General
-
Target
rroJTl.zip
-
Size
201.6MB
-
Sample
240330-22jftagg41
-
MD5
0bd238f10218f7cfb855fec2acd3a2c1
-
SHA1
1509bb460ac4e1f3bcc9a3688dce3633beebf0d1
-
SHA256
6f78a9ec4dde9902a9eafe74d46d3807c1807323202ae51f54bf1c3874bbac77
-
SHA512
26c63d04eb9e505f4b52701a7e2923ad9d248bbd428c99e4e4270a9979952b0ff7b7ca3371c8cfe93244ec9c707d56e4e6f9ed6c3c8ef7c386bd2e377f006302
-
SSDEEP
6291456:f91XqV2KEJM5Gisbd6tk7yLdu155Gisbd6tk7yLdu1ksDQEjZ:f90HEJMMHqHI15MHqHI1ksDpjZ
Malware Config
Targets
-
-
Target
sss/Install/Del3.bat
-
Size
217B
-
MD5
fb369c6af5023aff988430d0c66b7d53
-
SHA1
8c7395e08476c5b26a17acb1d0c6cff80bc4024a
-
SHA256
09d17906e4af64f008c7f0136ad1609467925bc5b9a2adf67c806b95fd7a7302
-
SHA512
419d97314c76ddfaf826ba4ecf52932e5f93c97d99b7286ab71477cef3d7c37cb91d6d7c528d4caca465e42a2471b7022259e969e8ca96c63c76f043ab425ed9
Score1/10 -
-
-
Target
sss/Install/Delete.bat
-
Size
73B
-
MD5
a7156985a69a520857d07818b2161bec
-
SHA1
4ca34541f48f4811aaba2a49d63a7b76bf7ba05e
-
SHA256
bb4810e0f1e95012705f20e78fdc63a57917a9f3d848520e4f3f2a7975dbdbe9
-
SHA512
5a46596f08a32b246573e24896b1407d4b747eef9722a45be20084d50939cf2d9417793e3a83e7edd91587cfbda1074a9ea7539a73b6f991b233210ca638247b
Score1/10 -
-
-
Target
sss/Install/del.bat
-
Size
315B
-
MD5
155557517f00f2afc5400ba9dc25308e
-
SHA1
77a53a8ae146cf1ade1c9d55bbd862cbeb6db940
-
SHA256
f00d027b0ed99814846378065b3da90d72d76307d37b7be46f5a480f425a764e
-
SHA512
40baee6e6b22c386886d89172ad7c17605166f992f2d364c68d90b9874ab6f7b85e0accc91e83b4fbd2ae702def365f23542f22f6be7ff2f7949496cc0ba8a32
Score1/10 -
-
-
Target
sss/Install/smss.exe
-
Size
9.1MB
-
MD5
654ef0043a2140a9b4a3c3479fcc2c20
-
SHA1
2f04ce20503551c9e502aae447fe3e2323cb235a
-
SHA256
86d55ed79c6a468e2ca2950999307a3b6b0994b805583b1bda8302b2a48e580a
-
SHA512
fd920abc23347bf5633c9cfe74b707c528aca195bac54dd4e09cfd6e19a7dfc20a0d39dc1025e13387e5ae6b79bf83a95ccd6ffb142714ca7464ab5ca477e17d
-
SSDEEP
196608:3JVF1k+HVmf2uazME9UO8XF7uyR9phaku3PXmDKv5/XnYgdDc:3J31DHk2uazT9dCF7JtMkufXmDcYgVc
Score10/10-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Modifies Windows Firewall
-
Sets DLL path for service in the registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies WinLogon
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
sss/RDPWinst.exe
-
Size
1.4MB
-
MD5
3288c284561055044c489567fd630ac2
-
SHA1
11ffeabbe42159e1365aa82463d8690c845ce7b7
-
SHA256
ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753
-
SHA512
c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02
-
SSDEEP
24576:prKxoVT2iXc+IZ++6WiaTAsN/3ebTvK+63CWH8iA/iD2hgPjcC8SVdKumYr7:EHZ5pdqYH8ia6GcKuR7
Score1/10 -
-
-
Target
sss/ReaItekHD/taskhost.exe
-
Size
21.7MB
-
MD5
b2ceb39a1dc0ed07e6e91ebc1131e6af
-
SHA1
bd5d9ca87727af82c0109d8fdd44fcd090a4302a
-
SHA256
7f29a1005a7c5c936791c1f9b2a6745286a01467fb15c94beaaf72ac959aee1e
-
SHA512
c8deb6c184e58fb27f2d760c8740af5a62c4182824e9b48607eb810fa95896c8bcdbf8d50c117f06a620b8f35c3eaa59a9376f8b8b9d27ca17a2b2f2047adb07
-
SSDEEP
393216:h/f16H6QzwnoD13bPmzcAWOzOutBzA6YG7E3VHEx8OdM8E4BQ4vqd0TEX:hV4SoD13bPmzcAWUA6rE3VHEx86MgKYQ
Score10/10-
Modifies visiblity of hidden/system files in Explorer
-
XMRig Miner payload
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
sss/ReaItekHD/taskhostw.exe
-
Size
28.1MB
-
MD5
dc1292c7fa973a334934340d6674e376
-
SHA1
82660001eeefec20cdfa4ce78f8db5e6968ce729
-
SHA256
fcc78017b47e6d12fc84a479bce14e27562e746d928ebe30bdb13cbc3cc8c2d1
-
SHA512
7fe20bc6ccd8e78036c5ab7517706f88e8d5ed4ed602515ad702d4db5a2271b44fd76fed5fd7bbf4cd47b5006cfb97772f01f6ead2b35af7ff10d7b9ec2c4a04
-
SSDEEP
786432:5Uv4WjB487BSaxifeu5K/P9D/puKTLAA+ecrJ:5UvbnoX5g/puKTczr
Score9/10-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Drops file in Drivers directory
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
sss/Windows Tasks Service/winserv.exe
-
Size
10.2MB
-
MD5
3f4f5a6cb95047fea6102bd7d2226aa9
-
SHA1
fc09dd898b6e7ff546e4a7517a715928fbafc297
-
SHA256
99fd9e75e6241eff30e01c5b59df9e901fb24d12bee89c069cc6158f78b3cc98
-
SHA512
de5c8155f426a4e55953ae85410c7d9ad84f5643c30865fc036d1270310e28754772bd0f3093444a16ef0c1fa3db6c56301746fb5e7f03ce692bfdad0c4fb688
-
SSDEEP
196608:iz+UZcWP4jBrfWgEgIV8Rzy7Vj4FZvEo:i6UZcWWeVj4FZ
Score10/10-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
-
-
Target
sss/WindowsTask/AMD.exe
-
Size
71.1MB
-
MD5
ac62edd743bc189fb5e31ef5843ac6a4
-
SHA1
1dc5950034991f72cae33f4bba1bc43e842ee08c
-
SHA256
7411902ba3632eb8c449486f61ee1b556520aca7f3ae5229d81d6b263c733fcb
-
SHA512
04c607b3ccdaf0509d876993b5a539a12f701654d8d551cd35075583529455c5ee395b52a11073d4705c2d4ac759a5cd8d26ef08e4540de351ad79d93560ce84
-
SSDEEP
1572864:ScsepK5+vi1e6yQIZpLYz5F5SghrbD+uz9uY2hyM0FLq/qlmHt0rwBIGtrU9eIq2:DsOK5+K1erXkz5LXbyU9uZYM0lqPlvtS
Score1/10 -
-
-
Target
sss/WindowsTask/AppModule.exe
-
Size
71.1MB
-
MD5
ac62edd743bc189fb5e31ef5843ac6a4
-
SHA1
1dc5950034991f72cae33f4bba1bc43e842ee08c
-
SHA256
7411902ba3632eb8c449486f61ee1b556520aca7f3ae5229d81d6b263c733fcb
-
SHA512
04c607b3ccdaf0509d876993b5a539a12f701654d8d551cd35075583529455c5ee395b52a11073d4705c2d4ac759a5cd8d26ef08e4540de351ad79d93560ce84
-
SSDEEP
1572864:ScsepK5+vi1e6yQIZpLYz5F5SghrbD+uz9uY2hyM0FLq/qlmHt0rwBIGtrU9eIq2:DsOK5+K1erXkz5LXbyU9uZYM0lqPlvtS
Score1/10 -
-
-
Target
sss/WindowsTask/MicrosoftHost.exe
-
Size
5.2MB
-
MD5
e8ffe812b5a2d068d85ca363b3517c32
-
SHA1
a12dd68e7cb09bfcf08a3c61162230f92fd74f55
-
SHA256
55bb09f52b39deb0de2a2ec4bd05624ac4de1b6a7a576cc9ac0eaf6342aebb1d
-
SHA512
6b14d3d649e077c0a099de43683939405cefb058398fed2ebcd9a952066413f82f3e4a7a9722141cf86927702deeea1604cb2fc90d2ea5935241e19d523e5a56
-
SSDEEP
98304:ZiX2isksvJauI4D1ckKOpLryp1JAX+uI2+lQomLWtYmpi6Quao7bbeC6q:eskxp7M+B2QHmbmpi6/p3eC6q
Score1/10 -
-
-
Target
sss/WindowsTask/WinRing0x64.sys
-
Size
14KB
-
MD5
0c0195c48b6b8582fa6f6373032118da
-
SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299
-
SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
-
SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d
-
SSDEEP
192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
Score1/10 -
-
-
Target
sss/WindowsTask/audiodg.exe
-
Size
7.1MB
-
MD5
bcbb6f2d561ea3b6cd8f3cfc13486b9e
-
SHA1
52bb4b2d2484f4b2caee8acedfed50e7a4e928e6
-
SHA256
31fcc864de2e72799529a54ab9f7881f99d09100d240b71cd833836f404544c0
-
SHA512
4ade8219aefa089f424152cc4cecad0d988265f3004456963ac7975171c7a7b4f913dca54e55efd641cc0974ff3e1af052148b990e885c28a54c258070146d38
-
SSDEEP
98304:uTGpmHej51BpYSFN0jCGdnd879RSTvRICGUQlZabx6+PbVdcfC3EUhJ8n4o:EGsHaFpYSQ3dCRSbRPtQe16+PvcfConJ
Score9/10-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
sss/WindowsTask/winlogon.bat
-
Size
134B
-
MD5
4b09f42752d782958f48e3a4094fb235
-
SHA1
699cda02f1d20d720d3a24ab23c0700aee8f052e
-
SHA256
39128f3f6e8910fc7766da7eb80e5bea6b1c32cbd47ac6d1c7b60ee11d088ba9
-
SHA512
621532f1aee46a5bbe691a153092e721f36af827554b7211f34e56c0531a4c73569805d9d7ab86e571daed60966201bbdfcf8553a320f0c7da471096c0004542
Score1/10 -
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Account Manipulation
1Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Scheduled Task/Job
1Defense Evasion
Virtualization/Sandbox Evasion
4Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
5Hide Artifacts
1Hidden Files and Directories
1File and Directory Permissions Modification
1