MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 035a62c9a13176755bbe5ea0d9c8a609c9f237a6e0af811abb934ca8654eb753. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RemoteManipulator
Vendor detections: 7

SHA256 hash: 035a62c9a13176755bbe5ea0d9c8a609c9f237a6e0af811abb934ca8654eb753
SHA3-384 hash: d55ed2f3be1abe92999a225201a40b76153cd0ec9c2790f9d8489c64b11d8e4a8eba06fac1149b44c177c83fbe8df907
SHA1 hash: 080ba6dfd4cba6585ae31b54252f91bbff92a94c
MD5 hash: 7a7c959cb5af11850e8cf3a9a708ab73
humanhash: idaho-orange-low-alaska
File name: 035a62c9a13176755bbe5ea0d9c8a609c9f237a6e0af811abb934ca8654eb753
Signature: RemoteManipulator
File size: 653'608 bytes
First seen: 2020-11-01 10:29:45 UTC
Last seen: 2020-11-01 13:09:14 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:RUxO6X60Qk3oxHFMMVzLtqe/ObF1O99iAQ1S/Sahs9CiZ3:Rx6Xn+znVvtqiOx1O99iAKS/upZ3
Threatray: 10 similar samples on MalwareBazaar
TLSH: E4D4BF3533646FA6F07D933A911444059BF2BC97F361E689BDB510EA09E0F814B72BE2
Reporter: JAMESWT_WT
Tags: RemoteManipulator signed THRANE AGENTUR ApS

Code Signing Certificate

Organisation: THRANE AGENTUR ApS
Issuer: Sectigo RSA Code Signing CA
Algorithm: sha256WithRSAEncryption
Valid from: 2020-10-22T00:00:00Z
Valid to: 2021-10-22T23:59:59Z
Serial number: ece6cbf67dc41635a5e5d075f286af23
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist: This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm: SHA256
Thumbprint: f1f83c96ab00dcb70c0231d946b6fbd6a01e2c94e8f9f30352bbe50e89a9a51c
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform
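The CSCB entry above is actionable on its own: the thumbprint is the SHA256 of the DER-encoded signing certificate, so any PE whose Authenticode blob carries that certificate can be flagged without contacting MalwareBazaar. The following is an added example, not MalwareBazaar's or ReversingLabs' code, written in stdlib-only Python: it reads the PE security directory, walks the PKCS#7 SignedData far enough to pull out every embedded certificate, and compares thumbprints against the blocklist entry from this page. The PE it builds for itself (build_demo_pe, DEMO_CERT) is a constructed fixture whose "certificate" is a stand-in SEQUENCE rather than a real X.509 structure, so it will not match the real f1f83c96... thumbprint. One caveat a practitioner should keep in mind: a thumbprint hit only proves the certificate is attached to the file; it does not prove the Authenticode signature verifies, so a real pipeline should pair this check with signature validation.

```python
import hashlib
import struct

# Thumbprint (SHA256 over the DER-encoded certificate) from this entry's Code Signing Certificate block.
CSCB_BLOCKLIST = {"f1f83c96ab00dcb70c0231d946b6fbd6a01e2c94e8f9f30352bbe50e89a9a51c"}


def der_iter(data):
    """Yield (tag, raw_tlv, body) for each DER element in `data`; long-form lengths are handled."""
    i = 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        if first & 0x80:
            n = first & 0x7F
            length, hdr = int.from_bytes(data[i + 2:i + 2 + n], "big"), 2 + n
        else:
            length, hdr = first, 2
        yield tag, data[i:i + hdr + length], data[i + hdr:i + hdr + length]
        i += hdr + length


def pkcs7_certificates(pkcs7):
    """DER bytes of every certificate carried in an Authenticode PKCS#7 SignedData blob."""
    try:
        _, _, content_info = next(der_iter(pkcs7))                             # ContentInfo ::= SEQUENCE
        content = next(b for t, _, b in der_iter(content_info) if t == 0xA0)   # content [0] EXPLICIT
        _, _, signed_data = next(der_iter(content))                            # SignedData ::= SEQUENCE
        certs = next(b for t, _, b in der_iter(signed_data) if t == 0xA0)      # certificates [0] IMPLICIT
        return [raw for t, raw, _ in der_iter(certs) if t == 0x30]             # each Certificate is a SEQUENCE
    except (StopIteration, IndexError):
        return []


def pe_security_blobs(pe):
    """bCertificate blobs from IMAGE_DIRECTORY_ENTRY_SECURITY (its offset/size are file offsets, not RVAs)."""
    try:
        if pe[:2] != b"MZ":
            return []
        e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
        if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return []
        opt = e_lfanew + 24                                       # 4-byte signature + 20-byte COFF header
        magic = struct.unpack_from("<H", pe, opt)[0]
        dirs = opt + (96 if magic == 0x10B else 112)              # PE32 vs PE32+ optional header layout
        off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)   # data directory entry 4 = security
        blobs, end = [], off + size
        while off + 8 <= end:
            length, _rev, ctype = struct.unpack_from("<IHH", pe, off)   # WIN_CERTIFICATE header
            if length < 8:
                break
            if ctype == 0x0002:                                   # WIN_CERT_TYPE_PKCS_SIGNED_DATA
                blobs.append(pe[off + 8:off + length])
            off += (length + 7) & ~7                              # entries are 8-byte aligned
        return blobs
    except struct.error:
        return []


def pe_cert_thumbprints(pe):
    """Hex SHA256 thumbprint of every certificate in the file's Authenticode chain (signer and intermediates)."""
    return [hashlib.sha256(c).hexdigest()
            for blob in pe_security_blobs(pe) for c in pkcs7_certificates(blob)]


def is_blocklisted(pe, blocklist=CSCB_BLOCKLIST):
    """True if any embedded certificate's thumbprint is on the blocklist (signature validity is NOT checked)."""
    return any(t in blocklist for t in pe_cert_thumbprints(pe))


# --- constructed test fixture: a minimal PE32 carrying a stand-in certificate, so the parser runs offline ---

def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = (len(body).bit_length() + 7) // 8
    return bytes([tag, 0x80 | n]) + len(body).to_bytes(n, "big") + body


# Stand-in for a leaf certificate (NOT a real X.509 structure); only its DER thumbprint matters here.
DEMO_CERT = _der(0x30, _der(0x02, b"\x01") + _der(0x0C, b"constructed demo signer"))
DEMO_CERT_THUMBPRINT = hashlib.sha256(DEMO_CERT).hexdigest()


def build_demo_pe(cert=DEMO_CERT):
    """Constructed PE32 with no sections whose security directory wraps `cert` in a PKCS#7 SignedData."""
    oid_signed_data = _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02")   # 1.2.840.113549.1.7.2
    oid_data = _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01")          # 1.2.840.113549.1.7.1
    signed_data = _der(0x30, _der(0x02, b"\x01") + _der(0x31, b"") + _der(0x30, oid_data)
                       + _der(0xA0, cert) + _der(0x31, b""))
    pkcs7 = _der(0x30, oid_signed_data + _der(0xA0, signed_data))
    win_cert = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, 0x0002) + pkcs7
    e_lfanew, opt_size = 0x40, 224
    cert_off = e_lfanew + 4 + 20 + opt_size                       # 0x138: headers end here, 8-byte aligned
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 4 * 8, cert_off, len(win_cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + win_cert
```

Run it against a real sample by passing the file bytes to is_blocklisted; with the default blocklist it returns True only for files carrying the THRANE AGENTUR ApS certificate listed above. Because the check walks every certificate in the blob, adding a Sectigo intermediate's thumbprint to the set would flag far too much; keep the blocklist to leaf certificates, as the CSCB does.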


Comment by JAMESWT_WT: THRANE AGENTUR ApS

Intelligence

File Origin
# of uploads: 2
# of downloads: 148
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
Sending a UDP request
Creating a window
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Unauthorized injection to a recently created process

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: RMSRemoteAdmin xRAT Amadey
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Contains functionality to inject code into remote processes
Detected xRAT
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Yara detected Amadey's stealer DLL
Yara detected AntiVM_3
Behaviour

Behavior Graph (ID 307960, sample uybfgaWOp3, start date 01/11/2020, architecture WINDOWS, score 100), laid out as a process tree with the graph's node ids in brackets:

Sample-level DNS: vipmen.hldns.ru; rms-server.tektonit.ru; SMTP.yandex.ru
Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 10 other signatures

[13] uybfgaWOp3.exe
    dropped: C:\Users\user\AppData\...\uybfgaWOp3.exe.log (ASCII)
    signatures: Contains functionality to inject code into remote processes; Injects a PE file into a foreign processes
    [21] uybfgaWOp3.exe
        dropped: C:\ProgramData\78b6645ac6\gbudn.exe (PE32)
        [28] gbudn.exe
            signatures: Multi AV Scanner detection for dropped file
            [31] gbudn.exe
                network: 62.113.112.103, ports 49714, 49715, 49738 (VDSINA-ASRU, Russian Federation); 94.140.114.106, ports 49713, 49728, 49743 (NANO-ASLV, Latvia); d.indacloud.in 107.152.41.148, ports 49716, 80 (TZULOUS, United States)
                dropped: C:\Users\user\AppData\Local\...\cred[1].dll (PE32); C:\Users\user\AppData\Local\...\scr[1].dll (PE32); C:\ProgramData\78b6645ac6\scr.dll (PE32); 3 other files (1 malicious)
                [35] rundll32.exe
                    network: 107.152.39.148, port 80 (TZULOUS, United States); 107.152.41.71, ports 49726, 80 (TZULOUS, United States); 192.168.2.5, ports 443, 49673, 49674 (unknown ASN, unknown country)
                    signatures: System process connects to network (likely due to code injection or exploit); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Instant Messenger accounts or passwords; 2 other signatures
                [39] st.exe
                    dropped: C:\Users\user\AppData\Local\Temp\...\st.tmp (PE32)
                    [46] st.tmp
                        dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\ProgramData\Immunity\is-QBHBD.tmp (PE32); C:\ProgramData\Immunity\is-9EB4H.tmp (PE32); 2 other files (none is malicious)
                        [51] cmd.exe
                            signatures: Uses ping.exe to sleep
                            [56] PING.EXE
                                network: Ping-ip.hldns.ru 185.220.101.203 (ASMKNL, Germany)
                            [59] conhost.exe
                            [61] find.exe
                        [54] cmd.exe
                            signatures: Very long command line found
                            [63] conhost.exe
                            [65] reg.exe
                            [67] timeout.exe
                            [69] 4 other processes
                [42] rundll32.exe
                [44] 3 other processes
                    [49] conhost.exe
[17] gbudn.exe
    [24] gbudn.exe
[19] gbudn.exe
    [26] gbudn.exe
Result
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2020-10-27 19:45:03 UTC
File Type: PE (.Net Exe)
Extracted files: 30
AV detection: 19 of 29 (65.52%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies system certificate store
Runs ping.exe
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Drops file in System32 directory
JavaScript code in executable
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Blacklisted process makes network request
Suspicious use of NtCreateUserProcessOtherParentProcess
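Several of the behaviours reported above (ping.exe used as a sleep, schtasks.exe task creation, timeout.exe delays, reg.exe writes under HKEY_USERS, a rundll32.exe loading a DLL dropped under ProgramData, a very long command line) are cheap to turn into process-creation detections. The block below is an added example, not code from MalwareBazaar or either sandbox vendor: a handful of rules in Python run over constructed process-creation events. The events reuse the node ids from the behavior graph as pids and the image names the graph shows, but every command line is invented for the demo, since the page only records process names; the 1024-character threshold for "very long command line" is likewise an assumption, not the sandbox's value.

```python
import re
from collections import defaultdict

# Constructed process-creation events shaped like the behavior graph reported above (node ids reused as pids).
# The page shows only image names; every command line below is invented for the demo.
EVENTS = [
    {"pid": 31, "ppid": 28, "image": r"C:\ProgramData\78b6645ac6\gbudn.exe",
     "cmdline": r'"C:\ProgramData\78b6645ac6\gbudn.exe"'},
    {"pid": 35, "ppid": 31, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\ProgramData\78b6645ac6\scr.dll,Main"},
    {"pid": 51, "ppid": 46, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c ping 127.0.0.1 -n 30 > nul & del "C:\Users\user\AppData\Local\Temp\st.tmp"'},
    {"pid": 56, "ppid": 51, "image": r"C:\Windows\System32\PING.EXE", "cmdline": "ping 127.0.0.1 -n 30"},
    {"pid": 54, "ppid": 46, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c timeout /t 5 & " + " & ".join(["reg add HKCU\\Software\\demo /v k /d v /f"] * 40)},
    {"pid": 65, "ppid": 54, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKCU\Software\demo /v k /d v /f"},
    {"pid": 67, "ppid": 54, "image": r"C:\Windows\System32\timeout.exe", "cmdline": "timeout /t 5"},
    {"pid": 90, "ppid": 31, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /sc minute /mo 1 /tn demo /tr C:\ProgramData\78b6645ac6\gbudn.exe /f"},
    {"pid": 80, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},  # benign control
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ping_sleep(e, parent):
    """ping -n <count> 127.0.0.1/localhost spawned by cmd.exe: the 'ping as sleep' idiom the sandbox flagged."""
    return (basename(e["image"]) == "ping.exe"
            and parent is not None and basename(parent["image"]) == "cmd.exe"
            and re.search(r"-n\s+\d+", e["cmdline"], re.I) is not None
            and re.search(r"127\.0\.0\.1|localhost", e["cmdline"], re.I) is not None)


def schtasks_create(e, parent):
    return basename(e["image"]) == "schtasks.exe" and re.search(r"/create\b", e["cmdline"], re.I) is not None


def timeout_delay(e, parent):
    return basename(e["image"]) == "timeout.exe"


def rundll32_from_programdata(e, parent):
    """rundll32 loading a DLL dropped under ProgramData (scr.dll / cred.dll in the report)."""
    return (basename(e["image"]) == "rundll32.exe"
            and re.search(r"[a-z]:\\programdata\\", e["cmdline"], re.I) is not None)


def exe_from_programdata(e, parent):
    """Execution of a dropped binary under ProgramData (gbudn.exe in the report)."""
    return re.match(r"[a-z]:\\programdata\\", e["image"], re.I) is not None and basename(e["image"]).endswith(".exe")


def reg_add_hkcu(e, parent):
    """reg.exe writing under the current user's hive ('Modifies data under HKEY_USERS')."""
    return (basename(e["image"]) == "reg.exe"
            and re.search(r"\badd\b.*\b(hkcu|hkey_current_user)\b", e["cmdline"], re.I) is not None)


def very_long_cmdline(e, parent, limit=1024):   # threshold is an assumption, not the sandbox's value
    return len(e["cmdline"]) > limit


RULES = [ping_sleep, schtasks_create, timeout_delay, rundll32_from_programdata,
         exe_from_programdata, reg_add_hkcu, very_long_cmdline]


def detect(events):
    """Run every rule over every event; returns {pid: [rule names]} for events that fired at least one rule."""
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(list)
    for e in events:
        parent = by_pid.get(e["ppid"])          # None when the parent is outside the captured events
        for rule in RULES:
            if rule(e, parent):
                hits[e["pid"]].append(rule.__name__)
    return dict(hits)


def tree_hits(events):
    """Aggregate hits up to the top of each chain present in the events: one alert per process tree."""
    by_pid = {e["pid"]: e for e in events}
    trees = defaultdict(set)
    for pid, names in detect(events).items():
        root = pid
        while by_pid[root]["ppid"] in by_pid:
            root = by_pid[root]["ppid"]
        trees[root].update(names)
    return {root: sorted(names) for root, names in trees.items()}
```

tree_hits is the view an analyst wants: the gbudn.exe tree collects the ProgramData execution, the rundll32 DLL load and the scheduled task, while each cmd.exe tree collects its own delay and registry activity, instead of seven separate per-process alerts. ping_sleep deliberately requires a cmd.exe parent; ping.exe on its own is far too common on a network to alert on.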
Unpacked files

SHA256 hash: ecca2732fd69f3522f32055a92d48f0c751760fb9c977af8ee2c44d39bf0068f
MD5 hash: 507e8b6d02cd0e129df02be4e7373ff7
SHA1 hash: 3afa50930272ca45ccece0858a5141237f92ed2f

SHA256 hash: ff66c4920827e641d823b942d2e05e21df8e9c5884b0638fbede130a8cdfad7a
MD5 hash: bc0597d8443aaa7d8e2383e2609a315c
SHA1 hash: b29e1014dd04b71dd630fcf1c716dfa2c65fc003

SHA256 hash: 3327ffcfbb943edebfbd09895030bdb415acc77abf2973514936421992464806
MD5 hash: 7d47478fcfc40cfd402c69200e13ee8d
SHA1 hash: b92d20624d46eef0067342d5622f2fb30694a9b1

SHA256 hash: bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash: a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash: e5404e3ed46498deb8ad8966a774540c2b8e9c1e

SHA256 hash: 035a62c9a13176755bbe5ea0d9c8a609c9f237a6e0af811abb934ca8654eb753
MD5 hash: 7a7c959cb5af11850e8cf3a9a708ab73
SHA1 hash: 080ba6dfd4cba6585ae31b54252f91bbff92a94c

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments