MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8ebec4136a41a11aa96976ce1b5d4b01785ff3ac94b781550cc2e11984c7a2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemoteManipulator


Vendor detections: 9



SHA256 hash: c8ebec4136a41a11aa96976ce1b5d4b01785ff3ac94b781550cc2e11984c7a2c
SHA3-384 hash: fc1dbbd497cbf58a2f6c9421c8d7d221653d12306f28fa3255dd200a252ea1c16cc6e25657b344a883427209b3e058f4
SHA1 hash: 040837f030572bbad6ee8086ce0d5c94a14bcfd4
MD5 hash: 516fa42131ea944681b66d6373769edf
humanhash: blossom-winter-red-carolina
File name: C8EBEC4136A41A11AA96976CE1B5D4B01785FF3AC94B7.exe
Download: download sample
Signature: RemoteManipulator
File size: 14'270'960 bytes
First seen: 2021-04-26 15:56:46 UTC
Last seen: 2021-04-26 16:51:04 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: a2adaf9422c8d5596ce912860ce76592 (5 x RemoteManipulator)
ssdeep: 196608:KNKV1CTNE4pzVzxyY3ZjIgngBw9NcpW9fP5mI3TO6xRkfZUW/7ZgHHRD:KNKV1nBIZjKBwNssIiCZbgB
Threatray: 26 similar samples on MalwareBazaar
TLSH: 9CE60222FB84A93DC4AF1A3A4877861C593B7E5166038F4B77F47C0C8E355807A7E686
Reporter: abuse_ch
Tags: exe RemoteManipulator


abuse_ch
RemoteManipulator C2:
112.220.118.66:5655

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                   ThreatFox Reference
112.220.118.66:5655   https://threatfox.abuse.ch/ioc/10208/

Intelligence


File Origin
# of uploads: 2
# of downloads: 204
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: C8EBEC4136A41A11AA96976CE1B5D4B01785FF3AC94B7.exe
Verdict: Malicious activity
Analysis date: 2021-04-26 15:59:52 UTC
Tags: rat rurat

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Sending a UDP request
Launching a service
DNS request
Sending a custom TCP request
Creating a file in the Windows subdirectories
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RMSRemoteAdmin
Detection: malicious
Classification: evad
Score: 52 / 100
Signature
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Threat name: Win32.Trojan.RemoteUtilities
Status: Malicious
First seen: 2021-04-25 00:50:19 UTC
AV detection: 12 of 29 (41.38%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:rms rat trojan
Behaviour
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
RMS
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SHA256 hash: 670d52ccb6dda543da9845d816b5d4a491f797f3a1fa866dfb455caa701e0efc
MD5 hash: 3053f75ebed709325b1899bea30b3513
SHA1 hash: eb8767119bd58af2e5d2fd0f588335117114fb4e
SHA256 hash: d8fee90690c6912b760d82e1574bff3a098bea776503eff7b6717478cbdb9f29
MD5 hash: 715bdd8677fc7ad5ec0912edc733cc9f
SHA1 hash: cc9ea296395adaac7b9b21cb34bd8661bf4aa122
SHA256 hash: 9135046e43f96520f21594834ce5a73ac1dcb6bee857207981b16303817747af
MD5 hash: c8d88ddfb12c58346c547749d3c84f70
SHA1 hash: 65e24331991dbf944d82e7836d6b189626cca062
SHA256 hash: 34df39086924d7211b5641133d3c8a22736462264773e2d190b7008a09335a44
MD5 hash: d3a377fddf028d24b5d813b22115f343
SHA1 hash: 4770bf47e274428430b41cffa59f40472761e58e
Detections: win_rms_a0
SHA256 hash: c8ebec4136a41a11aa96976ce1b5d4b01785ff3ac94b781550cc2e11984c7a2c
MD5 hash: 516fa42131ea944681b66d6373769edf
SHA1 hash: 040837f030572bbad6ee8086ce0d5c94a14bcfd4
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments



a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-26 16:09:07 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
1) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
2) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection
3) [B0012.001] Anti-Static Analysis::Argument Obfuscation
4) [F0002.002] Collection::Polling
6) [C0027.002] Cryptography Micro-objective::Blowfish::Encrypt Data
7) [C0027.006] Cryptography Micro-objective::HC-128::Encrypt Data
8) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
9) [C0028.002] Cryptography Micro-objective::RC4 KSA::Encryption Key
10) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
11) [C0021] Cryptography Micro-objective::Generate Pseudo-random Sequence
12) [C0019] Data Micro-objective::Check String
13) [C0032.001] Data Micro-objective::CRC32::Checksum
14) [C0060] Data Micro-objective::Compression Library
15) [C0026.001] Data Micro-objective::Base64::Encode Data
16) [C0026.002] Data Micro-objective::XOR::Encode Data
19) [C0046] File System Micro-objective::Create Directory
20) [C0048] File System Micro-objective::Delete Directory
21) [C0047] File System Micro-objective::Delete File
22) [C0049] File System Micro-objective::Get File Attributes
23) [C0051] File System Micro-objective::Read File
24) [C0050] File System Micro-objective::Set File Attributes
25) [C0052] File System Micro-objective::Writes File
26) [E1510] Impact::Clipboard Modification
27) [C0007] Memory Micro-objective::Allocate Memory
28) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
29) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
30) [C0036.007] Operating System Micro-objective::Delete Registry Value::Registry
31) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
32) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
33) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
34) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
35) [C0017] Process Micro-objective::Create Process
36) [C0038] Process Micro-objective::Create Thread
37) [C0054] Process Micro-objective::Resume Thread
38) [C0041] Process Micro-objective::Set Thread Local Storage Value
39) [C0055] Process Micro-objective::Suspend Thread
40) [C0018] Process Micro-objective::Terminate Process