable/KMS Tools Portable.chm
- Size
  
  645KB
- MD5
  
  16498d20922a580ad81241d9cf7dcdf0
- SHA1
  
  dc05b5089e993e85ee8e10b174a15f6bb03e2532
- SHA256
  
  7fbcbf065ce1626694df8c443c377d0478cf32601fe74b0fd742fbcfb4f94a3f
- SHA512
  
  5696b2c214311bc1e6f77ff77109d85fd15dbaf04b0ebbca67bcfb3fd054f85ee7c4dfde489dd2ae87a311f39a2fc14d9849ccaf4caeea7c03d88de5973594fa
- SSDEEP
  
  12288:05sHaRh+WTUuOGNfLecMT1oDe68MCUPAQiAnmApgxGhh/meSiPAF7:05rtTUgtLmordPACnmggonRYt
Score

1^/10
behavioral5 behavioral6
- Target
  
  KMS Tools Portable/KMS Tools Unpack.exe
- Size
  
  5.9MB
- MD5
  
  121bedb65ed2fa262971f41652e0210a
- SHA1
  
  a9bd0e456060e5cd043523bf435d7b83973d02be
- SHA256
  
  f62bd249cf9234a478147ea330b8dfa8900e850a0e9333fe37a91d0b7176821b
- SHA512
  
  c0b8b39308d86f7773a1dea1b4e17926b5ad97945a705128696a0f9a1d5ffda76198b3af39202822a2482602d539e83c250a3460f9fab1e8b76f0b86f9edd7d1
- SSDEEP
  
  98304:ZIsszycPJOToAeYcR3Y/02DXY4QpFEkEAivmKp7FzMlEIJ1bDRz/nD13r:LcxO5h/02tqFlvKp7lgd3N17
Score

10^/10

rms evasion persistence rat themida trojan xmrig miner
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Modifies Windows Defender notification settings
  evasion trojan
- Modifies visiblity of hidden/system files in Explorer
  evasion
- RMS
  Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
  trojan rat rms
- XMRig Miner payload
  miner
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocks application from running via registry modification
  Adds application to list of disallowed applications.
  evasion
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Sets DLL path for service in the registry
  persistence
- Stops running service(s)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Modifies WinLogon
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral7 behavioral8
- Target
  
  KMS Tools Portable/KMSAuto++.ini
- Size
  
  2KB
- MD5
  
  29e5952fbda620baeb4d7e5dd3a307c4
- SHA1
  
  5e3e93a034add921ab4ecd3f5fd2ab9cd5c58354
- SHA256
  
  ee3b490ea7459675bcf0595946cc9d329e282c770b183795a6818f9033c212db
- SHA512
  
  a93c5b2be1e52e5943ac2a30b1d4b37a0f85d22c47cf0b33c6b93c918dffbff23e8d3e4487e4a2038d10ce416dc59b47ccee3e717a70635e982168466c1cdc43
Score

1^/10
behavioral10 behavioral9
- Target
  
  KMS Tools Portable/data0.bin
- Size
  
  104.8MB
- MD5
  
  0a30f9cd71d28c72875a3915a22e1ee6
- SHA1
  
  4e7583b537f20d9f161763ee218d23b06ff4c025
- SHA256
  
  771ba033df3a2af55d26d355971e2cb22b4efd00ab805afe5388ecc8a0115981
- SHA512
  
  16d489d6656120830255a7281d8029aeab770a1f18c0e74cbaad07cbb9d79fbe22ed828026a1d35bb6d8a8629842fd5fca27313928141e71bed764e16665d1df
- SSDEEP
  
  1572864:RFcVlRJaNv5IUf88ubsMWKq1wDdQCUQteX+HTrYXT9mjVm3lWdkc2oDD9EZHCPaE:8JaNvqUpuQ2xiQto+3ySGMp2oNE1W7f
Score

1^/10
behavioral11 behavioral12
- Target
  
  KMS Tools Portable/data1.bin
- Size
  
  57.2MB
- MD5
  
  368cd11b5e8ab53da5cb2e4dfdcacd25
- SHA1
  
  e449f3caefcb0ac728e479879915c9747daa5d3e
- SHA256
  
  30bddd0af7c248a4ee44fda40cffc6df9466f1b82bfe3b4ceacf8a048b4f7e5f
- SHA512
  
  29496a92c957b950e9a8f2a8f1cb3945fcd9c0b938f8f3e2f05184c48db15c0306beff5ab076a127200214adb242c8197e2c3c86e6812e88590ba292624c29f0
- SSDEEP
  
  1572864:TgB265B3xdJEdmWagkncpMXu3Yr56hfzHNFJUH:TgB2659DiafncpMXu3+6BztF
Score

7^/10
- Deletes itself
behavioral13 behavioral14
- Target
  
  KMS Tools Portable/readme.txt
- Size
  
  1KB
- MD5
  
  6a8add8404affacfa84bf4100825bb9c
- SHA1
  
  1527fdf25632cf6a12b9c16bf5f6e7642758fe95
- SHA256
  
  4dca3b1af4bdf8498c635775e5020b49b945c89bc0022b08882f5bcf5cb41a98
- SHA512
  
  d40c65cd4eee46ca5e5a113430dd5adaecfe39ec8f030e75f3f147fb36ffaef6eebeff5abdefcb560878c02df68411ef2c579976f0632ff24748a99a6d64b04a
Score

1^/10
behavioral15 behavioral16