URL: rmansys.ru

Full analysis: https://app.any.run/tasks/768139ed-7658-4cf1-9cfd-38657d48db52
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish full or partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the user's data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: January 24, 2024, 06:58:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: rat, rms
Indicators:
MD5: FD1487D510F94AC232CC6220211F8A0A
SHA1: 15460A8FF54D0B436E74B4483CF85DCB76CDF712
SHA256: 5706224F1DFFAF93F800F31DA2429E84D6C288C873008A2DA7E1476B2EF43E22
SSDEEP: 3:lWcWjQn:lbWjQn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drop RMS (RAT) executable file
      • WinRAR.exe (PID: 3956)
  • SUSPICIOUS
    • Reads settings of System Certificates
      • rutview.exe (PID: 3940)
    • Reads the Internet Settings
      • rutview.exe (PID: 3940)
  • INFO
    • Application launched itself
      • iexplore.exe (PID: 664)
    • The process uses the downloaded file
      • iexplore.exe (PID: 664)
      • WinRAR.exe (PID: 3956)
    • Reads the computer name
      • rutview.exe (PID: 3940)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3956)
    • Reads Windows Product ID
      • rutview.exe (PID: 3940)
    • Reads Environment values
      • rutview.exe (PID: 3940)
    • Reads the machine GUID from the registry
      • rutview.exe (PID: 3940)
    • Drops the executable file immediately after the start
      • WinRAR.exe (PID: 3956)
    • Checks supported languages
      • rutview.exe (PID: 3940)
    • Process checks computer location settings
      • rutview.exe (PID: 3940)
    • Reads product name
      • rutview.exe (PID: 3940)
    • Create files in a temporary directory
      • rutview.exe (PID: 3940)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Graph nodes (image not available): start, iexplore.exe, iexplore.exe, iexplore.exe, iexplore.exe, winrar.exe, rutview.exe

Process information

PID: 452
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:664 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iertutil.dll

PID: 664
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "rmansys.ru"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iertutil.dll

PID: 2876
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:664 CREDAT:2299149 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iertutil.dll

PID: 3344
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:664 CREDAT:3151117 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iertutil.dll

PID: 3940
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3956.22779\rms-viewer-portable\rutview.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3956.22779\rms-viewer-portable\rutview.exe
Parent process: WinRAR.exe
User: admin
Company: TektonIT
Integrity Level: MEDIUM
Description: RMS
Exit code: 0
Version: 7.2.2.0
Modules (images):
  • c:\users\admin\appdata\local\temp\rar$exa3956.22779\rms-viewer-portable\rutview.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\icmp.dll
  • c:\windows\system32\iphlpapi.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\nsi.dll
  • c:\windows\system32\winnsi.dll
  • c:\windows\system32\rpcrt4.dll

PID: 3956
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\rms-viewer-portable-7.2.2.0.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: iexplore.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
  • c:\program files\winrar\winrar.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\comdlg32.dll
Total events: 38 640
Read events: 38 453
Write events: 181
Delete events: 6

Modification events

PID | Process | Key | Operation | Name | Value
664 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | write | NTPDaysSinceLastAutoMigration | 0
664 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | write | NTPLastLaunchHighDateTime | 30847387
664 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | write | NextCheckForUpdateHighDateTime | 30847437
664 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie:
664 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited:
664 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | write | CompatibilityFlags | 0
664 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
664 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
664 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1
664 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0
Executable files: 12
Suspicious files: 58
Text files: 57
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
452 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\rms_blue-32[1].svg | image | 82F207DB363374D36B23251865623053 | 99959DD8F9B8E9BBFD460A8E7806553B2F956F2B19840331C1D5C9808142E550
452 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\US86LG0U.htm | html | DC53DD08F9AF85FF54A31ABE0BB345FE | 760F00A6901C0235F2A004F0B5F2C15E7EE38543CD9E7C24D980F8D5BC63E6DD
452 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\f01a291ad337ae7a3c8cea5aa6a12489[1].css | text | 1C3A1FA06FC09E645EDFFE7F9E9281F2 | F4D0037FB0216AB50E4606659735570A343E9B2B4707997C07149DA68616B884
452 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\libs.bundle[1].css | text | D9D7D0367134CFE1A1DC10CAB68D2D6E | D9A2151E53649B339105DF261BBAB29EDA506498D1E59C8E2BB8C2D80C95E2E2
452 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\speed[1].svg | image | 45AFCACE8A6E5046269E4BC5B95273DE | A6819C599312355BE2559604035B70EF50FAEB307AF052BD4B12449472EE7349
452 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\theme.bundle[1].js | text | 1A3B9B4E45BCEF5CA54E93550C6BD3B4 | DA2D93F7D106E421EC68AC7717AEA584355C01B687113272E2F1916F176806C1
452 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\security-shield[1].svg | image | C506629B5DC9C4DFE4D9AB5ED3DBAFE8 | 5B8EBA6F1D659E3F14F128990455142FCA191BB90CC23CDC2C056683E954B3F7
452 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\vendor.bundle[1].js | text | C94DE3099C6F34A4EC1A6DD2065D8B49 | 149235A83D4A97A840101EC4F8385EBD518FCA7A9DC2334DB23147150A2FD506
452 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\cloud[1].svg | image | FE60317A144E1DE6491C5ACE3E4FBBE5 | 9FE124E21896EA518776CAA91149E0A4A01E07558F82E1359827E8987AEA1037
452 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\jquery-3.6.0.min[1].js | text | 8FB8FEE4FCC3CC86FF6C724154C49C42 | FF1523FB7389539C84C65ABA19260648793BB4F5E29329D2EE8804BC37A3FE6E
HTTP(S) requests: 42
TCP/UDP connections: 67
DNS requests: 31
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
452 | iexplore.exe | GET | 200 | 194.58.89.203:80 | http://rmansys.ru/ | unknown | html | 12.6 Kb | unknown
452 | iexplore.exe | GET | 200 | 194.58.89.203:80 | http://rmansys.ru/landkit/assets/css/theme.bundle.css | unknown | text | 50.2 Kb | unknown
452 | iexplore.exe | GET | 200 | 194.58.89.203:80 | http://rmansys.ru/landkit/assets/css/libs.bundle.css | unknown | text | 4.87 Kb | unknown
452 | iexplore.exe | GET | 200 | 194.58.89.203:80 | http://rmansys.ru/hostcmsfiles/css/f01a291ad337ae7a3c8cea5aa6a12489.css?1699011905 | unknown | text | 321 b | unknown
452 | iexplore.exe | GET | 200 | 194.58.89.203:80 | http://rmansys.ru/js/jquery-3.6.0.min.js | unknown | text | 30.2 Kb | unknown
452 | iexplore.exe | GET | 200 | 194.58.89.203:80 | http://rmansys.ru/images/my/icons/rms_blue-32.svg | unknown | image | 1.46 Kb | unknown
452 | iexplore.exe | GET | 200 | 194.58.89.203:80 | http://rmansys.ru/images/my/speed.svg | unknown | image | 442 b | unknown
452 | iexplore.exe | GET | 200 | 194.58.89.203:80 | http://rmansys.ru/landkit/assets/js/vendor.bundle.js | unknown | text | 186 Kb | unknown
452 | iexplore.exe | GET | 200 | 194.58.89.203:80 | http://rmansys.ru/landkit/assets/js/theme.bundle.js | unknown | text | 3.18 Kb | unknown
452 | iexplore.exe | GET | 200 | 194.58.89.203:80 | http://rmansys.ru/images/my/security-shield.svg | unknown | image | 1.01 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
452 | iexplore.exe | 194.58.89.203:80 | rmansys.ru | Domain names registrar REG.RU, Ltd | RU | unknown
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
452 | iexplore.exe | 216.239.38.178:443 | www.google-analytics.com | GOOGLE | US | unknown
452 | iexplore.exe | 93.158.134.119:443 | mc.yandex.ru | YANDEX LLC | RU | whitelisted
452 | iexplore.exe | 23.32.238.234:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
452 | iexplore.exe | 216.58.212.163:80 | ocsp.pki.goog | GOOGLE | US | whitelisted
452 | iexplore.exe | 104.18.21.226:80 | ocsp.globalsign.com | CLOUDFLARENET | | shared
452 | iexplore.exe | 104.18.20.226:80 | ocsp.globalsign.com | CLOUDFLARENET | | shared

DNS requests

Domain | IP | Reputation
rmansys.ru | 194.58.89.203 | malicious
www.google-analytics.com | 216.239.38.178, 216.239.32.178, 216.239.36.178, 216.239.34.178 | whitelisted
mc.yandex.ru | 93.158.134.119, 87.250.251.119, 77.88.21.119, 87.250.250.119 | whitelisted
ctldl.windowsupdate.com | 23.32.238.234, 23.32.238.226, 23.32.238.235, 23.32.238.227, 23.32.238.240, 23.32.238.232, 23.32.238.243, 23.32.238.225, 23.32.238.242, 23.32.238.186, 23.32.238.209, 23.32.238.208, 23.32.238.203, 23.32.238.192, 23.32.238.184, 23.32.238.179, 23.32.238.195, 23.32.238.202, 23.32.238.216, 23.32.238.210, 23.32.238.218 | whitelisted
ocsp.pki.goog | 216.58.212.163 | whitelisted
ocsp.globalsign.com | 104.18.21.226, 104.18.20.226 | whitelisted
ocsp2.globalsign.com | 104.18.20.226, 104.18.21.226 | whitelisted
www.googletagmanager.com | 142.250.186.168 | whitelisted
region1.google-analytics.com | 216.239.34.36, 216.239.32.36 | whitelisted
mc.yandex.com | 77.88.21.119, 93.158.134.119, 87.250.251.119, 87.250.250.119 | whitelisted

Threats

No threats detected

Debug output

Process | Message
rutview.exe | Font size: 11