rms

Sharing

Copy URL

Twitter E-mail

General

Target

rroJTl.zip
Size

201.6MB
Sample

240330-22jftagg41
MD5

0bd238f10218f7cfb855fec2acd3a2c1
SHA1

1509bb460ac4e1f3bcc9a3688dce3633beebf0d1
SHA256

6f78a9ec4dde9902a9eafe74d46d3807c1807323202ae51f54bf1c3874bbac77
SHA512

26c63d04eb9e505f4b52701a7e2923ad9d248bbd428c99e4e4270a9979952b0ff7b7ca3371c8cfe93244ec9c707d56e4e6f9ed6c3c8ef7c386bd2e377f006302
SSDEEP

6291456:f91XqV2KEJM5Gisbd6tk7yLdu155Gisbd6tk7yLdu1ksDQEjZ:f90HEJMMHqHI15MHqHI1ksDpjZ

Score

10^/10

Malware Config

Targets

- Target
  
  sss/Install/Del3.bat
- Size
  
  217B
- MD5
  
  fb369c6af5023aff988430d0c66b7d53
- SHA1
  
  8c7395e08476c5b26a17acb1d0c6cff80bc4024a
- SHA256
  
  09d17906e4af64f008c7f0136ad1609467925bc5b9a2adf67c806b95fd7a7302
- SHA512
  
  419d97314c76ddfaf826ba4ecf52932e5f93c97d99b7286ab71477cef3d7c37cb91d6d7c528d4caca465e42a2471b7022259e969e8ca96c63c76f043ab425ed9
Score

1^/10
behavioral1 behavioral2
- Target
  
  sss/Install/Delete.bat
- Size
  
  73B
- MD5
  
  a7156985a69a520857d07818b2161bec
- SHA1
  
  4ca34541f48f4811aaba2a49d63a7b76bf7ba05e
- SHA256
  
  bb4810e0f1e95012705f20e78fdc63a57917a9f3d848520e4f3f2a7975dbdbe9
- SHA512
  
  5a46596f08a32b246573e24896b1407d4b747eef9722a45be20084d50939cf2d9417793e3a83e7edd91587cfbda1074a9ea7539a73b6f991b233210ca638247b
Score

1^/10
behavioral3 behavioral4
- Target
  
  sss/Install/del.bat
- Size
  
  315B
- MD5
  
  155557517f00f2afc5400ba9dc25308e
- SHA1
  
  77a53a8ae146cf1ade1c9d55bbd862cbeb6db940
- SHA256
  
  f00d027b0ed99814846378065b3da90d72d76307d37b7be46f5a480f425a764e
- SHA512
  
  40baee6e6b22c386886d89172ad7c17605166f992f2d364c68d90b9874ab6f7b85e0accc91e83b4fbd2ae702def365f23542f22f6be7ff2f7949496cc0ba8a32
Score

1^/10
behavioral5 behavioral6
- Target
  
  sss/Install/smss.exe
- Size
  
  9.1MB
- MD5
  
  654ef0043a2140a9b4a3c3479fcc2c20
- SHA1
  
  2f04ce20503551c9e502aae447fe3e2323cb235a
- SHA256
  
  86d55ed79c6a468e2ca2950999307a3b6b0994b805583b1bda8302b2a48e580a
- SHA512
  
  fd920abc23347bf5633c9cfe74b707c528aca195bac54dd4e09cfd6e19a7dfc20a0d39dc1025e13387e5ae6b79bf83a95ccd6ffb142714ca7464ab5ca477e17d
- SSDEEP
  
  196608:3JVF1k+HVmf2uazME9UO8XF7uyR9phaku3PXmDKv5/XnYgdDc:3J31DHk2uazT9dCF7JtMkufXmDcYgVc
Score

10^/10

rms evasion persistence rat themida trojan
- RMS
  Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
  trojan rat rms
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Modifies Windows Firewall
  evasion
- Sets DLL path for service in the registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Modifies WinLogon
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral7 behavioral8
- Target
  
  sss/RDPWinst.exe
- Size
  
  1.4MB
- MD5
  
  3288c284561055044c489567fd630ac2
- SHA1
  
  11ffeabbe42159e1365aa82463d8690c845ce7b7
- SHA256
  
  ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753
- SHA512
  
  c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02
- SSDEEP
  
  24576:prKxoVT2iXc+IZ++6WiaTAsN/3ebTvK+63CWH8iA/iD2hgPjcC8SVdKumYr7:EHZ5pdqYH8ia6GcKuR7
Score

1^/10
behavioral10 behavioral9
- Target
  
  sss/ReaItekHD/taskhost.exe
- Size
  
  21.7MB
- MD5
  
  b2ceb39a1dc0ed07e6e91ebc1131e6af
- SHA1
  
  bd5d9ca87727af82c0109d8fdd44fcd090a4302a
- SHA256
  
  7f29a1005a7c5c936791c1f9b2a6745286a01467fb15c94beaaf72ac959aee1e
- SHA512
  
  c8deb6c184e58fb27f2d760c8740af5a62c4182824e9b48607eb810fa95896c8bcdbf8d50c117f06a620b8f35c3eaa59a9376f8b8b9d27ca17a2b2f2047adb07
- SSDEEP
  
  393216:h/f16H6QzwnoD13bPmzcAWOzOutBzA6YG7E3VHEx8OdM8E4BQ4vqd0TEX:hV4SoD13bPmzcAWUA6rE3VHEx86MgKYQ
Score

10^/10

xmrig discovery evasion miner themida trojan
- Modifies visiblity of hidden/system files in Explorer
  evasion
- XMRig Miner payload
  miner
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral11 behavioral12
- Target
  
  sss/ReaItekHD/taskhostw.exe
- Size
  
  28.1MB
- MD5
  
  dc1292c7fa973a334934340d6674e376
- SHA1
  
  82660001eeefec20cdfa4ce78f8db5e6968ce729
- SHA256
  
  fcc78017b47e6d12fc84a479bce14e27562e746d928ebe30bdb13cbc3cc8c2d1
- SHA512
  
  7fe20bc6ccd8e78036c5ab7517706f88e8d5ed4ed602515ad702d4db5a2271b44fd76fed5fd7bbf4cd47b5006cfb97772f01f6ead2b35af7ff10d7b9ec2c4a04
- SSDEEP
  
  786432:5Uv4WjB487BSaxifeu5K/P9D/puKTLAA+ecrJ:5UvbnoX5g/puKTczr
Score

9^/10

evasion persistence themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Drops file in Drivers directory
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral13 behavioral14
- Target
  
  sss/Windows Tasks Service/winserv.exe
- Size
  
  10.2MB
- MD5
  
  3f4f5a6cb95047fea6102bd7d2226aa9
- SHA1
  
  fc09dd898b6e7ff546e4a7517a715928fbafc297
- SHA256
  
  99fd9e75e6241eff30e01c5b59df9e901fb24d12bee89c069cc6158f78b3cc98
- SHA512
  
  de5c8155f426a4e55953ae85410c7d9ad84f5643c30865fc036d1270310e28754772bd0f3093444a16ef0c1fa3db6c56301746fb5e7f03ce692bfdad0c4fb688
- SSDEEP
  
  196608:iz+UZcWP4jBrfWgEgIV8Rzy7Vj4FZvEo:i6UZcWWeVj4FZ
Score

10^/10

rms rat trojan
- RMS
  Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
  trojan rat rms
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral15 behavioral16
- Target
  
  sss/WindowsTask/AMD.exe
- Size
  
  71.1MB
- MD5
  
  ac62edd743bc189fb5e31ef5843ac6a4
- SHA1
  
  1dc5950034991f72cae33f4bba1bc43e842ee08c
- SHA256
  
  7411902ba3632eb8c449486f61ee1b556520aca7f3ae5229d81d6b263c733fcb
- SHA512
  
  04c607b3ccdaf0509d876993b5a539a12f701654d8d551cd35075583529455c5ee395b52a11073d4705c2d4ac759a5cd8d26ef08e4540de351ad79d93560ce84
- SSDEEP
  
  1572864:ScsepK5+vi1e6yQIZpLYz5F5SghrbD+uz9uY2hyM0FLq/qlmHt0rwBIGtrU9eIq2:DsOK5+K1erXkz5LXbyU9uZYM0lqPlvtS
Score

1^/10
behavioral17 behavioral18
- Target
  
  sss/WindowsTask/AppModule.exe
- Size
  
  71.1MB
- MD5
  
  ac62edd743bc189fb5e31ef5843ac6a4
- SHA1
  
  1dc5950034991f72cae33f4bba1bc43e842ee08c
- SHA256
  
  7411902ba3632eb8c449486f61ee1b556520aca7f3ae5229d81d6b263c733fcb
- SHA512
  
  04c607b3ccdaf0509d876993b5a539a12f701654d8d551cd35075583529455c5ee395b52a11073d4705c2d4ac759a5cd8d26ef08e4540de351ad79d93560ce84
- SSDEEP
  
  1572864:ScsepK5+vi1e6yQIZpLYz5F5SghrbD+uz9uY2hyM0FLq/qlmHt0rwBIGtrU9eIq2:DsOK5+K1erXkz5LXbyU9uZYM0lqPlvtS
Score

1^/10
behavioral19 behavioral20
- Target
  
  sss/WindowsTask/MicrosoftHost.exe
- Size
  
  5.2MB
- MD5
  
  e8ffe812b5a2d068d85ca363b3517c32
- SHA1
  
  a12dd68e7cb09bfcf08a3c61162230f92fd74f55
- SHA256
  
  55bb09f52b39deb0de2a2ec4bd05624ac4de1b6a7a576cc9ac0eaf6342aebb1d
- SHA512
  
  6b14d3d649e077c0a099de43683939405cefb058398fed2ebcd9a952066413f82f3e4a7a9722141cf86927702deeea1604cb2fc90d2ea5935241e19d523e5a56
- SSDEEP
  
  98304:ZiX2isksvJauI4D1ckKOpLryp1JAX+uI2+lQomLWtYmpi6Quao7bbeC6q:eskxp7M+B2QHmbmpi6/p3eC6q
Score

1^/10
behavioral21 behavioral22
- Target
  
  sss/WindowsTask/WinRing0x64.sys
- Size
  
  14KB
- MD5
  
  0c0195c48b6b8582fa6f6373032118da
- SHA1
  
  d25340ae8e92a6d29f599fef426a2bc1b5217299
- SHA256
  
  11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
- SHA512
  
  ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d
- SSDEEP
  
  192:nqjKhp+GQvzj3i+5T9oGYJh1wAoxhSF6OOoe068jSJUbueq1H2PIP0:qjKL+v/y+5TWGYOf2OJ06dUb+pQ
Score

1^/10
behavioral23 behavioral24
- Target
  
  sss/WindowsTask/audiodg.exe
- Size
  
  7.1MB
- MD5
  
  bcbb6f2d561ea3b6cd8f3cfc13486b9e
- SHA1
  
  52bb4b2d2484f4b2caee8acedfed50e7a4e928e6
- SHA256
  
  31fcc864de2e72799529a54ab9f7881f99d09100d240b71cd833836f404544c0
- SHA512
  
  4ade8219aefa089f424152cc4cecad0d988265f3004456963ac7975171c7a7b4f913dca54e55efd641cc0974ff3e1af052148b990e885c28a54c258070146d38
- SSDEEP
  
  98304:uTGpmHej51BpYSFN0jCGdnd879RSTvRICGUQlZabx6+PbVdcfC3EUhJ8n4o:EGsHaFpYSQ3dCRSbRPtQe16+PvcfConJ
Score

9^/10

evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral25 behavioral26
- Target
  
  sss/WindowsTask/winlogon.bat
- Size
  
  134B
- MD5
  
  4b09f42752d782958f48e3a4094fb235
- SHA1
  
  699cda02f1d20d720d3a24ab23c0700aee8f052e
- SHA256
  
  39128f3f6e8910fc7766da7eb80e5bea6b1c32cbd47ac6d1c7b60ee11d088ba9
- SHA512
  
  621532f1aee46a5bbe691a153092e721f36af827554b7211f34e56c0531a4c73569805d9d7ab86e571daed60966201bbdfcf8553a320f0c7da471096c0004542
Score

1^/10
behavioral27 behavioral28