MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18ccca8cb507a80d437a22ef4d071707986dd6df3afe270bc46969249bb7b19e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemoteManipulator

Vendor detections: 11

SHA256 hash: 18ccca8cb507a80d437a22ef4d071707986dd6df3afe270bc46969249bb7b19e
SHA3-384 hash: ad140a5457a9e6a6eabd564d11e6af6cb43416bf09d5f7e87421b7b78845b0586d7311adff54dcb398e0fa05cc3767c4
SHA1 hash: 4e8029c21b52a282c79472b30e324e0c8f31d2d6
MD5 hash: c91241304c61f76067d075b7e7068060
humanhash: maryland-pennsylvania-berlin-twenty
File name: 18CCCA8CB507A80D437A22EF4D071707986DD6DF3AFE2.exe
Signature: RemoteManipulator
File size: 5'100'701 bytes
First seen: 2021-11-07 16:31:50 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6ce272c19b56582061e78de117f2a83b (1 x RemoteManipulator)
ssdeep: 98304:9t8jzMzVjIluUSKoQ5qwMUU2ODvQoHOnsrhfOF3xjsTyyq:9CzgcluUbnUrzunsr43xs+F
Threatray: 2 similar samples on MalwareBazaar
TLSH: T1E136334E26277640DE03DE386DBFF19AB034682F4D38FA18B4345F7A33E08B55A65952
dhash icon: cdabae6fe6e7eaec (20 x Amadey, 9 x AurotunStealer, 8 x CoinMiner)
Reporter: abuse_ch
Tags: exe RemoteManipulator


Comment by abuse_ch:
RemoteManipulator C2:
95.213.205.82:5655

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 95.213.205.82:5655
ThreatFox reference: https://threatfox.abuse.ch/ioc/244879/

Intelligence

File Origin
# of uploads: 1
# of downloads: 172
Origin country: n/a
Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: coinminer njrat overlay packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: RMSRemoteAdmin
Detection: malicious
Classification: evad
Score: 100 / 100
Signatures:
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Detected unpacking (changes PE section rights)
Detected VMProtect packer
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has a writeable .text section
Sample is protected by VMProtect
Sigma detected: Suspicious Compression Tool Parameters
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction which cause usermode exception
Uses regedit.exe to modify the Windows registry
Behaviour
Behavior Graph (image not reproduced; Behavior Graph ID: 517287, Sample: 18CCCA8CB507A80D437A22EF4D0..., Startdate: 07/11/2021, Architecture: WINDOWS, Score: 100). Content recoverable from the graph:
Process tree: 18CCCA8CB507A80D437A22EF4D071707986DD6DF3AFE2.exe -> wscript.exe -> cmd.exe -> RiMS.exe, Rar.exe, taskkill.exe and 6 other processes; RiMS.exe -> wscript.exe -> cmd.exe -> rutserv.exe, conhost.exe, taskkill.exe and 6 other processes; svchost.exe -> MpCmdRun.exe -> conhost.exe; 9 other processes started from the root.
Dropped files: C:\log\Rar.exe (PE32) and C:\log\pause.bat (DOS) by the sample; C:\log\RiMS.exe (PE32) by Rar.exe; C:\rutserv.exe, C:\rfusclient.exe, C:\vp8encoder.dll and C:\vp8decoder.dll (all PE32) by RiMS.exe.
Network: 192.168.2.1 (unknown unknown) contacted by svchost.exe.
Node signatures: sample: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Tries to evade analysis by execution special instruction which cause usermode exception. svchost.exe: Changes security center settings (notifications, updates, antivirus, firewall). cmd.exe: Uses regedit.exe to modify the Windows registry. RiMS.exe: Multi AV Scanner detection for dropped file. rutserv.exe: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights).
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2018-01-15 23:48:56 UTC
AV detection: 18 of 25 (72.00%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:rms aspackv2 rat trojan upx vmprotect
Behaviour
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Runs .reg file with regedit
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Loads dropped DLL
ASPack v2.12-2.42
Executes dropped EXE
UPX packed file
VMProtect packed file
ACProtect 1.3x - 1.4x DLL software
RMS
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: APT_DustSquad_PE_Nov19_1
Author: Arkbird_SOLG
Description: Detection Rule for APT DustSquad campaign Nov19
Reference: https://twitter.com/Rmy_Reserve/status/1197448735422238721

Rule name: APT_DustSquad_PE_Nov19_2
Author: Arkbird_SOLG
Description: Detection Rule for APT DustSquad campaign Nov19
Reference: https://twitter.com/Rmy_Reserve/status/1197448735422238721

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: INDICATOR_EXE_Packed_ASPack
Author: ditekSHen
Description: Detects executables packed with ASPack

Rule name: INDICATOR_EXE_Packed_VMProtect
Author: ditekSHen
Description: Detects executables packed with VMProtect.

Rule name: INDICATOR_SUSPICIOUS_EXE_PE_ResourceTuner
Author: ditekSHen
Description: Detects executables with modified PE resources using the unpaid version of Resource Tuner

Rule name: MALWARE_Win_RemoteUtilitiesRAT
Author: ditekSHen
Description: RemoteUtilitiesRAT RAT payload

Rule name: SR_APT_DustSquad_PE_Nov19
Author: Arkbird_SOLG
Description: Super Rule for APT DustSquad campaign Nov19
Reference: https://twitter.com/Rmy_Reserve/status/1197448735422238721

Rule name: win_rms_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments