MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1900ff6e192b9c247c0ce261b0d99d72bcfd9af9c8a94f2b0e88871a76eb662e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemoteManipulator


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1900ff6e192b9c247c0ce261b0d99d72bcfd9af9c8a94f2b0e88871a76eb662e
SHA3-384 hash: 72f172d2fd1be5dda232cba58b9c86e34b02d8c37d31735b5f89234c1cfe25a7dd49f33749b806d25de31c50e36406ac
SHA1 hash: 1f56085421306ccfdcf26604f43662e1aec9cddc
MD5 hash: c9bfc737cb069c9222294a25160ba101
humanhash: alanine-lake-coffee-solar
File name:1900FF6E192B9C247C0CE261B0D99D72BCFD9AF9C8A94.exe
Download: download sample
Signature RemoteManipulator
Create hunting rule
File size:4'452'467 bytes
First seen:2021-11-07 16:41:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cfda23baf1e2e983ddfeca47a5c755a (33 x RedLineStealer, 6 x Dridex, 5 x NetSupport)
ssdeep 98304:vFY05+wES4mw3G6k34csV9XbB/RM2J809c4CkL8d847D79hmqElOA:F+wVpw3G6kodV7/G2qYFCkLCD6qSOA
Threatray 201 similar samples on MalwareBazaar
TLSH T1392633B2B451D4B4C9464435B9B84BB1E9FBB43019260BC7FFDAEB0C6F605D2A71A702
File icon (PE):PE icon
dhash icon cdabae6fe6e7eaec (20 x Amadey, 9 x AurotunStealer, 8 x CoinMiner)
Reporter abuse_ch
Tags:exe RemoteManipulator


Avatar
abuse_ch
RemoteManipulator C2:
95.213.205.82:5655

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
95.213.205.82:5655 https://threatfox.abuse.ch/ioc/244879/

Intelligence

File Origin
# of uploads :
1
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/203065/
Detection(s):
Win.Packed.njRAT-7136186-0
Create hunting rule

Win.Malware.Coinminer-6821120-0
Create hunting rule

SecuriteInfo.com.Trojan.MulDrop7.53194.14125.546.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/618801e143a4f748091263bd/reports/8b6bd3f7-2b38-47f0-a566-47952eaa38a1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/15b6b904-9962-45e0-9a5e-f7478ff8f3f0
Result
Threat name:
RMSRemoteAdmin
Create hunting rule
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/884830
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sigma detected: Suspicious Compression Tool Parameters
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses regedit.exe to modify the Windows registry
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 517288 Sample: 1900FF6E192B9C247C0CE261B0D... Startdate: 07/11/2021 Architecture: WINDOWS Score: 100 71 Antivirus detection for dropped file 2->71 73 Antivirus / Scanner detection for submitted sample 2->73 75 Multi AV Scanner detection for dropped file 2->75 77 5 other signatures 2->77 11 1900FF6E192B9C247C0CE261B0D99D72BCFD9AF9C8A94.exe 3 7 2->11         started        14 svchost.exe 2->14         started        17 svchost.exe 2->17         started        20 7 other processes 2->20 process3 dnsIp4 53 C:\log\Rar.exe, PE32 11->53 dropped 55 C:\log\pause.bat, DOS 11->55 dropped 22 wscript.exe 1 11->22         started        81 Changes security center settings (notifications, updates, antivirus, firewall) 14->81 24 MpCmdRun.exe 14->24         started        67 192.168.2.1 unknown unknown 17->67 file5 signatures6 process7 process8 26 cmd.exe 1 22->26         started        29 conhost.exe 24->29         started        signatures9 79 Uses regedit.exe to modify the Windows registry 26->79 31 nvidia.exe 12 26->31         started        35 Rar.exe 5 26->35         started        37 taskkill.exe 1 26->37         started        39 6 other processes 26->39 process10 file11 57 C:\Program Files\java\rutserv.exe, PE32 31->57 dropped 59 C:\Program Files\java\rfusclient.exe, PE32 31->59 dropped 61 C:\Program Files\java\vp8encoder.dll, PE32 31->61 dropped 63 C:\Program Files\java\vp8decoder.dll, PE32 31->63 dropped 69 Multi AV Scanner detection for dropped file 31->69 41 wscript.exe 1 31->41         started        65 C:\log\nvidia.exe, PE32 35->65 dropped signatures12 process13 process14 43 cmd.exe 41->43         started        process15 45 conhost.exe 43->45         started        47 taskkill.exe 43->47         started        49 taskkill.exe 43->49         started        51 6 other processes 43->51
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1900ff6e192b9c247c0ce261b0d99d72bcfd9af9c8a94f2b0e88871a76eb662e/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2018-06-28 03:40:28 UTC
AV detection:
18 of 27 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=deap63qzfooci7am4jq3bwm5ok6p3gxzzcuu6kyorcdru5xlmyxa._file
Verdict:
malicious
Similar samples:
0d6e0121516a9a8287a887d4d0b6b9d0712c600cb097813160a73dcbf776bc03
RemoteManipulator
16628199eb5c93f78f0fcc61725517dc5946d7a8b526199fae2c6a2a564b1cc6
RemoteManipulator
27dbff4b16fa15497def710d494b48ad90c3a498c354cee50fc0e35081dcfbb7
RemoteManipulator
73acff9ea3647f699cd645b09e652ca498eea7c5cee9f3cb573afda67a0ceeb2
RemoteManipulator
b396f55b0cb17ada2fd582e0dfd39feca81ba7466c7d01cbfb19d2229a3b2993
RemoteManipulator
be79e9e636884e314d9f302c161d615348cf81d5e6020c988c37e0a541b85236
RemoteManipulator
f3d5013578835436d8cc1f82b7dcfd44e18737535f54fadcb4ea5ad18d8aee0c
RemoteManipulator
+ 191 additional samples on MalwareBazaar
Result
Malware family:
rms
Create hunting rule
Score:
  10/10
Tags:
family:rms aspackv2 rat trojan upx
Link:
https://tria.ge/reports/211107-t7nnqaaeh8/
Behaviour
Delays execution with timeout.exe
Kills process with taskkill
Modifies registry class
Runs .reg file with regedit
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Loads dropped DLL
ASPack v2.12-2.42
Executes dropped EXE
UPX packed file
ACProtect 1.3x - 1.4x DLL software
RMS
Unpacked files
SH256 hash:
4a7ff6b57d77fdc6ee60765c950427e2c2fcf121734a47941ecffde3a53f3c67
MD5 hash:
a43cd869a742f670df9ce345eb6de0cf
SHA1 hash:
3f292a28f9c996eb201560d6adcab4c84c3c5dd0
Link:
https://www.unpac.me/results/71fdbc4b-bb40-4a9f-bd9a-0c8aed281154/
SH256 hash:
f739c2324026878adbbe89d3e975383c87f5451223590f85ff17c8bf1989841a
MD5 hash:
715a6a93470136846dca5d9915bb0ae9
SHA1 hash:
38b2c4fa5093dba37ce65a03d35a4a9540e0b9ff
Link:
https://www.unpac.me/results/71fdbc4b-bb40-4a9f-bd9a-0c8aed281154/
SH256 hash:
4dc37311030b8c72b4a981543c2c13d862bc286f3b54761bc67209af9769c7f1
MD5 hash:
302aa99040f8a565504818d439609c78
SHA1 hash:
c250563bb2f6aa364525015e87ce35ffa936d166
Link:
https://www.unpac.me/results/71fdbc4b-bb40-4a9f-bd9a-0c8aed281154/
SH256 hash:
ce2896d96147764e1beac08ab1a838d839d89fdd3ac6dda44a8d828248518e74
MD5 hash:
fb57d955a1ba2372d2d8b3a8c222e591
SHA1 hash:
cb131a7560a070312cd7a25a5a4060cd46785469
Detections:
win_rms_a0
Create hunting rule
win_rms_auto
Create hunting rule
Link:
https://www.unpac.me/results/71fdbc4b-bb40-4a9f-bd9a-0c8aed281154/
SH256 hash:
1900ff6e192b9c247c0ce261b0d99d72bcfd9af9c8a94f2b0e88871a76eb662e
MD5 hash:
c9bfc737cb069c9222294a25160ba101
SHA1 hash:
1f56085421306ccfdcf26604f43662e1aec9cddc
Link:
https://www.unpac.me/results/71fdbc4b-bb40-4a9f-bd9a-0c8aed281154/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1900ff6e192b9c247c0ce261b0d99d72bcfd9af9c8a94f2b0e88871a76eb662e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/203065/

Comments