rms

Sharing

Copy URL

Twitter E-mail

General

Target

3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87
Size

4.0MB
Sample

240506-khyyqaef9z
MD5

fb0674fb9aac68ea53ec651f88d182c4
SHA1

841e243b1b5f409fc1c7c8e8cd273b1db405e445
SHA256

3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87
SHA512

c84467779c8c37ff6daf268707e4bdb9b6c1baa0a99cd8771f52d2a5bddbf9ea6f82fa83bf787d42fc41a02366ef08c10be9397c4fcd6ff1f9809df3c771bc12
SSDEEP

98304:C3dlA1MK9St7zGBYFXdou9kN98oVB0iPBziWI:Y6jJYFRaoiZS

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
files.000webhost.com
Port:
21
Username:
peg-top-hub

Targets

- Target
  
  3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87
- Size
  
  4.0MB
- MD5
  
  fb0674fb9aac68ea53ec651f88d182c4
- SHA1
  
  841e243b1b5f409fc1c7c8e8cd273b1db405e445
- SHA256
  
  3d2c39385f1d4b1ab690c524091644f344dac8abc8249af9c8ac54d0b2d51b87
- SHA512
  
  c84467779c8c37ff6daf268707e4bdb9b6c1baa0a99cd8771f52d2a5bddbf9ea6f82fa83bf787d42fc41a02366ef08c10be9397c4fcd6ff1f9809df3c771bc12
- SSDEEP
  
  98304:C3dlA1MK9St7zGBYFXdou9kN98oVB0iPBziWI:Y6jJYFRaoiZS
Score

10^/10

rms persistence rat trojan
- RMS
  Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
  trojan rat rms
- Manipulates Digital Signatures
  Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/INetC.dll
- Size
  
  21KB
- MD5
  
  2b342079303895c50af8040a91f30f71
- SHA1
  
  b11335e1cb8356d9c337cb89fe81d669a69de17e
- SHA256
  
  2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
- SHA512
  
  550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47
- SSDEEP
  
  384:KOoVVefeWsI7rsIquPLNN546o0Ac9khYLMkIX0+Gzyekv:4VVaeE7wIqyJN5i
Score

3^/10
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  0063d48afe5a0cdc02833145667b6641
- SHA1
  
  e7eb614805d183ecb1127c62decb1a6be1b4f7a8
- SHA256
  
  ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
- SHA512
  
  71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0
- SSDEEP
  
  192:qPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4U:F7VpNo8gmOyRsVc4
Score

3^/10
behavioral5 behavioral6
- Target
  
  $PLUGINSDIR/nsExec.dll
- Size
  
  6KB
- MD5
  
  293165db1e46070410b4209519e67494
- SHA1
  
  777b96a4f74b6c34d43a4e7c7e656757d1c97f01
- SHA256
  
  49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a
- SHA512
  
  97012139f2da5868fe8731c0b0bcb3cfda29ed10c2e6e2336b504480c9cd9fb8f4728cca23f1e0bd577d75daa542e59f94d1d341f4e8aaeebc7134bf61288c19
- SSDEEP
  
  96:4BNbUVOFvfcxEAxxxJzxLp+eELeoMEskzYzeHd0+uoyVeNSsX4:EUVOFvf9ABJFHE+FkEad0PLVeN
Score

3^/10
behavioral7 behavioral8
- Target
  
  $PLUGINSDIR/nsisFirewall.dll
- Size
  
  8KB
- MD5
  
  69f2e8c6fd141e9e720b2c4c366a8154
- SHA1
  
  a6279d93a102b6d7608dced32a36ddcd3e51994c
- SHA256
  
  2e204ee4f1d12b4ca35c8205cea0cabe354f2e79a471863cfb76a7cee83cf107
- SHA512
  
  bf23a5f3ce98e6a1c04fe8ae6b6f385483ceed62470cd109017c97f37c23adbf0203bfb43d09b007c6925aeb5da9617f33bc5c478618f00cc91da83a48cacaf2
- SSDEEP
  
  96:KCQjg8aCpUcmloiwmXaYY8NVxIYn69TEdUc1ND0RrXQAcuAtoFrJxalMu2k:KCQPeip58NjMNWND0RrXYuAWkM
Score

3^/10
behavioral10 behavioral9
- Target
  
  $PLUGINSDIR/registry.dll
- Size
  
  24KB
- MD5
  
  2b7007ed0262ca02ef69d8990815cbeb
- SHA1
  
  2eabe4f755213666dbbbde024a5235ddde02b47f
- SHA256
  
  0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d
- SHA512
  
  aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca
- SSDEEP
  
  384:W2mvyNjH3rPnAZ4wu2QbnC7qB7PnrvScaeYA4CIDEge/QqL2AQ:/75w/OfrzB4CUxuQfA
Score

3^/10
behavioral11 behavioral12
- Target
  
  Lucasrt.exe
- Size
  
  11.2MB
- MD5
  
  51ffec7d16d89f59784e7cfad795df3c
- SHA1
  
  1c0a5ad4fd9c74f829b63e7b8bfe897120d24f00
- SHA256
  
  dae52d89f6b61329c806fd90b0e13fc3c3cf2cb5761b50321039b838ac0bc343
- SHA512
  
  5936e9d854c070e5d3ff8b31937729574a3d6cf69967558d8e6dc0096c720e44df0d59bf5ab419b73c44909d3e04f9b8da47f64c960ac338ff5e73f8749bba5d
- SSDEEP
  
  98304:G6OwlI2RKvm132+y6gu70DNGyTuM+62wkYePy45CZGXPI+3ZYOx5+to:66fRKvm13Tyw0DNw7CZGg+Jvx5Wo
Score

10^/10

rms rat trojan
- RMS
  Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
  trojan rat rms
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral13 behavioral14
- Target
  
  libeay32.dll
- Size
  
  1.3MB
- MD5
  
  4cb2e1b9294ddae1bf7dcaaf42b365d1
- SHA1
  
  a225f53a8403d9b73d77bcbb075194520cce5a14
- SHA256
  
  a8124500cae0aba3411428c2c6df2762ea11cc11c312abed415d3f3667eb6884
- SHA512
  
  46cf4abf9121c865c725ca159df71066e0662595915d653914e4ec047f94e2ab3823f85c9e0e0c1311304c460c90224bd3141da62091c733dcaa5dccf64c04bb
- SSDEEP
  
  24576:VD8B+KpPexB6mqwktXUcAVEaFQXhL0porIqo+Frzba:WKkmlktXUcAVEDhQporIqo+Frzba
Score

1^/10
behavioral15 behavioral16
- Target
  
  ssleay32.dll
- Size
  
  337KB
- MD5
  
  5c268ca919854fc22d85f916d102ee7f
- SHA1
  
  0957cf86e0334673eb45945985b5c033b412be0e
- SHA256
  
  1f4b3efc919af1106f348662ee9ad95ab019058ff502e3d68e1b5f7abff91b56
- SHA512
  
  76d0abad1d7d0856ec1b8e598b05a2a6eece220ea39d74e7f6278a4219e22c75b7f618160ce41810daa57d5d4d534afd78f5cc1bd6de927dbb6a551aca2f8310
- SSDEEP
  
  6144:8EXfWSXFKIsrpivdM+kPsmWak8dfthPDP0wrE90k7DUT/NaDB7JlwScihgbX5/GU:8EXfWSVKIsrpivdM+msmWak8dfnPDPPz
Score

1^/10
behavioral17 behavioral18

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Manipulates Digital Signatures

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

RMS

Checks computer location settings

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18