rms

General

Target

download_5fdg452d.torrent
Size

24KB
Sample

240505-g85x6sda98
MD5

41b7c70f3cebabf238b279a98a0fb058
SHA1

a57954251390912948907589940ffae483ea1392
SHA256

236abc9e419388c8554fc3d8a0e1fc20dfbf54955052839cddcce7c3fe26834d
SHA512

9ca1643903964b0dd2738f7d85a47d67e05ebb0f2cf97be031fb7cb4b56952d299e87aabe03fdfe9440364195c6adefca23fd955f24e7d026b9b2a8fbc27e763
SSDEEP

768:hmnjxv7cx9MLA0BQf5AlIjTBS44JyVkFNvb0odbi:kR7cx9EufulZ4Omode

Score

10^/10

Malware Config

Targets

- Target
  
  download_5fdg452d.torrent
- Size
  
  24KB
- MD5
  
  41b7c70f3cebabf238b279a98a0fb058
- SHA1
  
  a57954251390912948907589940ffae483ea1392
- SHA256
  
  236abc9e419388c8554fc3d8a0e1fc20dfbf54955052839cddcce7c3fe26834d
- SHA512
  
  9ca1643903964b0dd2738f7d85a47d67e05ebb0f2cf97be031fb7cb4b56952d299e87aabe03fdfe9440364195c6adefca23fd955f24e7d026b9b2a8fbc27e763
- SSDEEP
  
  768:hmnjxv7cx9MLA0BQf5AlIjTBS44JyVkFNvb0odbi:kR7cx9EufulZ4Omode
Score

10^/10

rms discovery evasion execution persistence rat themida trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Modifies Windows Defender notification settings
  evasion trojan
- RMS
  Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
  trojan rat rms
- Contacts a large (2512) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Blocks application from running via registry modification
  Adds application to list of disallowed applications.
  evasion
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Sets DLL path for service in the registry
  persistence
- Stops running service(s)
  evasion execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Modifies WinLogon
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2