MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac525ea998dae61bdbf7bca8b942867a0fc05cb2a01e5fb0f714991c3bea51fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemoteManipulator


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac525ea998dae61bdbf7bca8b942867a0fc05cb2a01e5fb0f714991c3bea51fa
SHA3-384 hash: 0a1f57644197257cb41c957fee06ffb74f8ab70fe0ce90bd5c249d074f87c566d65ad70c3f0c33b87a93057399bcd994
SHA1 hash: a6785f060e178c97b67c1b270af402ef3af549ee
MD5 hash: 2ad5fadef0fb042d289ae31f95422b01
humanhash: queen-enemy-kentucky-burger
File name:AC525EA998DAE61BDBF7BCA8B942867A0FC05CB2A01E5.exe
Download: download sample
Signature RemoteManipulator
Create hunting rule
File size:6'764'032 bytes
First seen:2021-06-23 22:16:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f6efd063554908d458fed57f134fe734 (1 x RemoteManipulator)
ssdeep 196608:i0vfpomz59uv45srb9sI3ZZQaVt2ZRla+LyIfd:i05ognver5s0QaSJjx
Threatray 8 similar samples on MalwareBazaar
TLSH 5D663380C0EDB8E3D994DB7CEA1DB0603DBF5C7158DEE1AF85687C82E679521249C21B
Reporter abuse_ch
Tags:exe RemoteManipulator


Avatar
abuse_ch
RemoteManipulator C2:
185.175.44.167:563

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.175.44.167:563 https://threatfox.abuse.ch/ioc/152927/

Intelligence

File Origin
# of uploads :
1
# of downloads :
119
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AC525EA998DAE61BDBF7BCA8B942867A0FC05CB2A01E5.exe
Verdict:
No threats detected
Analysis date:
2021-06-23 22:18:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9cb61413-56dd-466b-a65b-aea52be074c6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

PUA.Win.Packer.Exe-6
Create hunting rule

Win.Trojan.RMS-9870689-1
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.RemoteUtilitiesRAT.UNOFFICIAL
Create hunting rule

ditekSHen.MALWARE.Win.Trojan.Bandook.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fbff404a-cd36-48e1-91ba-7bf4b4fb49fe
Result
Threat name:
RMSRemoteAdmin
Create hunting rule
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/806911
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses regedit.exe to modify the Windows registry
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 439322 Sample: AC525EA998DAE61BDBF7BCA8B94... Startdate: 24/06/2021 Architecture: WINDOWS Score: 100 50 Multi AV Scanner detection for domain / URL 2->50 52 Antivirus / Scanner detection for submitted sample 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 2 other signatures 2->56 7 AC525EA998DAE61BDBF7BCA8B942867A0FC05CB2A01E5.exe 31 2->7         started        11 rutserv.exe 2->11         started        14 svchost.exe 9 1 2->14         started        16 4 other processes 2->16 process3 dnsIp4 42 black-rad.pro 7->42 34 C:\Windows\System64\rutserv.exe, PE32 7->34 dropped 36 C:\Windows\System64\rfusclient.exe, PE32 7->36 dropped 38 C:\Windows\System64\vp8encoder.dll, PE32 7->38 dropped 40 C:\Windows\System64\vp8decoder.dll, PE32 7->40 dropped 18 cmd.exe 1 7->18         started        44 rms-server.tektonit.ru 11->44 46 rmansys.ru 31.31.198.18, 49729, 49730, 80 AS-REGRU Russian Federation 11->46 76 Drops executables to the windows directory (C:\Windows) and starts them 11->76 21 rfusclient.exe 11->21         started        23 rfusclient.exe 11->23         started        48 127.0.0.1 unknown unknown 14->48 file5 signatures6 process7 signatures8 58 Uses cmd line tools excessively to alter registry or file data 18->58 60 Drops executables to the windows directory (C:\Windows) and starts them 18->60 62 Uses regedit.exe to modify the Windows registry 18->62 25 rutserv.exe 18->25         started        28 taskkill.exe 1 18->28         started        30 taskkill.exe 1 18->30         started        32 12 other processes 18->32 64 Antivirus detection for dropped file 21->64 66 Multi AV Scanner detection for dropped file 21->66 68 Machine Learning detection for dropped file 21->68 process9 signatures10 70 Multi AV Scanner detection for dropped file 25->70 72 Machine Learning detection for dropped file 25->72 74 Contains functionality to detect sleep reduction / modifications 25->74
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac525ea998dae61bdbf7bca8b942867a0fc05cb2a01e5fb0f714991c3bea51fa/
Threat name:
Win32.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2018-07-23 08:12:44 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vrjf5kmy3ltbxw7xxsulsqugpih4axfsuapf7mhxcsmryo7kkh5a._file
Verdict:
malicious
Similar samples:
03d9290dcdd5510be91d45eedf36f05c4303b5ca770cdd24f48c6111638ebdf2
RemoteManipulator
075ec6ffbc5779e54c73a41b478b0bd6534f6cd5db435b8226d76c50012b267f
RemoteManipulator
118dd258630c48b0beacd8b4c04c9c9cd3b9f698b660b6a904b1dfc033e00cd1
RemoteManipulator
380a0d5b3d5ae9eb9a53cf5bb4fe1737de62020e4f0ec5f56ee601bf8a884d1b
RemoteManipulator
38602e2e2f729e174440339fd1551e133ae03d93e16bbcef8f0b9c8aa1da9b1c
RemoteManipulator
b5961f407c0afef04c9406ba17cbae3fe4cc575b47e50081abbda0d96f9c0f18
RemoteManipulator
c8ebec4136a41a11aa96976ce1b5d4b01785ff3ac94b781550cc2e11984c7a2c
RemoteManipulator
d17d90fd24419ddb868f945754b80e7da8eb570179e2dc867beeb769b7136745
RemoteManipulator
Result
Malware family:
rms
Create hunting rule
Score:
  10/10
Tags:
family:rms rat trojan upx
Link:
https://tria.ge/reports/210623-nbst48jn3n/
Behaviour
Delays execution with timeout.exe
Kills process with taskkill
Runs .reg file with regedit
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Drops file in Windows directory
Loads dropped DLL
Executes dropped EXE
RMS
Unpacked files
SH256 hash:
5d7e9959a82f4263db00eeca029c244ae66c2b0b1372be8814b8689d56495aa1
MD5 hash:
a233a928f58392eeb5535280615ad5a9
SHA1 hash:
564173e0f8d486be53d9983d7e28452da08ea007
Link:
https://www.unpac.me/results/181b04dd-648b-4390-8e0c-543c73b08968/
SH256 hash:
cd9f1ad73f655249ec6b45c94a692ce5e59da3a2eb91083cb7b1c2e28189ba8d
MD5 hash:
66359dd214f44095af78d2f0999e38ad
SHA1 hash:
2c40edfb169ddd7f976c5cc5e7c9dd29b4e723ee
Detections:
win_rms_a0
Create hunting rule
win_rms_auto
Create hunting rule
Link:
https://www.unpac.me/results/181b04dd-648b-4390-8e0c-543c73b08968/
SH256 hash:
300b2d5a1427a0ac69d71a50f42cf2a90f09629f9b75d055a20ebfb51a1babce
MD5 hash:
06fa4691afa36333203624ae7105fc19
SHA1 hash:
e7e59854acbcc980fda902c19e982c1baf04f3d3
Detections:
win_rms_a0
Create hunting rule
win_rms_auto
Create hunting rule
Link:
https://www.unpac.me/results/181b04dd-648b-4390-8e0c-543c73b08968/
SH256 hash:
ac525ea998dae61bdbf7bca8b942867a0fc05cb2a01e5fb0f714991c3bea51fa
MD5 hash:
2ad5fadef0fb042d289ae31f95422b01
SHA1 hash:
a6785f060e178c97b67c1b270af402ef3af549ee
Link:
https://www.unpac.me/results/181b04dd-648b-4390-8e0c-543c73b08968/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ac525ea998dae61bdbf7bca8b942867a0fc05cb2a01e5fb0f714991c3bea51fa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RemoteUtilitiesRAT
Create hunting rule
Author:ditekSHen
Description:RemoteUtilitiesRAT RAT payload
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_rms_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments