MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8cea95f9ce9e5cf6dee53eee1b3dcf0a85a80a699575db64869a85636bf1017f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemoteManipulator

Vendor detections: 14

Intelligence 14 IOCs YARA 1 File information Comments

SHA256 hash:	8cea95f9ce9e5cf6dee53eee1b3dcf0a85a80a699575db64869a85636bf1017f
SHA3-384 hash:	462514f75246d347c09577aa7d6c240c5bedf29cc65d9fde29076f93f3ab0eb18142d87672974ed1fd9ccf71b780b827
SHA1 hash:	d6a8d1fb41d56ddb871d979ab6ad1fafcc4a5f06
MD5 hash:	3e45070153f2ffd2c0aa313d2b593407
humanhash:	virginia-arizona-bakerloo-california
File name:	8CEA95F9CE9E5CF6DEE53EEE1B3DCF0A85A80A699575D.exe
Download:	download sample
Signature	RemoteManipulator Create hunting rule
File size:	11'604'136 bytes
First seen:	2022-12-29 14:00:48 UTC
Last seen:	2022-12-29 15:35:52 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	19b321cb7a9ce31c90397152f38b67ea (29 x RemoteManipulator)
ssdeep	196608:slMUmnmOZzGmn4xhCERU2jvomUTc5bw3khB74M90NKsfayjUQ8jF59D9Pr:s/WmozGmsCe3UMYm12NjayT+Frt
TLSH	T111C63327EBD24821D4FA877A49BE5B200B3ABCD94A1797CD1358F0295C77341A8E47CB
TrID	63.4% (.EXE) UPX compressed Win32 Executable (27066/9/6) 10.5% (.EXE) Win32 Executable (generic) (4505/5/1) 7.0% (.MZP) WinArchiver Mountable compressed Archive (3000/1) 4.8% (.EXE) Win16/32 Executable Delphi generic (2072/23) 4.7% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	c4dacabacac0c244 (47 x RemoteManipulator)
Reporter	abuse_ch
Tags:	exe RemoteManipulator signed

Code Signing Certificate

Organisation:	Remote Utilities LLC
Issuer:	Sectigo RSA Code Signing CA
Algorithm:	sha256WithRSAEncryption
Valid from:	2020-08-18T00:00:00Z
Valid to:	2022-08-18T23:59:59Z
Serial number:	aab0e5906afead7b956937974d8016ef
Intelligence:	13 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	cae7c89d5c445a4d774e14192fbcc6bb80658f183cec22da8146317446c33628
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

abuse_ch

RemoteManipulator C2:
106.250.166.45:5683

Intelligence

File Origin

# of uploads :

# of downloads :

209

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

rurat

ID:

File name:

8CEA95F9CE9E5CF6DEE53EEE1B3DCF0A85A80A699575D.exe

Verdict:

Malicious activity

Analysis date:

2022-12-29 14:02:03 UTC

Tags:

rat rurat

Link:

https://app.any.run/tasks/1e2b6753-33e1-424c-b126-6bc4aee15297

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

PUA.Win.Tool.RemoteUtilities-9869515-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Sending a custom TCP request

Launching a service

DNS request

Creating a file in the Windows subdirectories

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

greyware overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/63ad9da1b9b1c173751feab8/reports/80679210-2f84-4e99-b0c4-e27cfae1d8b7/overview

Result

Verdict:

MALICIOUS

Malware family:

Remote Utilities RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/be087633-73c8-4414-9a5b-6d832cc104e1

Result

Threat name:

RMSRemoteAdmin

Detection:

malicious

Classification:

evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1142724

Signature

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8cea95f9ce9e5cf6dee53eee1b3dcf0a85a80a699575db64869a85636bf1017f/

Threat name:

Win32.Trojan.RemoteUtilities

Status:

Malicious

First seen:

2021-12-08 02:58:20 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

8 of 26 (30.77%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=rtvjl6ootzopnxxfh3xbwpopbkc2qctjsv25wzegtkcwg27raf7q._file

Verdict:

malicious

Result

Malware family:

rms

Score:

10/10

Tags:

family:rms rat trojan upx

Link:

https://tria.ge/reports/221229-rbjzjsgd61/

Behaviour

Modifies data under HKEY_USERS

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in System32 directory

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

UPX packed file

RMS

Suspicious use of NtCreateUserProcessOtherParentProcess

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/92ddd2c6-35c4-4d42-8c0b-c996f3fa865f

Unpacked files

SH256 hash:

670d52ccb6dda543da9845d816b5d4a491f797f3a1fa866dfb455caa701e0efc

MD5 hash:

3053f75ebed709325b1899bea30b3513

SHA1 hash:

eb8767119bd58af2e5d2fd0f588335117114fb4e

Link:

https://www.unpac.me/results/def5eab0-f8e2-42b7-b6dc-516d22f38d22/

SH256 hash:

d8fee90690c6912b760d82e1574bff3a098bea776503eff7b6717478cbdb9f29

MD5 hash:

715bdd8677fc7ad5ec0912edc733cc9f

SHA1 hash:

cc9ea296395adaac7b9b21cb34bd8661bf4aa122

Link:

https://www.unpac.me/results/def5eab0-f8e2-42b7-b6dc-516d22f38d22/

SH256 hash:

256bc817a3bce8c72856b382550d063735a56a6c9ea84c9db572418f3da97bf6

MD5 hash:

1ef0c74f0d3b8816dce822ef7b388ca7

SHA1 hash:

9ede7100202a2dc35ded2ff380229d167da888b0

Link:

https://www.unpac.me/results/def5eab0-f8e2-42b7-b6dc-516d22f38d22/

Parent samples :

e1f3bab1feda99d93daa4fd9bba80000aa4231d17d03b79db07b132b8c014c80
8aa2943c4e4286b1f0f6ce6239088e7422d36686682d9faa125d3544fabf601a
af0d834b319c38b0425cee1bd767230825dab51a8c56f8e8c2d3c4683382f628
17f1957752f234a9bda043a5e2e36999a0b40aad118de4b3fe0de84c615a63df

SH256 hash:

9135046e43f96520f21594834ce5a73ac1dcb6bee857207981b16303817747af

MD5 hash:

c8d88ddfb12c58346c547749d3c84f70

SHA1 hash:

65e24331991dbf944d82e7836d6b189626cca062

Link:

https://www.unpac.me/results/def5eab0-f8e2-42b7-b6dc-516d22f38d22/

SH256 hash:

bf2687f833ac763eb0497e43dcee9a1e34d268337d38b347de7cbeae02ce6c7d

MD5 hash:

305d37bb6e5c51191508761cee43f0e0

SHA1 hash:

e934c3f1819e12038cca4669517ea46801c29fe6

Link:

https://www.unpac.me/results/def5eab0-f8e2-42b7-b6dc-516d22f38d22/

SH256 hash:

c13f92f181b6d8b3a44f05f9eb0f6a717f282bfae5f1165812d8521fa67899f7

MD5 hash:

2b29013ed5ab4691b6f155d2d8722dc4

SHA1 hash:

108aef21a9eb9785c382d029b9af11ac3b60be1e

Detections:

win_rms_auto

win_rms_a0

Link:

https://www.unpac.me/results/def5eab0-f8e2-42b7-b6dc-516d22f38d22/

Parent samples :

c8ebec4136a41a11aa96976ce1b5d4b01785ff3ac94b781550cc2e11984c7a2c
1dd15c830c0a159b53ed21b8c2ce1b7e8093256368d7b96c1347c6851ee6c4f6
8cea95f9ce9e5cf6dee53eee1b3dcf0a85a80a699575db64869a85636bf1017f
9aa015a70c717742302931754b245df688db136eefcaf78999f3b451582b8f31
e1f3bab1feda99d93daa4fd9bba80000aa4231d17d03b79db07b132b8c014c80
af0d834b319c38b0425cee1bd767230825dab51a8c56f8e8c2d3c4683382f628

SH256 hash:

609d3d038a499bdd6c3ae0048eac116260956319dad43f6dd0aff9df2a39c5fe

MD5 hash:

038e766836299ae1d2daf54c6f63495c

SHA1 hash:

6cad74290db0a7299acc55cd184dec43d3e49ece

Detections:

win_rms_a0

Link:

https://www.unpac.me/results/def5eab0-f8e2-42b7-b6dc-516d22f38d22/

SH256 hash:

8cea95f9ce9e5cf6dee53eee1b3dcf0a85a80a699575db64869a85636bf1017f

MD5 hash:

3e45070153f2ffd2c0aa313d2b593407

SHA1 hash:

d6a8d1fb41d56ddb871d979ab6ad1fafcc4a5f06

Link:

https://www.unpac.me/results/def5eab0-f8e2-42b7-b6dc-516d22f38d22/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8cea95f9ce9e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/8cea95f9ce9e5cf6dee53eee1b3dcf0a85a80a699575db64869a85636bf1017f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Sectigo_Code_Signed Create hunting rule
Description:	Detects code signed by the Sectigo RSA Code Signing CA
Reference:	https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample