MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0824ce63c361616ff51da5dec25763aa14cf57b579416617e3b3390fe11c9ae1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemoteManipulator


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0824ce63c361616ff51da5dec25763aa14cf57b579416617e3b3390fe11c9ae1
SHA3-384 hash: 0f567591fe02f4995516cf38dd7b938076c50688ced2f6904a6b3aa722bf04028e81bffaf71b7f090ae29e05736192f2
SHA1 hash: 14ea975495bb13ad416f31687834330ad90d600b
MD5 hash: acb268b8a6ca42008a629cadddc87207
humanhash: crazy-south-kentucky-timing
File name:pass.bin
Download: download sample
Signature RemoteManipulator
Create hunting rule
File size:9'115'877 bytes
First seen:2021-02-23 08:17:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2f38416762c94d29a8bc2c6865d1c9f2 (4 x RemoteManipulator)
ssdeep 196608:i+Cvx+UaVrcYF6nP66ZVazTaeiPL2iSCi60hj3l2:ijVsIYFBgVauPKiS76qrl2
Threatray 10 similar samples on MalwareBazaar
TLSH 1096330699A28A37EB364C750AF90B10872EB86B9C65705D1B9E5E4D0FDF8E05CC5B33
Reporter JAMESWT_WT
Tags:exe Remote Manipulator System RemoteManipulator

Intelligence

File Origin
# of uploads :
1
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ddca8f9d05aa07e903b71aa9823252962f91d0a192b79e346f8a51f39fb9212d
Verdict:
Malicious activity
Analysis date:
2021-02-23 08:14:24 UTC
Tags:
installer
Link:
https://app.any.run/tasks/445092e4-2424-467c-bbb8-2443b80f71d4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RemoteUtilitiesRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/118548/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating a file
Moving a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Searching for the window
Sending a UDP request
Adding a root certificate
Creating a service
Launching a service
Deleting a recently created file
DNS request
Sending a custom TCP request
Enabling autorun for a service
Connection attempt to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RMSRemoteAdmin
Create hunting rule
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/615035
Signature
Antivirus detection for dropped file
Installs new ROOT certificates
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses regedit.exe to modify the Windows registry
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 356526 Sample: pass.bin Startdate: 23/02/2021 Architecture: WINDOWS Score: 80 58 zen.hldns.ru 2->58 60 smtp.yandex.ru 2->60 72 Antivirus detection for dropped file 2->72 74 Multi AV Scanner detection for dropped file 2->74 76 Multi AV Scanner detection for submitted file 2->76 78 2 other signatures 2->78 9 pass.exe 2 2->9         started        12 rutserv.exe 6 2->12         started        16 svchost.exe 2->16         started        18 4 other processes 2->18 signatures3 process4 dnsIp5 56 C:\Users\user\AppData\Local\Temp\...\pass.tmp, PE32 9->56 dropped 20 pass.tmp 5 24 9->20         started        62 zen.hldns.ru 185.220.102.6, 49740, 49742, 49745 ZWIEBELFREUNDEAT Germany 12->62 64 smtp.yandex.ru 77.88.21.158, 49748, 49755, 49765 YANDEXRU Russian Federation 12->64 86 Query firmware table information (likely to detect VMs) 12->86 23 rfusclient.exe 12->23         started        26 rfusclient.exe 12->26         started        66 192.168.2.1 unknown unknown 16->66 68 127.0.0.1 unknown unknown 18->68 file6 signatures7 process8 file9 48 C:\ProgramData\Immunity\is-A7N39.tmp, PE32 20->48 dropped 50 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 20->50 dropped 52 C:\ProgramData\Immunity\is-UJDOI.tmp, PE32 20->52 dropped 54 3 other files (none is malicious) 20->54 dropped 28 cmd.exe 1 20->28         started        30 cmd.exe 1 20->30         started        84 Query firmware table information (likely to detect VMs) 23->84 32 rfusclient.exe 23->32         started        signatures10 process11 signatures12 35 rutserv.exe 4 28->35         started        38 rutserv.exe 1 2 28->38         started        40 rutserv.exe 2 28->40         started        46 2 other processes 28->46 42 regedit.exe 8 30->42         started        44 conhost.exe 30->44         started        70 Query firmware table information (likely to detect VMs) 32->70 process13 signatures14 80 Query firmware table information (likely to detect VMs) 35->80 82 Installs new ROOT certificates 46->82
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0824ce63c361616ff51da5dec25763aa14cf57b579416617e3b3390fe11c9ae1/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=basm4y6dmfqw75i5uxpmev3dvikm6v5vpfawmf7dwm4q7yi4tlqq._file
Verdict:
suspicious
Similar samples:
118dd258630c48b0beacd8b4c04c9c9cd3b9f698b660b6a904b1dfc033e00cd1
RemoteManipulator
6c8a5f43e07034d0545c60c137f96c6ab8da44cfd59a8654896c8f6c497aefad
RemoteManipulator
6dda990d8073fee71cedeabd622f6d7a9be6fb2e696bda71e7b709f1c08f5e36
RemoteManipulator
7cebce024d5351e0179898fffce2628756bdcd33f9ce3833f922f1265b6e5f73
RemoteManipulator
8f4d63fea00eca6d91147de6a10b7aae6069f164ef00d5986eff571249552dae
RemoteManipulator
b5961f407c0afef04c9406ba17cbae3fe4cc575b47e50081abbda0d96f9c0f18
RemoteManipulator
ddca8f9d05aa07e903b71aa9823252962f91d0a192b79e346f8a51f39fb9212d
RemoteManipulator
e5f575d9223be5a7a825f598e21b5ec4475ea6a9d58ad0e87932a57768908027
RemoteManipulator
ed20ff85f5df587140e0780e16a5eb28df94e1b6330c8256de39d94b5a772e83
RemoteManipulator
ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb
RemoteManipulator
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210223-x9qpg978s6/
Behaviour
Modifies data under HKEY_USERS
Modifies system certificate store
Runs .reg file with regedit
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
30ad56af1ee14976920a64e41705ba63f51b047a8d439418a024121dd0b9b448
MD5 hash:
dfe630c2db0c5cba8a68522129c15b57
SHA1 hash:
7c386a3891cce329010353af28ac23d558ae2fa7
Detections:
win_danabot_a1
Create hunting rule
win_rms_a0
Create hunting rule
win_rms_auto
Create hunting rule
Link:
https://www.unpac.me/results/5606da92-b155-4392-97c1-31ccfad6ac1e/
SH256 hash:
49ff3ae91dc26a83ed1543e36850dc419a0dcbb864567d186e84960e93366952
MD5 hash:
923b5f04beabf427dc1ab4e4d1147e0a
SHA1 hash:
8537fdc1ae17269fa55a980fac02a55a56f7da14
Link:
https://www.unpac.me/results/5606da92-b155-4392-97c1-31ccfad6ac1e/
SH256 hash:
b382e9476a264a39de39de87f22397773400caa7d2f88db9c7cf5c342e392dfa
MD5 hash:
7f6ffbcd69c02754f76b60121b76ff6c
SHA1 hash:
210616fc2f91d49739a159ce17aade4681536518
Link:
https://www.unpac.me/results/5606da92-b155-4392-97c1-31ccfad6ac1e/
SH256 hash:
069d7434cfb05dd3fec87fdee5f3e4dd5dd16356cc4c4822e926c5965e579e47
MD5 hash:
d52d98138ee04120a1746e46d70d093e
SHA1 hash:
0e76a0782a9f519f4608ecfb37fdf1e023d27aa1
Link:
https://www.unpac.me/results/5606da92-b155-4392-97c1-31ccfad6ac1e/
SH256 hash:
5f54a066298ba1d6460f900d457e21e4088d7b9f2f6c9e5ad5ead89557fed973
MD5 hash:
5bd59e7bed5e13c18deef83f5c9cf465
SHA1 hash:
c2673243b8dce8512c2922afd43a0b5d47755b82
Link:
https://www.unpac.me/results/5606da92-b155-4392-97c1-31ccfad6ac1e/
SH256 hash:
0824ce63c361616ff51da5dec25763aa14cf57b579416617e3b3390fe11c9ae1
MD5 hash:
acb268b8a6ca42008a629cadddc87207
SHA1 hash:
14ea975495bb13ad416f31687834330ad90d600b
Link:
https://www.unpac.me/results/5606da92-b155-4392-97c1-31ccfad6ac1e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Backdoor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0824ce63c361616ff51da5dec25763aa14cf57b579416617e3b3390fe11c9ae1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Adsterra_Adware_DOM
Create hunting rule
Author:IlluminatiFish
Description:Detects Adsterra adware script being loaded without the user's consent
Rule name:MALWARE_Win_RemoteUtilitiesRAT
Create hunting rule
Author:ditekSHen
Description:RemoteUtilitiesRAT RAT payload
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:win_rms_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/118548/

Comments