rms | 393b4de1154e2b1164c0db18643ed0accc95efe44687cd41af730422ed6bbccf | Triage

Submit
Reports

Overview

overview

Static

static

3

Winlock Bu....0.exe

windows7-x64

Winlock Bu....0.exe

windows10-2004-x64

Sharing

General

Target

Winlock Builder v5.0.exe
Size

7.5MB
Sample

231012-g4ce3abh9y
MD5

182593310607f0f7b47ad80cbf5fbe74
SHA1

f74bdec42f5bb2dbbde3898e9e0bc2d16eb0fe99
SHA256

393b4de1154e2b1164c0db18643ed0accc95efe44687cd41af730422ed6bbccf
SHA512

dfb88e5b7de63e4a79df542c4d47f7d5b288e0f88fbe30d59284d8f275acb29bb93c776edc16c649a1daf511ffb302980ee19175c9f4ee4aae38db679dcc71e8
SSDEEP

196608:V7iFSsOfzkZj1Cwx8fMZYe+1ClL4oQ0utRkNk:V7Rza1dxAMZmVdtWNk

Score

10^/10

rms discovery evasion persistence rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Winlock Builder v5.0.exe

Resource

win7-20230831-en

rms discovery evasion persistence rat trojan

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

Winlock Builder v5.0.exe

Resource

win10v2004-20230915-en

rms discovery evasion persistence rat trojan

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Targets

- Target
  
  Winlock Builder v5.0.exe
- Size
  
  7.5MB
- MD5
  
  182593310607f0f7b47ad80cbf5fbe74
- SHA1
  
  f74bdec42f5bb2dbbde3898e9e0bc2d16eb0fe99
- SHA256
  
  393b4de1154e2b1164c0db18643ed0accc95efe44687cd41af730422ed6bbccf
- SHA512
  
  dfb88e5b7de63e4a79df542c4d47f7d5b288e0f88fbe30d59284d8f275acb29bb93c776edc16c649a1daf511ffb302980ee19175c9f4ee4aae38db679dcc71e8
- SSDEEP
  
  196608:V7iFSsOfzkZj1Cwx8fMZYe+1ClL4oQ0utRkNk:V7Rza1dxAMZmVdtWNk
Score

10^/10

rms discovery evasion persistence rat trojan
- RMS
  Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
  trojan rat rms
- UAC bypass
  evasion trojan
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

rmsdiscoveryevasionpersistencerattrojan

behavioral2

rmsdiscoveryevasionpersistencerattrojan

© 2018-2024

Terms | Privacy