MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19d1d20f580914efbf1f300e65ee1f9e6ff771fc3d061a5549443ffcf77f252a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemoteManipulator

Vendor detections: 10

Intelligence 10 IOCs 1 YARA File information Comments

SHA256 hash:	19d1d20f580914efbf1f300e65ee1f9e6ff771fc3d061a5549443ffcf77f252a
SHA3-384 hash:	1417c8f77af2dfade72dc321c6d539f9219cca5804b0d89ed3fd92ef710503c4ab4f90f5d6b6f4000b3d9b7d1e1ad64e
SHA1 hash:	0dd5c5623b808abb7a52d9b8fe3eb13749ffeb17
MD5 hash:	1c652681df1e57e8e4c45f0e37c069cb
humanhash:	salami-mountain-idaho-floor
File name:	19D1D20F580914EFBF1F300E65EE1F9E6FF771FC3D061.exe
Download:	download sample
Signature	RemoteManipulator Create hunting rule
File size:	11'593'200 bytes
First seen:	2021-08-03 00:11:00 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	19b321cb7a9ce31c90397152f38b67ea (29 x RemoteManipulator)
ssdeep	196608:6lMILtQQsddPuzjKR8DeUQ8AcSkY+ZbFL9LszKTd0ypCU3oj5gtN:6tLt8ZujLZQE5YGZLs074Un
Threatray	28 similar samples on MalwareBazaar
TLSH	T154C63347FBE18824E4FB4BBA0DBE5B14073BBC9A6613878A0355B12D4D7734199B038B
dhash icon	c4dacabacac0c244 (47 x RemoteManipulator)
Reporter	abuse_ch
Tags:	exe RemoteManipulator

abuse_ch

RemoteManipulator C2:
209.66.104.126:5655

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
209.66.104.126:5655	https://threatfox.abuse.ch/ioc/165487/

Intelligence

File Origin

# of uploads :

# of downloads :

130

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

19D1D20F580914EFBF1F300E65EE1F9E6FF771FC3D061.exe

Verdict:

Malicious activity

Analysis date:

2021-08-03 00:12:32 UTC

Tags:

rat rurat

Link:

https://app.any.run/tasks/98455eca-f014-4a60-825e-08f6bd0a9b7f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RemoteUtilitiesRAT

Link:

https://www.capesandbox.com/analysis/175903/

Detection(s):

PUA.Win.Packer.Upolyx-12

PUA.Win.Packer.Upx-4

PUA.Win.Packer.Exe-6

PUA.Win.Tool.RemoteUtilities-9869515-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Launching a service

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the Windows subdirectories

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/57b13427-c013-431f-b90e-4119a233c144

Result

Threat name:

RMSRemoteAdmin

Detection:

suspicious

Classification:

evad

Score:

30 / 100

Link:

https://www.joesandbox.com/analysis/825794

Signature

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/19d1d20f580914efbf1f300e65ee1f9e6ff771fc3d061a5549443ffcf77f252a/

Threat name:

Win32.Trojan.RemoteUtilities

Status:

Malicious

First seen:

2021-02-22 03:33:46 UTC

AV detection:

10 of 28 (35.71%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dhi5ed2ybeko7py7gahgl3q7tzx7o4p4hudbuvkjiq77z537euva._file

Verdict:

malicious

RemoteManipulator

4de20c5375b9f484f3c764bc62721329813692e6441060fa1674ecec0f13584b

RemoteManipulator

5312214b15330113f6eab71565e1e3c7d1ee3b59daa6703c271aaf3b192e6809

RemoteManipulator

6c8a5f43e07034d0545c60c137f96c6ab8da44cfd59a8654896c8f6c497aefad

RemoteManipulator

7cebce024d5351e0179898fffce2628756bdcd33f9ce3833f922f1265b6e5f73

RemoteManipulator

8fba783fb93013344dd2182721a3b1a3fbc96b7b8c49ad4b364c63a0f2b11496

RemoteManipulator

a5f7b339a431830ce2cc5826dd2ed3099497089277397beb6e425e5e15935e63

RemoteManipulator

c8ebec4136a41a11aa96976ce1b5d4b01785ff3ac94b781550cc2e11984c7a2c

RemoteManipulator

ed20ff85f5df587140e0780e16a5eb28df94e1b6330c8256de39d94b5a772e83

RemoteManipulator

+ 18 additional samples on MalwareBazaar

Result

Malware family:

rms

Score:

10/10

Tags:

family:rms rat trojan upx

Link:

https://tria.ge/reports/210803-a8af87zf5x/

Behaviour

Modifies data under HKEY_USERS

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in System32 directory

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

RMS

Suspicious use of NtCreateUserProcessOtherParentProcess

Unpacked files

SH256 hash:

c63fcc1c0454e99c4d2f0dc0407a4153ea5d2f32e707f25b64f93ef6d64368fa

MD5 hash:

e7f6ad3a5f00eb928e5bd01f84d3cacc

SHA1 hash:

f31d091df9979f33f7e6720a8c4fc89a6fae11b7

Link:

https://www.unpac.me/results/b5a22e7c-6070-4e23-83f7-15e5129edf1b/

SH256 hash:

d8fee90690c6912b760d82e1574bff3a098bea776503eff7b6717478cbdb9f29

MD5 hash:

715bdd8677fc7ad5ec0912edc733cc9f

SHA1 hash:

cc9ea296395adaac7b9b21cb34bd8661bf4aa122

Link:

https://www.unpac.me/results/b5a22e7c-6070-4e23-83f7-15e5129edf1b/

SH256 hash:

256bc817a3bce8c72856b382550d063735a56a6c9ea84c9db572418f3da97bf6

MD5 hash:

1ef0c74f0d3b8816dce822ef7b388ca7

SHA1 hash:

9ede7100202a2dc35ded2ff380229d167da888b0

Link:

https://www.unpac.me/results/b5a22e7c-6070-4e23-83f7-15e5129edf1b/

Parent samples :

e1f3bab1feda99d93daa4fd9bba80000aa4231d17d03b79db07b132b8c014c80
8aa2943c4e4286b1f0f6ce6239088e7422d36686682d9faa125d3544fabf601a
af0d834b319c38b0425cee1bd767230825dab51a8c56f8e8c2d3c4683382f628
17f1957752f234a9bda043a5e2e36999a0b40aad118de4b3fe0de84c615a63df

SH256 hash:

9135046e43f96520f21594834ce5a73ac1dcb6bee857207981b16303817747af

MD5 hash:

c8d88ddfb12c58346c547749d3c84f70

SHA1 hash:

65e24331991dbf944d82e7836d6b189626cca062

Link:

https://www.unpac.me/results/b5a22e7c-6070-4e23-83f7-15e5129edf1b/

SH256 hash:

4362e62ad6f87529b654e32272fcce35829a6ff769e240120de7fc382d5d7ee2

MD5 hash:

9eeba047a2d40dcdbe5ce6d31b4ec760

SHA1 hash:

6bb0db6b1b06c018523db4de51e7ba6ed16baf5d

Link:

https://www.unpac.me/results/b5a22e7c-6070-4e23-83f7-15e5129edf1b/

SH256 hash:

18a32745e65f2ee41e8162998cb316d11e52b765552803a60320a77accbf4a97

MD5 hash:

f5a9ee7b735fbb193f8708c595f37d66

SHA1 hash:

1b769ad97990fe2bb6af00227edbf78f9ffe7d85

Detections:

win_rms_a0

win_rms_auto

Link:

https://www.unpac.me/results/b5a22e7c-6070-4e23-83f7-15e5129edf1b/

SH256 hash:

cea6cac0dc3c58cbf579f707374b1b713b138fbb4dc48317cf8499a9f99e4acd

MD5 hash:

fff8e8815c8f1fe9f0e6a0a8ba519ec6

SHA1 hash:

5c03a4f1890a033bd9b08babb6e1a32c5a309eb2

Detections:

win_rms_a0

Link:

https://www.unpac.me/results/b5a22e7c-6070-4e23-83f7-15e5129edf1b/

SH256 hash:

19d1d20f580914efbf1f300e65ee1f9e6ff771fc3d061a5549443ffcf77f252a

MD5 hash:

1c652681df1e57e8e4c45f0e37c069cb

SHA1 hash:

0dd5c5623b808abb7a52d9b8fe3eb13749ffeb17

Link:

https://www.unpac.me/results/b5a22e7c-6070-4e23-83f7-15e5129edf1b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/19d1d20f580914efbf1f300e65ee1f9e6ff771fc3d061a5549443ffcf77f252a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/175903/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample