MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8aa2943c4e4286b1f0f6ce6239088e7422d36686682d9faa125d3544fabf601a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemoteManipulator


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 22 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8aa2943c4e4286b1f0f6ce6239088e7422d36686682d9faa125d3544fabf601a
SHA3-384 hash: e2753032cffb130734e8d09cb2a715a8ab27e91cb32f46bf134d3d8317128cc68facd2b2c2c561bfc792f832675d518f
SHA1 hash: 010f1c034c9c14ed361197e562d381ac081620c2
MD5 hash: 09dd4b86d02519bb38c6ffbba0880450
humanhash: robin-idaho-idaho-alabama
File name:09dd4b86d02519bb38c6ffbba0880450.exe
Download: download sample
Signature RemoteManipulator
Create hunting rule
File size:14'796'272 bytes
First seen:2025-06-11 03:35:22 UTC
Last seen:2025-06-11 16:35:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 873ea256ef620504d7604692c6cb95c5 (1 x RemoteManipulator)
ssdeep 196608:EEukhYEhtidWz6NCHmSxBScJ5oP+fbQDXJA+IQ8UT9K0xo/yscp+OCzv:3hUnsGSxBSs5rfbQDJrBpK0xo/Amv
TLSH T105E60222F785753EC4AF1E3648778618993BBF516E038D5B33F4680C8E366817A3B646
TrID 64.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
16.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.9% (.EXE) Win32 Executable (generic) (4504/4/1)
3.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
3.1% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon c4dacabacac0c244 (47 x RemoteManipulator)
Reporter abuse_ch
Tags:exe RemoteManipulator


Avatar
abuse_ch
RemoteManipulator C2:
147.253.132.187:5655

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
147.253.132.187:5655 https://threatfox.abuse.ch/ioc/1543727/

Intelligence

File Origin
# of uploads :
4
# of downloads :
580
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
rms
Create hunting rule
ID:
1
File name:
09dd4b86d02519bb38c6ffbba0880450.exe
Verdict:
Malicious activity
Analysis date:
2025-06-11 03:36:27 UTC
Tags:
rms rat rurat auto-reg delphi
Link:
https://app.any.run/tasks/094c6f0d-27ac-4682-bc9c-3086afeef955

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RemoteUtilitiesRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/8874/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6848f9dc8bd5d68a12e79e60
Tags:
delphi trojan spawn remo
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a service
DNS request
Connection attempt
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context embarcadero_delphi fingerprint keylogger overlay packed packed packer_detected remoteadmin
Link:
https://www.filescan.io/uploads/6848f9e8171e01f9593c7414/reports/969a0f1a-ef8c-4239-8f4d-b3cc77876793/overview
Verdict:
Malicious
Labled as:
RiskWare[RemoteAdmin]/RemoteUtilities
Link:
https://www.hybrid-analysis.com/sample/8aa2943c4e4286b1f0f6ce6239088e7422d36686682d9faa125d3544fabf601a
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/478fbc4f-c836-4e4c-a3ca-fe96f76f8277
Result
Threat name:
RMSRemoteAdmin
Create hunting rule
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1711825
Signature
Antivirus / Scanner detection for submitted sample
Detected unpacking (overwrites its own PE header)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
Score:
84%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8aa2943c4e4286b1f0f6ce6239088e7422d36686682d9faa125d3544fabf601a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8aa2943c4e4286b1f0f6ce6239088e7422d36686682d9faa125d3544fabf601a/
Threat name:
Win32.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2019-04-20 04:21:13 UTC
File Type:
PE (Exe)
Extracted files:
36
AV detection:
18 of 36 (50.00%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rkrjipcoikdld4hwzzrdsceooqrngzugnawz7kqslu2uj6v7mana._file
Result
Malware family:
rms
Create hunting rule
Score:
  10/10
Tags:
family:rms discovery persistence rat trojan
Link:
https://tria.ge/reports/250611-d6jelsfk81/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
RMS
Rms family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0166418a-dd19-43b2-8dee-ad93db42e002
Unpacked files
SH256 hash:
8aa2943c4e4286b1f0f6ce6239088e7422d36686682d9faa125d3544fabf601a
MD5 hash:
09dd4b86d02519bb38c6ffbba0880450
SHA1 hash:
010f1c034c9c14ed361197e562d381ac081620c2
Link:
https://www.unpac.me/results/4c2d7c51-7248-47c7-9d82-ac641ff4b1bc/
SH256 hash:
7f1237b7b6067c6a80d8b6a8ac3c0a739e4132b299adbf074fe6e3bf74c447dd
MD5 hash:
c0dfa4ac059d0419de2cf9118d5f988f
SHA1 hash:
fe22a95285a11880f2e58dfe4b84cf4e86cb2cd5
Detections:
win_rms_a0
Create hunting rule
MALWARE_Win_RemoteUtilitiesRAT
Create hunting rule
Link:
https://www.unpac.me/results/4c2d7c51-7248-47c7-9d82-ac641ff4b1bc/
SH256 hash:
130a2506bd6de9400a8cf7601614c00f304916a718331281bef334e21e98f38f
MD5 hash:
fcd360238ae7c4d03279835c77ec24dc
SHA1 hash:
d6a4ac67765d0c587d70b7d18c94f05b19b102fe
Detections:
win_rms_auto
Create hunting rule
win_rms_a0
Create hunting rule
MALWARE_Win_RemoteUtilitiesRAT
Create hunting rule
Link:
https://www.unpac.me/results/4c2d7c51-7248-47c7-9d82-ac641ff4b1bc/
SH256 hash:
9135046e43f96520f21594834ce5a73ac1dcb6bee857207981b16303817747af
MD5 hash:
c8d88ddfb12c58346c547749d3c84f70
SHA1 hash:
65e24331991dbf944d82e7836d6b189626cca062
Link:
https://www.unpac.me/results/4c2d7c51-7248-47c7-9d82-ac641ff4b1bc/
SH256 hash:
256bc817a3bce8c72856b382550d063735a56a6c9ea84c9db572418f3da97bf6
MD5 hash:
1ef0c74f0d3b8816dce822ef7b388ca7
SHA1 hash:
9ede7100202a2dc35ded2ff380229d167da888b0
Detections:
win_samsam_auto
Create hunting rule
Link:
https://www.unpac.me/results/4c2d7c51-7248-47c7-9d82-ac641ff4b1bc/
Parent samples :
e1f3bab1feda99d93daa4fd9bba80000aa4231d17d03b79db07b132b8c014c80
8aa2943c4e4286b1f0f6ce6239088e7422d36686682d9faa125d3544fabf601a
af0d834b319c38b0425cee1bd767230825dab51a8c56f8e8c2d3c4683382f628
17f1957752f234a9bda043a5e2e36999a0b40aad118de4b3fe0de84c615a63df
SH256 hash:
d8fee90690c6912b760d82e1574bff3a098bea776503eff7b6717478cbdb9f29
MD5 hash:
715bdd8677fc7ad5ec0912edc733cc9f
SHA1 hash:
cc9ea296395adaac7b9b21cb34bd8661bf4aa122
Link:
https://www.unpac.me/results/4c2d7c51-7248-47c7-9d82-ac641ff4b1bc/
SH256 hash:
c63fcc1c0454e99c4d2f0dc0407a4153ea5d2f32e707f25b64f93ef6d64368fa
MD5 hash:
e7f6ad3a5f00eb928e5bd01f84d3cacc
SHA1 hash:
f31d091df9979f33f7e6720a8c4fc89a6fae11b7
Link:
https://www.unpac.me/results/4c2d7c51-7248-47c7-9d82-ac641ff4b1bc/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8aa2943c4e42/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8aa2943c4e4286b1f0f6ce6239088e7422d36686682d9faa125d3544fabf601a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:HUNTING_SUSP_TLS_SECTION
Create hunting rule
Author:chaosphere
Description:Detect PE files with .tls section that can be used for anti-debugging
Reference:Practical Malware Analysis - Chapter 16
Rule name:MALWARE_Win_RemoteUtilitiesRAT
Create hunting rule
Author:ditekSHen
Description:RemoteUtilitiesRAT RAT payload
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:possible_trojan_banker
Create hunting rule
Author:@johnk3r
Description:Detects common strings, DLL and API in Banker_BR
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Trojan_Remotemanipulator_9ec52153
Create hunting rule
Author:Elastic Security
Rule name:win_rms_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_urls
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the presence of an or several urls
Reference:http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/8874/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
MULTIMEDIA_APICan Play Multimediagdi32.dll::StretchDIBits
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteW
shell32.dll::ShellExecuteExW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.DLL::CreateProcessW
KERNEL32.DLL::OpenProcess
KERNEL32.DLL::CloseHandle
KERNEL32.DLL::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::TerminateProcess
KERNEL32.DLL::LoadLibraryA
KERNEL32.DLL::LoadLibraryExW
KERNEL32.DLL::LoadLibraryW
KERNEL32.DLL::GetDriveTypeW
KERNEL32.DLL::GetVolumeInformationW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.DLL::GetConsoleOutputCP
KERNEL32.DLL::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.DLL::CreateDirectoryW
KERNEL32.DLL::CreateFileW
KERNEL32.DLL::CreateFileMappingW
KERNEL32.DLL::DeleteFileW
KERNEL32.DLL::GetFileAttributesW
KERNEL32.DLL::FindFirstFileW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.DLL::QueryDosDeviceW
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegConnectRegistryW
advapi32.dll::RegCreateKeyExW
advapi32.dll::RegDeleteKeyW
advapi32.dll::RegLoadKeyW
advapi32.dll::RegOpenKeyExW
advapi32.dll::RegOpenKeyExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::EmptyClipboard
user32.dll::FindWindowExW
user32.dll::FindWindowW
user32.dll::OpenClipboard

Comments