MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a06a25efb1dfea94e24096f64b40cc3661ef97a0de194fd83d2ca8d9a3648cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: RemoteManipulator
Vendor detections: 12



SHA256 hash: 0a06a25efb1dfea94e24096f64b40cc3661ef97a0de194fd83d2ca8d9a3648cc
SHA3-384 hash: 905feb386dfc1672276595f61fbf9679dcfd82c0d379f414eaab4698bcee9d57a396eb73cba32b7375d62f57e68bfb43
SHA1 hash: 0435a1f62a49a630b01a8e97f0cc6bc7e5e70b58
MD5 hash: c8adfc67cd1224dfea6bd5a22a091c60
humanhash: failed-beer-low-emma
File name: SecuriteInfo.com.Win32.Malware-gen.25970.5981
Signature: RemoteManipulator
File size: 8'791'817 bytes
First seen: 2024-09-15 17:25:16 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2fb819a19fe4dee5c03e8c6a79342f79 (56 x Adware.InstallCore, 8 x RedLineStealer, 7 x Adware.ExtenBro)
ssdeep: 196608:k6XlNPkHcYjvUF18GaeW2knUSvc+jkKW2s9q2yboug:k6XI8YzvGq2KUT+jL5s9Coug
Threatray: 82 similar samples on MalwareBazaar
TLSH: T14396338106516143FD8414FD0BABE129EC762AD63A39DC3D798F9D0FBF1B78816162E8
TrID:
  76.2% (.EXE) Inno Setup installer (107240/4/30)
  10.0% (.EXE) Win32 Executable Delphi generic (14182/79/4)
  4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  3.2% (.EXE) Win32 Executable (generic) (4504/4/1)
  1.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika: pebin
dhash icon: b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter: SecuriteInfoCom
Tags: exe RemoteManipulator

Intelligence


File Origin
# of uploads: 1
# of downloads: 347
Origin country: FR
Vendor Threat Intelligence

Malware family:
ID: 1
File name: random[1].exe
Verdict: Malicious activity
Analysis date: 2024-09-14 16:04:55 UTC
Tags: amadey botnet stealer loader rat rms themida
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.9%
Tags: Encryption Static Stealth Trojan Agent

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: borland_delphi fingerprint installer lolbin overlay packed setupapi shell32

Result
Verdict: MALICIOUS
Malware family: Generic Malware

Verdict: Malicious

Result
Threat name: RMSRemoteAdmin
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Antivirus detection for dropped file
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Creates processes via WMI
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes or reads registry keys via WMI
Writes registry values via WMI
Behaviour
Behavior Graph ID: 1511567
Sample: SecuriteInfo.com.Win32.Malw...
Startdate: 15/09/2024
Architecture: WINDOWS
Score: 100
Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 2 other signatures
Process tree (recovered from the behavior graph; indentation shows parent/child):
  SecuriteInfo.com.Win32.Malware-gen.25970.5981.exe (started)
    dropped: SecuriteInfo.com.W...-gen.25970.5981.tmp, PE32
    SecuriteInfo.com.Win32.Malware-gen.25970.5981.tmp (started)
      dropped: C:\Users\user\AppData\Local\...\ssleay32.dll, PE32
      dropped: C:\Users\user\AppData\Local\...\msimg32.dll, PE32
      dropped: C:\Users\user\AppData\Local\...\libeay32.dll, PE32
      dropped: 8 other files (7 malicious)
      signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Creates processes via WMI; Writes or reads registry keys via WMI; Writes registry values via WMI
      Silverlight.Configuration.exe (started)
        signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
        WidgetService.exe (started)
          network: 127.0.0.1 (unknown)
          signatures: Multi AV Scanner detection for dropped file; Query firmware table information (likely to detect VMs); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
          cmd.exe (started)
            dropped: C:\...\ssleay32.dll.2556803485.bak (copy), PE32
            dropped: C:\...\msimg32.dll.2556803485.bak (copy), PE32
            dropped: C:\...\libeay32.dll.2556803485.bak (copy), PE32
            dropped: 2 other malicious files
            signatures: Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
            conhost.exe (started)
            PING.EXE (started)
          rundll32.exe (started)
      WmiPrvSE.exe (started)
  Silverlight.Configuration.exe (started)
    signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
    WidgetService.exe (started)
      signatures: Query firmware table information (likely to detect VMs); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2024-09-14 00:26:17 UTC
File Type: PE (Exe)
Extracted files: 565
AV detection: 21 of 38 (55.26%)
Threat level: 2/5

Result
Malware family: n/a
Score: 7/10
Tags: discovery persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SHA256 hash: 44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash: 9c8886759e736d3f27674e0fff63d40a
SHA1 hash: ceff6a7b106c3262d9e8496d2ab319821b100541

SHA256 hash: 388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
MD5 hash: e4211d6d009757c078a9fac7ff4f03d4
SHA1 hash: 019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256 hash: 6ae31c22796135761f20de6df2b29034438821ee51c75245247d7a9f01a7cdcd
MD5 hash: 7e004d5dbb0559ad023d651b9acf885e
SHA1 hash: e901b8bd723160e7f2548bac6a3ce9cd842d7a9b

SHA256 hash: 0a06a25efb1dfea94e24096f64b40cc3661ef97a0de194fd83d2ca8d9a3648cc
MD5 hash: c8adfc67cd1224dfea6bd5a22a091c60
SHA1 hash: 0435a1f62a49a630b01a8e97f0cc6bc7e5e70b58
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Detect_APT29_WINELOADER_Backdoor
Author: daniyyell
Description: Detects APT29's WINELOADER backdoor variant used in phishing campaigns, this rule also detect bad pdf,shtml,htm and vbs or maybe more depends
Reference: https://cloud.google.com/blog/topics/threat-intelligence/apt29-wineloader-german-political-parties

Rule name: pe_detect_tls_callbacks

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: RemoteManipulator
File: Executable exe 0a06a25efb1dfea94e24096f64b40cc3661ef97a0de194fd83d2ca8d9a3648cc (this sample)

Delivery method: Distributed via web download

BLint


The following tables provide more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Reviews
ID | Capabilities | Evidence
SECURITY_BASE_API | Uses Security Base API | advapi32.dll::AdjustTokenPrivileges
WIN32_PROCESS_API | Can Create Process and Threads | kernel32.dll::CreateProcessA, advapi32.dll::OpenProcessToken, kernel32.dll::CloseHandle
WIN_BASE_API | Uses Win Base API | kernel32.dll::LoadLibraryA, kernel32.dll::GetSystemInfo, kernel32.dll::GetCommandLineA
WIN_BASE_IO_API | Can Create Files | kernel32.dll::CreateDirectoryA, kernel32.dll::CreateFileA, kernel32.dll::DeleteFileA, kernel32.dll::GetWindowsDirectoryA, kernel32.dll::GetSystemDirectoryA, kernel32.dll::GetFileAttributesA
WIN_BASE_USER_API | Retrieves Account Information | advapi32.dll::LookupPrivilegeValueA
WIN_REG_API | Can Manipulate Windows Registry | advapi32.dll::RegOpenKeyExA, advapi32.dll::RegQueryValueExA
WIN_USER_API | Performs GUI Actions | user32.dll::PeekMessageA, user32.dll::CreateWindowExA
