MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18990cfc38044e3be0d954ebfca6cd08404a67841f48a9540ea5397e7b83fb00. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemoteManipulator


Vendor detections: 13


Intelligence 13 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 18990cfc38044e3be0d954ebfca6cd08404a67841f48a9540ea5397e7b83fb00
SHA3-384 hash: 37265ad714bdd91ada99253f9472520a20cb5d61d096e4361a6f743be8104cda8e47350f6ed83a7f0f077a905bf9c1c6
SHA1 hash: cd61ac9b755439c1d8e7116b344a04a745a9aaeb
MD5 hash: 856e0406d6986ce8c0c544baa88a1409
humanhash: east-bluebird-fifteen-violet
File name:856E0406D6986CE8C0C544BAA88A1409.exe
Download: download sample
Signature RemoteManipulator
Create hunting rule
File size:20'325'104 bytes
First seen:2024-03-06 11:22:12 UTC
Last seen:2024-03-06 13:32:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a2adaf9422c8d5596ce912860ce76592 (5 x RemoteManipulator)
ssdeep 393216:KNKczZvLdLd8gBsuTlicKzB/xONCdfQt4qxT:GKczRdLdlBsylicKzBYCdM4qR
TLSH T1C9271253FB84AD3ED4AF1B364477891C9D3BBF5166164E0A27F46C0C8E365802A3F686
TrID 47.9% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
34.5% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
3.7% (.EXE) Win32 Executable (generic) (4504/4/1)
1.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon c0dacabacac0c244 (20 x RemoteManipulator)
Reporter abuse_ch
Tags:exe RemoteManipulator


Avatar
abuse_ch
RemoteManipulator C2:
178.238.112.11:56555

Intelligence

File Origin
# of uploads :
2
# of downloads :
467
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
rms
Create hunting rule
ID:
1
File name:
18990cfc38044e3be0d954ebfca6cd08404a67841f48a9540ea5397e7b83fb00.exe
Verdict:
Malicious activity
Analysis date:
2024-03-06 11:28:09 UTC
Tags:
rat rms
Link:
https://app.any.run/tasks/515357c8-49d1-4b1d-9a7b-8ad364f3580f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.PUA.Tool.RemoteControl.20.24116.20580.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a file
Launching a process
Modifying a system file
Creating a file in the Windows subdirectories
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Creating a service
Launching a service
Enabling autorun for a service
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
91%
Tags:
fingerprint keylogger lolbin msiexec overlay packed remote remotecontrol
Link:
https://www.filescan.io/uploads/65e8521883aa71d5c145cff6/reports/47c5abd4-ce49-4b4e-ad73-95057a4a6dc9/overview
Verdict:
Malicious
Labled as:
Backdoor.RABased
Link:
https://www.hybrid-analysis.com/sample/18990cfc38044e3be0d954ebfca6cd08404a67841f48a9540ea5397e7b83fb00
Result
Verdict:
MALICIOUS
Result
Threat name:
RMSRemoteAdmin
Create hunting rule
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1403964
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1403964 Sample: GkLbUGixzx.exe Startdate: 06/03/2024 Architecture: WINDOWS Score: 76 45 Malicious sample detected (through community Yara rule) 2->45 47 Antivirus / Scanner detection for submitted sample 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 Machine Learning detection for sample 2->51 7 msiexec.exe 109 117 2->7         started        11 rutserv.exe 9 12 2->11         started        14 GkLbUGixzx.exe 5 2->14         started        process3 dnsIp4 33 C:\Program Files (x86)\...\lockscr.sys, PE32 7->33 dropped 35 C:\Program Files (x86)\...\lockscr.sys, PE32 7->35 dropped 37 C:\Program Files (x86)\...\lockscr.sys, PE32+ 7->37 dropped 39 46 other files (1 malicious) 7->39 dropped 53 Sample is not signed and drops a device driver 7->53 16 rutserv.exe 2 7->16         started        19 rutserv.exe 2 7->19         started        21 rutserv.exe 2 7->21         started        29 2 other processes 7->29 41 178.238.112.11, 49740, 49741, 49746 MASTERTEL-ASMoscowRussiaRU Russian Federation 11->41 23 rfusclient.exe 11->23         started        25 rfusclient.exe 11->25         started        27 msiexec.exe 14->27         started        file5 signatures6 process7 signatures8 43 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 16->43 31 rfusclient.exe 23->31         started        process9
Score:
73%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/18990cfc38044e3be0d954ebfca6cd08404a67841f48a9540ea5397e7b83fb00
Gathering data
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2024-02-29 13:31:46 UTC
File Type:
PE (Exe)
Extracted files:
35
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dcmqz7byarhdxygzktv7zjwnbbaeuz4ed5eksvaouu4x464d7maa._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/240306-ng5lnaag66/
Behaviour
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Blocklisted process makes network request
Checks installed software on the system
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/18990cfc3804/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/18990cfc38044e3be0d954ebfca6cd08404a67841f48a9540ea5397e7b83fb00

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Windows_Trojan_Remotemanipulator_9ec52153
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
MULTIMEDIA_APICan Play Multimediagdi32.dll::StretchDIBits
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteW
shell32.dll::ShellExecuteExW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.DLL::CreateProcessW
KERNEL32.DLL::OpenProcess
KERNEL32.DLL::CloseHandle
KERNEL32.DLL::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::TerminateProcess
KERNEL32.DLL::LoadLibraryA
KERNEL32.DLL::LoadLibraryExW
KERNEL32.DLL::LoadLibraryW
KERNEL32.DLL::GetDriveTypeW
KERNEL32.DLL::GetVolumeInformationW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.DLL::GetConsoleOutputCP
KERNEL32.DLL::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.DLL::CreateDirectoryW
KERNEL32.DLL::CreateFileW
KERNEL32.DLL::CreateFileMappingW
KERNEL32.DLL::DeleteFileW
KERNEL32.DLL::GetFileAttributesW
KERNEL32.DLL::FindFirstFileW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.DLL::QueryDosDeviceW
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegConnectRegistryW
advapi32.dll::RegCreateKeyExW
advapi32.dll::RegDeleteKeyW
advapi32.dll::RegLoadKeyW
advapi32.dll::RegOpenKeyExW
advapi32.dll::RegOpenKeyExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::EmptyClipboard
user32.dll::FindWindowExW
user32.dll::FindWindowW
user32.dll::OpenClipboard

Comments