{
	"id": "ad7b82bb-ba8a-4987-8cfb-202bc1028ab9",
	"created_at": "2026-04-06T00:10:33.553865Z",
	"updated_at": "2026-04-10T03:25:28.125349Z",
	"deleted_at": null,
	"sha1_hash": "8115c3bf87b79b560bfd6822c93c494f03ca96d9",
	"title": "RTM (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 27214,
	"plain_text": "RTM (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 15:35:20 UTC\r\nRTM Banker, also known as Redaman, was first blogged about in February 2017 by ESET. The malware is written\r\nin Delphi and shows some similarities with Buhtrap (such as the process list). According to ESET, it uses a slightly\r\nmodified version of RC4 to encrypt its strings, network data, configuration and modules.\r\n[TLP:WHITE] win_rtm_auto (20201014 | autogenerated rule brought to you by yara-signator)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.rtm\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.rtm\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.rtm"
	],
	"report_names": [
		"win.rtm"
	],
	"threat_actors": [
		{
			"id": "01d569b1-f089-4a8f-8396-85078b93da26",
			"created_at": "2023-01-06T13:46:38.411615Z",
			"updated_at": "2026-04-10T02:00:02.963422Z",
			"deleted_at": null,
			"main_name": "BuhTrap",
			"aliases": [],
			"source_name": "MISPGALAXY:BuhTrap",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b046db2-f60e-49ae-8e16-0cf82a4be6fb",
			"created_at": "2022-10-25T16:07:23.427162Z",
			"updated_at": "2026-04-10T02:00:04.594113Z",
			"deleted_at": null,
			"main_name": "Buhtrap",
			"aliases": [
				"Buhtrap",
				"Operation TwoBee",
				"Ratopak Spider",
				"UAC-0008"
			],
			"source_name": "ETDA:Buhtrap",
			"tools": [
				"AmmyyRAT",
				"Buhtrap",
				"CottonCastle",
				"FlawedAmmyy",
				"NSIS",
				"Niteris EK",
				"Nullsoft Scriptable Install System",
				"Ratopak"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434233,
	"ts_updated_at": 1775791528,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8115c3bf87b79b560bfd6822c93c494f03ca96d9.pdf",
		"text": "https://archive.orkl.eu/8115c3bf87b79b560bfd6822c93c494f03ca96d9.txt",
		"img": "https://archive.orkl.eu/8115c3bf87b79b560bfd6822c93c494f03ca96d9.jpg"
	}
}