rms

Sharing

Copy URL

Twitter E-mail

General

Target

Setup-pass-2024.zip
Size

220.1MB
Sample

240826-v3yhssxfkn
MD5

f73bb44e4944afb407cc3843320434d8
SHA1

c8187c06e01480fb2382bb856975101bb14a5032
SHA256

a6ab044f563c8d5b1cf0a90131ee3e0e77b86f2a5d64dfb4fb22ffceed927187
SHA512

21df11d0e65024fa372117bafff21c0cd9dd26358cd86fa7cfdb77cdc11d5066bf4eaf86c4e88013728e43fb3cf000365c2523ebc8318ffe5041608465676655
SSDEEP

6291456:a7qG9tjc8rpXd9atdyGcVYxgrVPIBhLme7bmpaK7vPWCYYJ:a7qwVpXLrWO2BVNivl

Score

10^/10

Malware Config

Targets

- Target
  
  Setup-pass-2024/Setup.exe
- Size
  
  4.2MB
- MD5
  
  320e2e055e06df0aca09643116b3ef89
- SHA1
  
  cfc8e9f6140a9b04f8a3b240bbace0ec845a3196
- SHA256
  
  838f122a6e751fb3ffd45c48ea86374b0938ac70ffb6e05b1715f2de1f9bb04e
- SHA512
  
  5b40dcee0f08dd52cf9339197af1e19cbd99e576c8ece9eabefe4caf2fbfb11d95541035c1940c0017d1a020bfe9b14d5889d39610ee205809ab4b3982af34ae
- SSDEEP
  
  98304:t4mwM0MziYrBZUt8qxSiUIHrCPmYs3wP46U9Fu2DpECdko5M7gfYF:Wq0Wb0P6ILFW6uIEAE7g4
Score

10^/10

rms defense_evasion discovery evasion execution lateral_movement persistence privilege_escalation rat themida trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Modifies Windows Defender notification settings
  evasion trojan
- RMS
  Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
  trojan rat rms
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Remote Service Session Hijacking: RDP Hijacking
  Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
  lateral_movement
- Blocks application from running via registry modification
  Adds application to list of disallowed applications.
  evasion
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Server Software Component: Terminal Services DLL
  persistence
- Stops running service(s)
  evasion execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Modifies WinLogon
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Hide Artifacts: Hidden Users
  defense_evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2 behavioral3 behavioral4
- Target
  
  Setup-pass-2024/data0.bin
- Size
  
  215.4MB
- MD5
  
  38bdb3bd2750ca072241925a597ce576
- SHA1
  
  06045b51bc40ca8379ad17528b07b361818f9d92
- SHA256
  
  23e498c4034d6c072dfc451550972a99b2c7f313f8e2aba2d1cd0804e6e76b6f
- SHA512
  
  31ed4aa225f28ca1ad037438556607b07c3aac42df4b8c74293d9989e27daa84f58a78299ab9583a92842183770b2461bdfb9c49e1a040d1a3621bd154f3e522
- SSDEEP
  
  6291456:yJb4T8zKsfV47DGFnjMf28iHLn6CHizQbWhTp4:ib4TsK6i3yQeTH7jHizQITp4
Score

3^/10

discovery
behavioral5 behavioral6 behavioral7 behavioral8