{
	"id": "d2407ee4-9254-4375-b884-524b1a401e5b",
	"created_at": "2026-05-01T03:09:07.022107Z",
	"updated_at": "2026-05-01T03:10:50.562324Z",
	"deleted_at": null,
	"sha1_hash": "410a046ac99e083d01b7b1b4c4528429800641b4",
	"title": "Following the RTM",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 833493,
	"plain_text": "Following the RTM\r\nArchived: 2026-05-01 02:25:18 UTC\r\nWhere did it all start?\r\nResearchers became aware of the activities of the RTM group in December 2015. Since then, phishing emails distributing the trojan have been sent to potential victims with admirable persistence.\r\nFrom September to December 2018 the RTM group sent out more than 11,000 malicious emails. The cybercriminals, however, are not going to stop there, as evidenced by the new malicious campaigns that we track as part of our ongoing threat intelligence activities.\r\nIn this article, I am going to show how to perform forensic analysis of an image of a computer infected with the RTM banking trojan.\r\nRequired background\r\nLet’s imagine that we are not aware of the RTM infection on the computer. The only evidence we have is the fact of compromise, which resulted in a theft of funds. This will make the analysis process more interesting and applicable to other cases as well. I would also like to draw your attention to the fact that in this article I will not focus on reverse engineering of the trojan.\r\nSo, all we have is a computer drive image in E01 format (EnCase Image File Format). For a start, it would be good to know what is inside, at least the operating system, since it is the operating system and its version that determine the presence of certain forensic artefacts that we have to analyse.\r\n1. Let’s use the mmls utility from Brian Carrier’s Sleuth Kit:\r\nLet’s see what we have here. Several NTFS partitions that look like Windows partitions. We need to be sure of that. Let’s try to find registry files, such as SOFTWARE, for example.\r\nhttps://www.group-ib.com/blog/rtm\r\nPage 1 of 5\r\n2. Let’s use the fls (from Sleuth Kit) and findstr utilities to find the corresponding entry number in the master file table (MFT):\r\nNow we can copy the file we need for further analysis using icat (from Sleuth Kit):\r\nicat -o 718848 E:\\RTM.E01 234782 \u003e SOFTWARE\r\nWe have a SOFTWARE registry file from which we can extract the most relevant information using Harlan Carvey’s RegRipper, for example. At the moment, we are interested in the contents of the Microsoft\\Windows NT\\CurrentVersion section:\r\nWe now know that the computer in question ran Windows 7 Professional SP1, which means that we know what forensic artefacts we may encounter and which ones we may need.\r\nWhere do we begin our search? Let’s recall Jesse Kornblum’s paradox: “Malware can hide, but it must run”. A good start will be to look for potential persistence mechanisms that can be used by the malware to restart after reboot.\r\nLet’s start with simple things: we will take the NTUSER.DAT registry file with the latest modification date from the user directory (C:\\Users\\%username%\\), and extract data from it using RegRipper. If we want to get the record number of the file we need by means of fls and findstr again, we should add the -p parameter for fls — this will allow the utility to display the full paths to the files. Why do we need that? There is an NTUSER.DAT file in each user’s directory, while there is only one SOFTWARE for the entire system, so in this case it is important to get the record number of a particular file. In general, you do not have to stick to the Sleuth Kit at all; there are more convenient tools like FTK Imager, a free tool, which can be used not only to create forensic images, but also to examine their contents.\r\nLet’s start with low-hanging fruit, the so-called run keys:\r\nThe partition was last modified on November 7th, and we see that when a user logs in, the apg.exe file is executed from a very suspicious location. Let’s see what else we can find in the b7mg81 directory:\r\nTeamViewer? That is interesting. Let’s take a closer look at apg.exe and use PPEE:\r\nThis looks like TeamViewer and is signed as TeamViewer, so does this mean it indeed is TeamViewer? Seems so, but it’s not that simple. Let’s take a look at the import table:\r\nRight, msi.dll — a file we have already seen somewhere. This is still the b7mg81 directory, not C:\\Windows\\System32. Judging by the file’s size, it has nothing to do with the original msi.dll, so it is clearly DLL Search Order Hijacking. The operating system starts searching for the necessary libraries from the current directory, which means that instead of the legitimate msi.dll, the one located in b7mg81 will be loaded.\r\nAnother interesting file is TeamViewer.ini:\r\nHere we see anti-forensics: according to the configuration file, our “TeamViewer” did not keep any logs, and was apparently used as a RAT (Remote Access Trojan). Well, not bad. It is time to find out if it ever started at all.\r\nThere are quite a lot of artefacts in Windows that can indicate that executable files have been run. Let’s keep working with the registry, this time with the SYSTEM file. To extract data from it, you can use RegRipper again. We are interested in ControlSet001\\Control\\Session Manager\\AppCompatCache. Here we will find a list of executable files with paths to them, the dates when they were last modified (according to the $STANDARD_INFORMATION attribute), and a flag indicating whether the file was launched or not:\r\nSource: https://www.group-ib.com/blog/rtm",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.group-ib.com/blog/rtm"
	],
	"report_names": [
		"rtm"
	],
	"threat_actors": [],
	"ts_created_at": 1777604947,
	"ts_updated_at": 1777605050,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/410a046ac99e083d01b7b1b4c4528429800641b4.pdf",
		"text": "https://archive.orkl.eu/410a046ac99e083d01b7b1b4c4528429800641b4.txt",
		"img": "https://archive.orkl.eu/410a046ac99e083d01b7b1b4c4528429800641b4.jpg"
	}
}