MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01469064718c89b6853365f1c7008c72ccd6a1ecb88a52cfcf82880e39dd0358. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemoteManipulator


Vendor detections: 7


Intelligence 7 IOCs 1 YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 01469064718c89b6853365f1c7008c72ccd6a1ecb88a52cfcf82880e39dd0358
SHA3-384 hash: b290d1ea8a57df8fc36e06d7422b9ee3eb01176e47df0435320474e712bbb27790783d5c175af89c635e7230627a68c9
SHA1 hash: 2e72856da91bde014732628119407d637c97a283
MD5 hash: 1e949d5238fbf2ade45c91bb54de22ea
humanhash: kilo-bulldog-wisconsin-lactose
File name:1e949d5238fbf2ade45c91bb54de22ea.exe
Download: download sample
Signature RemoteManipulator
Create hunting rule
File size:605'168 bytes
First seen:2021-04-08 06:50:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash caa5e6a2892587c2324418efee31c648 (9 x RedLineStealer, 1 x RemoteManipulator, 1 x RaccoonStealer)
ssdeep 6144:Mmrb/itFCWlItHUvApF2RFj9ChhPRA1xI05Wq8nWmnxa6Trtvdxo1HdP9vYc7R56:n7iuUvUF2JcpqcqqWmomtVK19Pqcl5e
Threatray 13 similar samples on MalwareBazaar
TLSH DAD46CEB578C4487C03E4ABE606BA12B1D8AEC619D12C4475DEFFB179E39C4348ED462
Reporter abuse_ch
Tags:exe RemoteManipulator signed

Code Signing Certificate

Organisation:Google LLC
Issuer:DigiCert SHA2 Assured ID Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2018-11-07T00:00:00Z
Valid to:2021-11-17T12:00:00Z
Serial number: 0c15be4a15bb0903c901b1d6c265302f
Intelligence: 7 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 3ca4fc0489e3e25b1a6a8514a9486b257fd8b80b9f3181af20a34fa9ef5ab282
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
RemoteManipulator C2:
194.169.163.42:5655

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
194.169.163.42:5655 https://threatfox.abuse.ch/ioc/7290/

Intelligence

File Origin
# of uploads :
1
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1e949d5238fbf2ade45c91bb54de22ea.exe
Verdict:
No threats detected
Analysis date:
2021-04-08 08:45:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d2e2bf20-ac20-4381-ba61-7ae06fbadba7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/133035/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46028855.18637.6764.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Creating a file in the %AppData% directory
Creating a process from a recently created file
Sending a UDP request
Connecting to a non-recommended domain
Sending an HTTP POST request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Launching a process
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RMSRemoteAdmin
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/669629
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Detected unpacking (changes PE section rights)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample or dropped binary is a compiled AutoHotkey binary
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses regedit.exe to modify the Windows registry
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 383740 Sample: ikoAImKWvI.exe Startdate: 08/04/2021 Architecture: WINDOWS Score: 100 94 zen.hldns.ru 2->94 124 Multi AV Scanner detection for dropped file 2->124 126 Multi AV Scanner detection for submitted file 2->126 128 .NET source code contains potential unpacker 2->128 130 3 other signatures 2->130 15 ikoAImKWvI.exe 14 2->15         started        20 svchost.exe 1 2->20         started        22 svchost.exe 1 2->22         started        24 2 other processes 2->24 signatures3 process4 dnsIp5 106 iplogger.org 88.99.66.31, 443, 49726, 49766 HETZNER-ASDE Germany 15->106 108 is.gd 104.25.233.53, 443, 49727 CLOUDFLARENETUS United States 15->108 110 3 other IPs or domains 15->110 66 C:\Users\user\AppData\...\updachrome.exe, PE32 15->66 dropped 120 Detected unpacking (changes PE section rights) 15->120 122 Sample or dropped binary is a compiled AutoHotkey binary 15->122 26 updachrome.exe 3 15->26         started        file6 signatures7 process8 file9 76 C:\Users\user\AppData\...\updachrome.exe.log, ASCII 26->76 dropped 134 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 26->134 136 Performs DNS queries to domains with low reputation 26->136 138 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 26->138 140 Injects a PE file into a foreign processes 26->140 30 updachrome.exe 17 40 26->30         started        signatures10 process11 dnsIp12 100 panenewak.xyz 5.149.255.204, 49743, 49747, 49753 HZ-NL-ASGB United Kingdom 30->100 102 52.216.145.163, 443, 49758 AMAZON-02US United States 30->102 104 5 other IPs or domains 30->104 88 C:\Users\user\AppData\Local\Temp\servs.exe, PE32 30->88 dropped 112 Tries to harvest and steal browser information (history, passwords, etc) 30->112 114 Tries to steal Crypto Currency Wallets 30->114 35 servs.exe 2 30->35         started        38 iexplore.exe 1 74 30->38         started        file13 signatures14 process15 dnsIp16 68 C:\Users\user\AppData\Local\...\servs.tmp, PE32 35->68 dropped 41 servs.tmp 35->41         started        96 iplogger.org 38->96 44 iexplore.exe 38->44         started        file17 process18 dnsIp19 70 C:\ProgramData\is-MIDTV.tmp, PE32+ 41->70 dropped 72 C:\ProgramData\is-8U390.tmp, PE32 41->72 dropped 74 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 41->74 dropped 47 cmd.exe 41->47         started        98 iplogger.org 44->98 file20 process21 file22 90 C:\...\PasswordOnWakeSettingFlyout.exe, PE32+ 47->90 dropped 92 C:\Windows \System32\uxtheme.dll, PE32+ 47->92 dropped 116 Drops executables to the windows directory (C:\Windows) and starts them 47->116 118 Uses regedit.exe to modify the Windows registry 47->118 51 PasswordOnWakeSettingFlyout.exe 47->51         started        53 conhost.exe 47->53         started        56 timeout.exe 47->56         started        signatures23 process24 signatures25 58 pass.exe 51->58         started        132 DLL side loading technique detected 53->132 process26 file27 78 C:\Users\user\AppData\Local\Temp\...\pass.tmp, PE32 58->78 dropped 61 pass.tmp 58->61         started        process28 file29 80 C:\ProgramData\Immunity\is-EF0LO.tmp, PE32 61->80 dropped 82 C:\ProgramData\Immunity\is-1O6IK.tmp, PE32 61->82 dropped 84 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 61->84 dropped 86 3 other files (none is malicious) 61->86 dropped 64 cmd.exe 61->64         started        process30
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/01469064718c89b6853365f1c7008c72ccd6a1ecb88a52cfcf82880e39dd0358/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-05 16:11:18 UTC
File Type:
PE+ (Exe)
Extracted files:
54
AV detection:
18 of 48 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=afdjazdrrse3nbjtmxy4oaemolgnnipmxcffft6pqkea4oo5anma._file
Verdict:
malicious
Similar samples:
0824ce63c361616ff51da5dec25763aa14cf57b579416617e3b3390fe11c9ae1
RemoteManipulator
0cd1346813ea66e5ecb353180f0f01d9b2e53b230ccb5aece10e4366d632df25
RemoteManipulator
1be887ab809f4d5f443d78ee02427954aaf63365be283fec335902ac48ba4445
RemoteManipulator
2984d41816d24e4f00f4aabead77f558d25134f70099d0da610adcefce82126c
RemoteManipulator
689ca59de6d01b808fa447086aefd829f18f5b628c279148220188ab95e66cf1
RemoteManipulator
6dda990d8073fee71cedeabd622f6d7a9be6fb2e696bda71e7b709f1c08f5e36
RemoteManipulator
c1fe973ec51d405df053a593909e50a2f6929e95966557e0b5188861ca983c56
RemoteManipulator
ddca8f9d05aa07e903b71aa9823252962f91d0a192b79e346f8a51f39fb9212d
RemoteManipulator
ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb
RemoteManipulator
f1849f447bfa07c3a9a9db11501a026d133541d0264424198f297f5ec70e1ff3
RemoteManipulator
+ 3 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210408-2qzl8lz3cx/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs .reg file with regedit
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
01469064718c89b6853365f1c7008c72ccd6a1ecb88a52cfcf82880e39dd0358
MD5 hash:
1e949d5238fbf2ade45c91bb54de22ea
SHA1 hash:
2e72856da91bde014732628119407d637c97a283
Link:
https://www.unpac.me/results/68866d4c-2d79-4445-b43c-7a8285eacf30/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/01469064718c89b6853365f1c7008c72ccd6a1ecb88a52cfcf82880e39dd0358

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Adsterra_Adware_DOM
Create hunting rule
Author:IlluminatiFish
Description:Detects Adsterra adware script being loaded without the user's consent
Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:INDICATOR_KB_CERT_0c15be4a15bb0903c901b1d6c265302f
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:MALWARE_Win_RemoteUtilitiesRAT
Create hunting rule
Author:ditekSHen
Description:RemoteUtilitiesRAT RAT payload
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_rms_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemoteManipulator

Executable exe 01469064718c89b6853365f1c7008c72ccd6a1ecb88a52cfcf82880e39dd0358

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1104217/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/133035/

Comments