MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1fb6087e4c6654baf677b60bf6f12b8a19e232e5e74713e6beb37678c674bf1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemoteManipulator


Vendor detections: 13



SHA256 hash: 1fb6087e4c6654baf677b60bf6f12b8a19e232e5e74713e6beb37678c674bf1c
SHA3-384 hash: b001fef7bb349da437e79366f99bf0fe028ba1ae43e1d458cea8ebcd0bde3398bb26360278ca7da854fe299065a88cf7
SHA1 hash: 331d9ae7b80822be15a4256363b2e6b53bed518a
MD5 hash: 4c5649e9b9a2d9997ac2600a804e0aeb
humanhash: bulldog-nevada-lima-batman
File name: 4c5649e9b9a2d9997ac2600a804e0aeb.exe
Signature RemoteManipulator
File size: 5'690'838 bytes
First seen: 2021-10-12 07:12:36 UTC
Last seen: 2022-10-08 11:56:27 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 6e7f9a29f2c85394521a08b9f31f6275 (278 x GuLoader, 44 x RemcosRAT, 40 x VIPKeylogger)
ssdeep 98304:MRD7FbH8l1LFjqhSctecEK+uk251fNp/lDWPaN+RCDIx0hzUuC/EnVa:MZlyDjWSc7K2fNbDWSARCDsviE
Threatray 28 similar samples on MalwareBazaar
TLSH T16D4633D1F0A2D0DFE96A8DFADD723621A7B17E64F09D114E76223B484524233261FE1E
dhash icon d4c4c4dcccc4ecf4 (1 x njrat, 1 x RemoteManipulator)
Reporter abuse_ch
Tags: exe RAT RemoteManipulator


abuse_ch
RemoteManipulator C2:
185.215.113.105:5655

Intelligence


File Origin
# of uploads :
2
# of downloads :
186
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4c5649e9b9a2d9997ac2600a804e0aeb.exe
Verdict:
Malicious activity
Analysis date:
2021-10-12 07:26:23 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RemoteUtilitiesRAT
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Using the Windows Management Instrumentation requests
Creating a file
Searching for the window
Deleting a recently created file
Creating a process from a recently created file
Creating a window
Creating a process with a hidden window
Running batch commands
Launching a process
Firewall traversal
Connection attempt to an infection source
Sending a TCP request to an infection source
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
overlay packed remoteadmin virus
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RMSRemoteAdmin
Detection:
malicious
Classification:
evad
Score:
72 / 100
Signature
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Execution from Suspicious Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph (ID 500784, sample r8KfvTtgtr.exe, start date 12/10/2021, architecture WINDOWS, score 72). Information recoverable from the graph image:
Top-level signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Sigma detected: Execution from Suspicious Folder.
r8KfvTtgtr.exe drops C:\Users\Public\Dynamic Library\lsalosv.exe (PE32), C:\Users\user\AppData\Local\Temp\Log593.xml (XML), C:\Users\user\AppData\Local\...\registry.dll (PE32) and 6 other files (none is malicious), then starts lsalosv.exe and cmd.exe.
cmd.exe starts conhost.exe and three schtasks.exe instances (Uses schtasks.exe or at.exe to add and modify task schedules).
lsalosv.exe starts a further lsalosv.exe instance; the lsalosv.exe processes query firmware table information (likely to detect VMs) and connect to 185.215.113.105 (ports 49781, 49782, 49830; WHOLESALECONNECTIONSNL, Portugal), 192.168.2.1 and 127.0.0.1.
Threat name:
Win32.Trojan.Generic
Status:
Suspicious
First seen:
2021-10-07 07:16:26 UTC
AV detection:
7 of 28 (25.00%)
Threat level:
5/5
Result
Malware family:
Score:
10/10
Tags:
family:rms rat trojan
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
RMS
Unpacked files
Detections:
win_danabot_a1 win_rms_a0 win_rms_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Adsterra_Adware_DOM
Author: IlluminatiFish
Description: Detects Adsterra adware script being loaded without the user's consent
Rule name: MALWARE_Win_RemoteUtilitiesRAT
Author: ditekSHen
Description: RemoteUtilitiesRAT RAT payload
Rule name: win_rms_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator
Rule name: with_urls
Author: Antonio Sanchez <asanchez@hispasec.com>
Description: Rule to detect the presence of one or several URLs
Reference: http://laboratorio.blogs.hispasec.com/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments