rms | c2bc915e8d7cd7db85562825fd911a3cb2c72e7e846edde152c18d6e236f6ed8

Analysis

max time kernel
156s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28-01-2024 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab331fd318fdc268d79d9bd4a4e01a02292041b70403da4f36fe8f310122cc72.exe
Size

13.4MB
MD5

7fc38f5d43fe8f667cdeb77271f1a63c
SHA1

b2e560e020f5902792dc2ea5cf16df30c60bf93a
SHA256

c2bc915e8d7cd7db85562825fd911a3cb2c72e7e846edde152c18d6e236f6ed8
SHA512

b591467372ff3a3a044daea47ae491936d091ecdd91a22a0fcfbfd949b7bb044d589f7f54f7fbbedaddc8a5ac5b0aaa62e849618034c9b22dfb10b52e051d6d2
SSDEEP

196608:svN0dTdMShx5GBzSSEGdIBCFucTCreKQay7x2FV3cuvsZIC192LDXz68buR:eaBTmHIBwHL7x2FV32l92/XzhuR

Score

10^/10

rms rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ab331fd318fdc268d79d9bd4a4e01a02292041b70403da4f36fe8f310122cc72.exerfusclient.exerutserv.exerfusclient.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	ab331fd318fdc268d79d9bd4a4e01a02292041b70403da4f36fe8f310122cc72.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	rfusclient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	rutserv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	rfusclient.exe

Executes dropped EXE 4 IoCs

Processes:

rfusclient.exerutserv.exerutserv.exerfusclient.exe

pid	Process
2712	rfusclient.exe
3428	rutserv.exe
736	rutserv.exe
2016	rfusclient.exe

Loads dropped DLL 4 IoCs

Processes:

rutserv.exerutserv.exe

pid	Process
3428	rutserv.exe
3428	rutserv.exe
736	rutserv.exe
736	rutserv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

rutserv.exerutserv.exe

pid	Process
3428	rutserv.exe
3428	rutserv.exe
3428	rutserv.exe
3428	rutserv.exe
3428	rutserv.exe
3428	rutserv.exe
3428	rutserv.exe
3428	rutserv.exe
736	rutserv.exe
736	rutserv.exe
736	rutserv.exe
736	rutserv.exe
736	rutserv.exe
736	rutserv.exe
736	rutserv.exe
736	rutserv.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rutserv.exerutserv.exe

description	pid	Process
Token: SeDebugPrivilege	3428	rutserv.exe
Token: SeTakeOwnershipPrivilege	736	rutserv.exe
Token: SeTcbPrivilege	736	rutserv.exe
Token: SeTcbPrivilege	736	rutserv.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rfusclient.exe

pid	Process
2016	rfusclient.exe
2016	rfusclient.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

rfusclient.exe

pid	Process
2016	rfusclient.exe
2016	rfusclient.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

rutserv.exerutserv.exe

pid	Process
3428	rutserv.exe
3428	rutserv.exe
3428	rutserv.exe
3428	rutserv.exe
736	rutserv.exe
736	rutserv.exe
736	rutserv.exe
736	rutserv.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ab331fd318fdc268d79d9bd4a4e01a02292041b70403da4f36fe8f310122cc72.exerfusclient.exerutserv.exe

description	pid	Process	procid_target
PID 404 wrote to memory of 2712	404	ab331fd318fdc268d79d9bd4a4e01a02292041b70403da4f36fe8f310122cc72.exe	89
PID 404 wrote to memory of 2712	404	ab331fd318fdc268d79d9bd4a4e01a02292041b70403da4f36fe8f310122cc72.exe	89
PID 404 wrote to memory of 2712	404	ab331fd318fdc268d79d9bd4a4e01a02292041b70403da4f36fe8f310122cc72.exe	89
PID 2712 wrote to memory of 3428	2712	rfusclient.exe	94
PID 2712 wrote to memory of 3428	2712	rfusclient.exe	94
PID 2712 wrote to memory of 3428	2712	rfusclient.exe	94
PID 736 wrote to memory of 2016	736	rutserv.exe	102
PID 736 wrote to memory of 2016	736	rutserv.exe	102
PID 736 wrote to memory of 2016	736	rutserv.exe	102

C:\Users\Admin\AppData\Local\Temp\ab331fd318fdc268d79d9bd4a4e01a02292041b70403da4f36fe8f310122cc72.exe
"C:\Users\Admin\AppData\Local\Temp\ab331fd318fdc268d79d9bd4a4e01a02292041b70403da4f36fe8f310122cc72.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:404
- C:\Users\Admin\AppData\Roaming\RMS Agent\69105\699DE852C7\rfusclient.exe
  "C:\Users\Admin\AppData\Roaming\RMS Agent\69105\699DE852C7\rfusclient.exe" -run_agent
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Users\Admin\AppData\Roaming\RMS Agent\69105\699DE852C7\rutserv.exe
    "C:\Users\Admin\AppData\Roaming\RMS Agent\69105\699DE852C7\rutserv.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3428
  - - C:\Users\Admin\AppData\Roaming\RMS Agent\69105\699DE852C7\rutserv.exe
      "C:\Users\Admin\AppData\Roaming\RMS Agent\69105\699DE852C7\rutserv.exe" -second
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:736
    - - C:\Users\Admin\AppData\Roaming\RMS Agent\69105\699DE852C7\rfusclient.exe
        
        "C:\Users\Admin\AppData\Roaming\RMS Agent\69105\699DE852C7\rfusclient.exe" /tray /user
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\RMS Agent\69105\699DE852C7\EULA.rtf

Filesize
114KB

MD5
c3d7db3461db0dbb8a1d2a937b1d6252

SHA1
35fafe6c6812f20454c709b0a43a21bf7e9f66bf

SHA256
cf8e39ce145e36d672cb2a140b3f33e0a1337975d7840e1d6a1920ce560bba46

SHA512
9759895e5d4f289e6227f65f46b24ad7f2607443bebd9b039f1cf42bd74c986a597d5de4bef70510c4463874a01695ca2f7ccbd231d6ef5316250d7492c48675

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\69105\699DE852C7\English.lg

Filesize
58KB

MD5
246286feb0ed55eaf4251e256d2fe47e

SHA1
bc76b013918e4c1bd6dff44708a760496d8c717c

SHA256
64c70065830cc623be55c73a940aa3da57c134ee459afbd983ff17960dc57c27

SHA512
900e670259fb3b5762c0242236ce86fcdd04300407fc4d79959edfed99bbec58b4e10048a2b9ef54e709d00717870bf09c7b5fb2f5fa3cfe844682d2bb36f12f

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\69105\699DE852C7\Russian.lg

Filesize
64KB

MD5
ff01d823419a6c243257aedfba479030

SHA1
00d307827b42c4ca7180c52f2f79000bfc274cd3

SHA256
b4fb1ae9896834dae6f20a1d79ca07ce0d6096eff589e2b48f1a5464995e96c1

SHA512
768c5dc72ed3700795fc985f1ebe60906d738471b35aadfc542994d960ff3f4fe7d35b3ebd7134dc3e0e35d8e10ebec4c0f7a382c3741ef87de5783766ad7c6a

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\69105\699DE852C7\branding.ini

Filesize
424B

MD5
c15a34733ee9fda863f29b7fecb644b5

SHA1
6bac89ceea9cbc8853acfc591c12b8f955797760

SHA256
13d219b400a096de5fc6eef8bd00be1c9c934819bee64efde4d87fa7458d7762

SHA512
e9095137c130056ac444e137ef7e3daca2097850f87e3c7a5a6103993be9658d850488ea3223a91eac8ef7e901d289c28d078dcbadbda75957366513f93a0012

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\69105\699DE852C7\libeay32.dll

Filesize
1.3MB

MD5
4cb2e1b9294ddae1bf7dcaaf42b365d1

SHA1
a225f53a8403d9b73d77bcbb075194520cce5a14

SHA256
a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884

SHA512
46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\69105\699DE852C7\logo.png

Filesize
19KB

MD5
03baf00347abc3f74b729f93e2058a9f

SHA1
66d44177346c2e29e0ab88a03685a460b0f8ad17

SHA256
16cd765dab99345a23b49f20014a9e722462945be6cac1066e4e4e9d4a1ebb81

SHA512
0fbde857aa34e9e2dfb0f088e18b9ef6db6edb0ffdd9f09c197c9df51aa99a1c28d5d527adcdc47bf39b9322bd03cc9ed2f24bdfd006a61b0dee13f10c1c5975

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\69105\699DE852C7\rfusclient.exe

Filesize
6.3MB

MD5
cc0e82ce66ebf0f5fd7fe222731aa7d6

SHA1
e8e33ff4e0c6768add1ebb8faee3ac86351a20c5

SHA256
d284ddda27eb89d873286e8d72e6613ee01c9c799d6532733a81c383143242ec

SHA512
374ac7a867a7f646570eea65198675ce946b54904dc8262f479009c2cf732ecb3fb20b3bfc61a80f4bda9bdda24d76c76423a345da33cc9c0206b33bb7013637

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\69105\699DE852C7\rutserv.exe

Filesize
12.5MB

MD5
c13556a6c7ea9539becff13e11c22586

SHA1
c4780408f3ea282d66ed1cfec12e3b4326e94664

SHA256
d811dd3978dc7ef94aaf7256c342a56c1b39627332a559d900c3ea4879fd0cbd

SHA512
90c883907cddb077bfa07119bdfcdd5bf40298bcdadf787d85e3ed7edd9473b5da7c256c403d79d9b4ec3396fba4183cd9270cabf74e1d94bb9759b8d48144a3

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\69105\699DE852C7\settings.dat

Filesize
1KB

MD5
21c00d0d153fe3926feb34a37b46cd2e

SHA1
b3e51cd8a5aa456ee92d095cec48ebd58bbd1ae9

SHA256
42b819c121cebec6160ac5b13ffb8cddd63d1d1f43a8abaa3878062fd2b130ab

SHA512
3e1732dedc97385babd1de5b950f59a8ce91f1cd83a568c6171e510dd271f6546fa7d84128c96bccbade40c9c8f0d2870a1aa0df6837a4432accff3f731ad66a

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\69105\699DE852C7\ssleay32.dll

Filesize
337KB

MD5
5c268ca919854fc22d85f916d102ee7f

SHA1
0957cf86e0334673eb45945985b5c033b412be0e

SHA256
1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56

SHA512
76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\69105\699DE852C7\vp8decoder.dll

Filesize
380KB

MD5
1ea62293ac757a0c2b64e632f30db636

SHA1
8c8ac6f8f28f432a514c3a43ea50c90daf66bfba

SHA256
970cb3e00fa68daec266cd0aa6149d3604cb696853772f20ad67555a2114d5df

SHA512
857872a260cd590bd533b5d72e6e830bb0e4e037cb6749bb7d6e1239297f21606cdbe4a0fb1492cdead6f46c88dd9eb6fab5c6e17029f7df5231cefc21fa35ab

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\69105\699DE852C7\vp8encoder.dll

Filesize
1.6MB

MD5
89770647609ac26c1bbd9cf6ed50954e

SHA1
349eed120070bab7e96272697b39e786423ac1d3

SHA256
7b4fc8e104914cdd6a7bf3f05c0d7197cfcd30a741cc0856155f2c74e62005a4

SHA512
a98688f1c80ca79ee8d15d680a61420ffb49f55607fa25711925735d0e8dbc21f3b13d470f22e0829c72a66a798eee163411b2f078113ad8153eed98ef37a2cc

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\69105\699DE852C7\webmmux.dll

Filesize
260KB

MD5
d29f7070ee379544aeb19913621c88e6

SHA1
499dcdb39862fd8ff5cbc4b13da9c465bfd5f4be

SHA256
654f43108fbd56bd2a3c5a3a74a2ff3f19ea9e670613b92a624e86747a496caf

SHA512
4ead1c8e0d33f2a6c35163c42e8f0630954de67e63bcadca003691635ccf8bfe709363ec88edb387b956535fdb476bc0b5773ede5b19cacf4858fb50072bbef5

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\69105\699DE852C7\webmvorbisdecoder.dll

Filesize
365KB

MD5
7a9eeac3ceaf7f95f44eb5c57b4db2e3

SHA1
be1048c254aa3114358f76d08c55667c4bf2d382

SHA256
b497d07ed995b16d1146209158d3b90d85c47a643fbf25a5158b26d75c478c88

SHA512
b68fa132c3588637d62a1c2bce8f8acc78e6e2f904a53644d732dc0f4e4fbc61a2829a1ac8f6b97fe4be4f3613ef92c43e6f2ab29c6abd968acc5acd635c990d

Download Submit
C:\Users\Admin\AppData\Roaming\RMS Agent\69105\699DE852C7\webmvorbisencoder.dll

Filesize
860KB

MD5
5308b9945e348fbe3a480be06885434c

SHA1
5c3cb39686cca3e9586e4b405fc8e1853caaf8ff

SHA256
9dc30fb2118aad48f6a5e0a82504f365fe40abb3134f6cceeb65859f61ad939a

SHA512
4d7f08dc738a944bcee9b013b13d595e9c913b248c42a6c095cbdfc6059da7f04cca935841ff8a43687b75bdc5af05e888241e52ef594aa752ba9425cf966412

Download Submit
memory/404-0-0x0000000003330000-0x0000000003331000-memory.dmp

Filesize
4KB

Download
memory/404-77-0x0000000000400000-0x00000000011EE000-memory.dmp

Filesize
13.9MB

Download
memory/404-86-0x0000000000400000-0x00000000011EE000-memory.dmp

Filesize
13.9MB

Download
memory/736-117-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/736-146-0x0000000000400000-0x0000000001121000-memory.dmp

Filesize
13.1MB

Download
memory/736-171-0x0000000000400000-0x0000000001121000-memory.dmp

Filesize
13.1MB

Download
memory/736-166-0x0000000000400000-0x0000000001121000-memory.dmp

Filesize
13.1MB

Download
memory/736-163-0x0000000000400000-0x0000000001121000-memory.dmp

Filesize
13.1MB

Download
memory/736-160-0x0000000000400000-0x0000000001121000-memory.dmp

Filesize
13.1MB

Download
memory/736-100-0x0000000001290000-0x0000000001291000-memory.dmp

Filesize
4KB

Download
memory/736-111-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/736-113-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/736-116-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/736-157-0x0000000000400000-0x0000000001121000-memory.dmp

Filesize
13.1MB

Download
memory/736-151-0x0000000000400000-0x0000000001121000-memory.dmp

Filesize
13.1MB

Download
memory/736-119-0x0000000005830000-0x0000000005831000-memory.dmp

Filesize
4KB

Download
memory/736-120-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/736-121-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/736-122-0x0000000005920000-0x0000000005921000-memory.dmp

Filesize
4KB

Download
memory/736-126-0x0000000006140000-0x0000000006141000-memory.dmp

Filesize
4KB

Download
memory/736-127-0x0000000006290000-0x0000000006291000-memory.dmp

Filesize
4KB

Download
memory/736-131-0x0000000001290000-0x0000000001291000-memory.dmp

Filesize
4KB

Download
memory/736-132-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/736-134-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/736-136-0x0000000000400000-0x0000000001121000-memory.dmp

Filesize
13.1MB

Download
memory/736-149-0x0000000000400000-0x0000000001121000-memory.dmp

Filesize
13.1MB

Download
memory/736-143-0x0000000000400000-0x0000000001121000-memory.dmp

Filesize
13.1MB

Download
memory/736-140-0x0000000000400000-0x0000000001121000-memory.dmp

Filesize
13.1MB

Download
memory/2016-118-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/2016-138-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/2016-144-0x0000000000400000-0x0000000000AD6000-memory.dmp

Filesize
6.8MB

Download
memory/2016-141-0x0000000000400000-0x0000000000AD6000-memory.dmp

Filesize
6.8MB

Download
memory/2016-147-0x0000000000400000-0x0000000000AD6000-memory.dmp

Filesize
6.8MB

Download
memory/2016-137-0x0000000000400000-0x0000000000AD6000-memory.dmp

Filesize
6.8MB

Download
memory/2016-150-0x0000000000400000-0x0000000000AD6000-memory.dmp

Filesize
6.8MB

Download
memory/2712-90-0x0000000000400000-0x0000000000AD6000-memory.dmp

Filesize
6.8MB

Download
memory/2712-87-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/3428-99-0x0000000000400000-0x0000000001121000-memory.dmp

Filesize
13.1MB

Download
memory/3428-97-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/3428-96-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/3428-91-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download