MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16628199eb5c93f78f0fcc61725517dc5946d7a8b526199fae2c6a2a564b1cc6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemoteManipulator


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 16628199eb5c93f78f0fcc61725517dc5946d7a8b526199fae2c6a2a564b1cc6
SHA3-384 hash: e74226fbceee63ca3e9efad8825c04ba167821e021a2a834188adbf76bbfbed00a87e161554cb727951cae6ed8440118
SHA1 hash: 277e0102912b3fe731cd1b368c78561dd778b67b
MD5 hash: 4e73334c47588a717aaba82221d73b22
humanhash: salami-september-lake-angel
File name:16628199eb5c93f78f0fcc61725517dc5946d7a8b5261.exe
Download: download sample
Signature RemoteManipulator
Create hunting rule
File size:4'829'448 bytes
First seen:2021-08-11 18:06:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cfda23baf1e2e983ddfeca47a5c755a (33 x RedLineStealer, 6 x Dridex, 5 x NetSupport)
ssdeep 98304:RFR+Y7/Z//wEf9S8by+ay4r8Y3g/avdC220KrAsTgokaC:9B7B3wEf9nby+54x3g/alryAKgDaC
Threatray 90 similar samples on MalwareBazaar
TLSH T1CB26337235C0C832E2262530C5B9AA51AA35F672A7B10607F7517F2E6FB456EC722F43
dhash icon a6a2e3e3e3a3a200 (5 x RedLineStealer, 4 x RemoteManipulator, 2 x Formbook)
Reporter abuse_ch
Tags:exe RemoteManipulator


Avatar
abuse_ch
RemoteManipulator C2:
182.93.93.132:5655

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
182.93.93.132:5655 https://threatfox.abuse.ch/ioc/171975/

Intelligence

File Origin
# of uploads :
1
# of downloads :
168
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/178357/
Detection(s):
Win.Malware.Dynamer-7194904-0
Create hunting rule

SecuriteInfo.com.Trojan.MulDrop7.53194.14125.546.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Creating a service
Launching a service
Connection attempt
Sending a custom TCP request
Sending a UDP request
Launching a tool to kill processes
Enabling autorun for a service
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5868aef0-debe-4b0e-9d3d-99a34209aa6b
Result
Threat name:
RMSRemoteAdmin
Create hunting rule
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/831169
Signature
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses regedit.exe to modify the Windows registry
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 463600 Sample: 16628199eb5c93f78f0fcc61725... Startdate: 11/08/2021 Architecture: WINDOWS Score: 84 54 Multi AV Scanner detection for submitted file 2->54 56 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->56 8 16628199eb5c93f78f0fcc61725517dc5946d7a8b5261.exe 3 16 2->8         started        11 xpsrchv.exe 2->11         started        14 svchost.exe 2->14         started        17 8 other processes 2->17 process3 dnsIp4 40 C:\Windows\ehome\ASCON\xpsrchv.exe, PE32 8->40 dropped 42 C:\Windows\ehome\ASCON\WUDLicense.exe, PE32 8->42 dropped 44 C:\Windows\ehome\ASCON\drv_set.reg, Windows 8->44 dropped 46 5 other files (none is malicious) 8->46 dropped 19 wscript.exe 1 8->19         started        48 182.93.93.132, 49726, 49732, 5655 SUBISU-CABLENET-AS-APSubisuCablenetPvtLtdBaluwatar Nepal 11->48 50 192.168.2.1 unknown unknown 11->50 21 WUDLicense.exe 11->21         started        24 WUDLicense.exe 11->24         started        70 Changes security center settings (notifications, updates, antivirus, firewall) 14->70 52 127.0.0.1 unknown unknown 17->52 file5 signatures6 process7 signatures8 26 cmd.exe 1 19->26         started        58 Antivirus detection for dropped file 21->58 60 Multi AV Scanner detection for dropped file 21->60 62 Machine Learning detection for dropped file 21->62 64 Drops executables to the windows directory (C:\Windows) and starts them 21->64 29 WUDLicense.exe 21->29         started        process9 signatures10 66 Drops executables to the windows directory (C:\Windows) and starts them 26->66 68 Uses regedit.exe to modify the Windows registry 26->68 31 xpsrchv.exe 26->31         started        34 taskkill.exe 1 26->34         started        36 taskkill.exe 1 26->36         started        38 14 other processes 26->38 process11 signatures12 72 Machine Learning detection for dropped file 31->72
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/16628199eb5c93f78f0fcc61725517dc5946d7a8b526199fae2c6a2a564b1cc6/
Threat name:
Win32.Hacktool.Remoteadmin
Create hunting rule
Status:
Malicious
First seen:
2021-08-08 16:10:43 UTC
AV detection:
21 of 27 (77.78%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=czridgpllsj7pdypzrqxevix3rmunv5iwutbth5ofrvcuvsldtda._file
Verdict:
malicious
Similar samples:
27dbff4b16fa15497def710d494b48ad90c3a498c354cee50fc0e35081dcfbb7
RemoteManipulator
2d40a6c3d1200616055b55031daa8a6b010b3c99219f6b6da87bcd2b2f27d6c2
RemoteManipulator
57933bc5c60de83fddbc7a2c6522e6481c9e684e342fed86a4c38bf08c4a6b0f
RemoteManipulator
5ade1071b7d6a1abe0b851d953fe1571f7372bce3d48f0adedfbbecd02c512c6
RemoteManipulator
73acff9ea3647f699cd645b09e652ca498eea7c5cee9f3cb573afda67a0ceeb2
RemoteManipulator
88ea963a97bd21ea3a83c74c5b2a103802b4b94882681c6f36913805c66b0383
RemoteManipulator
a6d3f74228ee18a19579010cd5fe3cc98f2c53dc43452325ba57a69f1253d7a5
RemoteManipulator
f3d5013578835436d8cc1f82b7dcfd44e18737535f54fadcb4ea5ad18d8aee0c
RemoteManipulator
fad001d463e892e7844040cabdcfa8f8431c07e7ef1ffd76ffbd190f49d7693d
RemoteManipulator
+ 80 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion upx
Link:
https://tria.ge/reports/210811-yga8qhfm4e/
Behaviour
Kills process with taskkill
Modifies registry class
Runs .reg file with regedit
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Drops file in Windows directory
Launches sc.exe
Loads dropped DLL
Executes dropped EXE
Sets file to hidden
Stops running service(s)
UPX packed file
Unpacked files
SH256 hash:
f0b2d1a4cf672a00cb7949a7f79833435a72bc07ef9b07336fd53e01b8d856cf
MD5 hash:
fd31a144bde071947c80f3dd6eba91d7
SHA1 hash:
de1ab4b859b9384142130e7346485eda776c6fa0
Detections:
win_rms_a0
Create hunting rule
win_rms_auto
Create hunting rule
Link:
https://www.unpac.me/results/4487ec2a-6149-4aa4-9b21-b2d461f8f568/
SH256 hash:
16628199eb5c93f78f0fcc61725517dc5946d7a8b526199fae2c6a2a564b1cc6
MD5 hash:
4e73334c47588a717aaba82221d73b22
SHA1 hash:
277e0102912b3fe731cd1b368c78561dd778b67b
Link:
https://www.unpac.me/results/4487ec2a-6149-4aa4-9b21-b2d461f8f568/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/16628199eb5c93f78f0fcc61725517dc5946d7a8b526199fae2c6a2a564b1cc6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_DustSquad_PE_Nov19_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detection Rule for APT DustSquad campaign Nov19
Reference:https://twitter.com/Rmy_Reserve/status/1197448735422238721
Rule name:APT_DustSquad_PE_Nov19_2
Create hunting rule
Author:Arkbird_SOLG
Description:Detection Rule for APT DustSquad campaign Nov19
Reference:https://twitter.com/Rmy_Reserve/status/1197448735422238721
Rule name:MALWARE_Win_RemoteUtilitiesRAT
Create hunting rule
Author:ditekSHen
Description:RemoteUtilitiesRAT RAT payload
Rule name:SR_APT_DustSquad_PE_Nov19
Create hunting rule
Author:Arkbird_SOLG
Description:Super Rule for APT DustSquad campaign Nov19
Reference:https://twitter.com/Rmy_Reserve/status/1197448735422238721
Rule name:win_rms_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/178357/

Comments