File name: rutserv.exe

Full analysis: https://app.any.run/tasks/8c02f844-73a5-46b4-9230-02f3b59cb5e5
Verdict: Malicious activity
Threats:

Metamorfo is a trojan malware family that has been active since 2018. It remains a top threat, focusing on stealing victims’ financial information, including banking credentials and other data. The malware is known for targeting users in Brazil.

Analysis date: January 04, 2024, 08:35:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: rat, rms, metamorfo
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: C805F814BE968F1405A1144D02E8034D
SHA1: 600B70C9565F138232A2F72A247381703EE2BA79
SHA256: B9B5BF758928B1E68A6D3E8001A71572076DDAD8B46765DFEC25C4947DAAC87D
SSDEEP: 98304:llBiTwUaaNl8OGNZClhwzjBKLPxcCw5jklA+ke6IAV6YlHSzmVUJMW6G4tOlIlqK:CPu3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • METAMORFO has been detected (YARA)
      • rutserv.exe (PID: 784)
  • SUSPICIOUS
    No suspicious indicators.
  • INFO
    • Drop RMS (RAT) executable file
      • rutserv.exe (PID: 2016)
    • Reads the computer name
      • rutserv.exe (PID: 2016)
      • rutserv.exe (PID: 784)
    • Checks supported languages
      • rutserv.exe (PID: 2016)
      • rutserv.exe (PID: 784)
    • Drops the executable file immediately after the start
      • rutserv.exe (PID: 2016)
    • Reads product name
      • rutserv.exe (PID: 2016)
      • rutserv.exe (PID: 784)
    • Reads Environment values
      • rutserv.exe (PID: 2016)
      • rutserv.exe (PID: 784)
    • Reads the machine GUID from the registry
      • rutserv.exe (PID: 2016)
      • rutserv.exe (PID: 784)
    • Process checks computer location settings
      • rutserv.exe (PID: 2016)
      • rutserv.exe (PID: 784)
    • Reads Windows Product ID
      • rutserv.exe (PID: 2016)
      • rutserv.exe (PID: 784)
    • Application launched itself
      • rutserv.exe (PID: 2016)
    • Creates files or folders in the user directory
      • rutserv.exe (PID: 784)
    • Connects to unusual port
      • rutserv.exe (PID: 784)
No Malware configuration.

TRiD

.exe | Inno Setup installer (53.5)
.exe | InstallShield setup (21)
.exe | Win32 EXE PECompact compressed (generic) (20.2)
.exe | Win32 Executable (generic) (2.1)
.exe | Win16/32 Executable Delphi generic (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:04:13 12:13:16+02:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 7320576
InitializedDataSize: 2008576
UninitializedDataSize: -
EntryPoint: 0x6fc7b8
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 6.6.0.3
ProductVersionNumber: 6.6.0.3
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: TektonIT
FileDescription: RMS
FileVersion: 6.6.0.3
LegalCopyright: Copyright © 2017 TektonIT. All rights reserved.
LegalTrademarks: Remote Manipulator System, TektonIT
ProductName: Remote Manipulator System
ProductVersion: 6.6.0.3
ProgramID: ru.rmansys.rutserv
Total processes: 38
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph (rendered only in the full report; node labels: start, rutserv.exe #METAMORFO, rutserv.exe, rutserv.exe no specs)

Process information

PID: 784
CMD: C:\Users\admin\AppData\Local\Temp\rutserv.exe -second
Path: C:\Users\admin\AppData\Local\Temp\rutserv.exe
Parent process: rutserv.exe
User: SYSTEM
Company: TektonIT
Integrity Level: SYSTEM
Description: RMS
Exit code: 0
Version: 6.6.0.3
Modules (images):
c:\users\admin\appdata\local\temp\rutserv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

PID: 1072
CMD: "C:\Users\admin\AppData\Local\Temp\rutserv.exe"
Path: C:\Users\admin\AppData\Local\Temp\rutserv.exe
Parent process: explorer.exe
User: admin
Company: TektonIT
Integrity Level: MEDIUM
Description: RMS
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity instance exited and the binary was relaunched elevated)
Version: 6.6.0.3
Modules (images):
c:\users\admin\appdata\local\temp\rutserv.exe
c:\windows\system32\ntdll.dll

PID: 2016
CMD: "C:\Users\admin\AppData\Local\Temp\rutserv.exe"
Path: C:\Users\admin\AppData\Local\Temp\rutserv.exe
Parent process: explorer.exe
User: admin
Company: TektonIT
Integrity Level: HIGH
Description: RMS
Exit code: 0
Version: 6.6.0.3
Modules (images):
c:\users\admin\appdata\local\temp\rutserv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
Total events: 6 650
Read events: 6 644
Write events: 6
Delete events: 0

Modification events

(PID) Process: (784) rutserv.exe
Key: HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\TektonIT\RMS Buhphone\Host\Parameters
Operation: write
Name: Options
Value: (omitted)

(PID) Process: (784) rutserv.exe
Key: HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\TektonIT\RMS Buhphone\Host\Parameters
Operation: write
Name: InternetId
Value: (omitted)

(PID) Process: (784) rutserv.exe
Key: HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\TektonIT\RMS Buhphone\Host\Parameters
Operation: write
Name: Options
Value: (omitted)

(PID) Process: (784) rutserv.exe
Key: HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\TektonIT\RMS Buhphone\Host\Parameters
Operation: write
Name: InternetId
Value: (omitted)
Executable files: 0
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
784 | rutserv.exe | C:\Users\admin\AppData\Roaming\RMS_settings\Logs\rms_log_2024-01.html | html
MD5: 1F60472C9CD328E314A1155841DBAD2E
SHA256: 3390EBE772EAE87BB157E7D5D4753DBE0EC24CCAF57760C54435722A15B88905
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 1
Threats: 2

HTTP requests

No HTTP requests

Connections

PID | Process | IP:Port | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
784 | rutserv.exe | 95.213.205.83:5655 | rms-server.tektonit.ru | OOO Network of data-centers Selectel | RU | unknown

DNS requests

Domain | IP | Reputation
rms-server.tektonit.ru | 95.213.205.83 | unknown

Threats

2 ETPRO signatures available at the full report
Process | Message
rutserv.exe | 04-01-2024_08:36:11:737#T:Error #19 @2
rutserv.exe | MSG_KEEP_ALIVE
rutserv.exe | 04-01-2024_08:36:51:940#T:Msg Size: 104
rutserv.exe | 04-01-2024_08:36:51:940#T:Msg code: 3
rutserv.exe | 04-01-2024_08:36:51:940#T:MSG_KEEP_ALIVE