MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2347cc0db179374f808400368b0a66f1c15e02ad28d2b93ccc26d5aafb9777ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemoteManipulator


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2347cc0db179374f808400368b0a66f1c15e02ad28d2b93ccc26d5aafb9777ca
SHA3-384 hash: 65bcd64c79f5d4e9e9bb482d99a7e85e62c4b56fb55b3c6881974a5ae38b73aae1c7700b6529e12de1fa5501725c8e0b
SHA1 hash: f34cd8f6651e0dd86520ed201ead868845ccacac
MD5 hash: 9e16fcfac9664e37c9aa921d3ab8c891
humanhash: beryllium-ceiling-freddie-fillet
File name:9e16fcfac9664e37c9aa921d3ab8c891.exe
Download: download sample
Signature RemoteManipulator
Create hunting rule
File size:2'561'174 bytes
First seen:2021-02-26 14:41:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e2a1496c94d52a035fe47259ee6587b7 (5 x RemoteManipulator, 2 x CoinMiner, 1 x WSHRAT)
ssdeep 49152:YUclPhp9vH1VXNVZutJ6Rsflhn+MQ9UQ3Gi7wtIEzzsbiaaXjTfc:W1Z/Zu6rMiUQT7o/zWil0
Threatray 12 similar samples on MalwareBazaar
TLSH 41C502DA637884E6D466433895134E07E661BC0D167CF34F2F53EA5B2E33274B8297A2
Reporter abuse_ch
Tags:exe RemoteManipulator

Intelligence

File Origin
# of uploads :
1
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9e16fcfac9664e37c9aa921d3ab8c891.exe
Verdict:
No threats detected
Analysis date:
2021-02-26 14:47:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/581ddd3b-8795-4f63-a5e5-75422438e18c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/119430/
Detection(s):
SecuriteInfo.com.PowerShell.Siggen.1892.18387.2827.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Running batch commands
Launching cmd.exe command interpreter
Launching a process
Creating a file
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Creating a process with a hidden window
Sending a UDP request
Deleting a recently created file
Forced system process termination
Creating a file in the Windows subdirectories
Launching the process to interact with network services
Launching a service
Loading a system driver
Enabling autorun for a service
Downloading the file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/619790
Signature
Adds a new user with administrator rights
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Creates a Windows Service pointing to an executable in C:\Windows
Creates files in alternative data streams (ADS)
Powershell drops PE file
Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Sigma detected: Dot net compiler compiles file from suspicious location
Uses cmd line tools excessively to alter registry or file data
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 358890 Sample: FTfOF1ChXK.exe Startdate: 26/02/2021 Architecture: WINDOWS Score: 92 67 Antivirus detection for dropped file 2->67 69 Sigma detected: Dot net compiler compiles file from suspicious location 2->69 71 Bypasses PowerShell execution policy 2->71 73 Adds a new user with administrator rights 2->73 10 FTfOF1ChXK.exe 11 2->10         started        process3 file4 59 C:\Users\user\AppData\...\Readme.txt:meta, Microsoft 10->59 dropped 61 C:\Users\user\AppData\Local\...\Readme.txt, ASCII 10->61 dropped 83 Creates files in alternative data streams (ADS) 10->83 14 cmd.exe 1 10->14         started        signatures5 process6 process7 16 wscript.exe 1 14->16         started        19 cmd.exe 1 14->19         started        21 conhost.exe 1 14->21         started        23 more.com 1 14->23         started        signatures8 63 Wscript starts Powershell (via cmd or directly) 16->63 65 Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes) 16->65 25 powershell.exe 53 16->25         started        29 extrac32.exe 10 19->29         started        process9 file10 51 C:\Windows\Branding\mediasvc.png, PE32+ 25->51 dropped 53 C:\Windows\Branding\mediasrv.png, PE32+ 25->53 dropped 55 C:\Users\user\AppData\...\f2itk5zp.cmdline, UTF-8 25->55 dropped 75 Uses cmd line tools excessively to alter registry or file data 25->75 77 Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes) 25->77 79 Adds a new user with administrator rights 25->79 81 Powershell drops PE file 25->81 31 reg.exe 25->31         started        34 csc.exe 25->34         started        37 powershell.exe 25->37         started        39 6 other processes 25->39 57 C:\Users\user\AppData\Local\Temp\ready.ps1, ASCII 29->57 dropped signatures11 process12 file13 85 Creates a Windows Service pointing to an executable in C:\Windows 31->85 49 C:\Users\user\AppData\Local\...\f2itk5zp.dll, PE32 34->49 dropped 41 cvtres.exe 34->41         started        43 conhost.exe 37->43         started        45 conhost.exe 39->45         started        47 conhost.exe 39->47         started        signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2347cc0db179374f808400368b0a66f1c15e02ad28d2b93ccc26d5aafb9777ca/
Threat name:
Win64.Trojan.Genta
Create hunting rule
Status:
Malicious
First seen:
2021-02-26 14:42:07 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=end4ydnrpe3u7aeeaa3iwctg6hav4avnfdjlspgme3k2v64xo7fa._file
Verdict:
malicious
Similar samples:
10892007582c3c09a01a4de7ac9e2ca434704396e5cc899f26c9f83a626da2b5
RemoteManipulator
1ac9d42a596c55757b4f37e6291887149a6070bfedb4e27a86cf3cff4d76f2a2
RemoteManipulator
261603776412fc9028feb04ba71a42c5d6bd99c0e4fbb4610d19e6d649dba700
RemoteManipulator
2c8ea0f991d74146f056e4ed453e92ad1798daf2878f5520f54cf3d70d607613
RemoteManipulator
32031ca4487b08af41a597da7d22c05a3d4f676c33119c057f3f4a1431217887
RemoteManipulator
44c7ef261a066790a4ce332afc634fb5f89f3273c0c908ec02ab666088b27757
RemoteManipulator
8345bf3e9dae0a447bc1c65c99fa0e102e7f0f3fd77f137cc5c876ceb2a647b7
RemoteManipulator
c2d9409c2209201334bd83a2e1257be8adc7506019a721abe359249dbd74eced
RemoteManipulator
d06d7b5c4613a3d9fa020854878558325da6fd932f74b8268360d4838286d43c
RemoteManipulator
d926fe443c0ceb65e70cd64ac3d18a77d75d039486f1698dbd103c3cda2dff52
RemoteManipulator
+ 2 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210226-2ry78fgbqe/
Behaviour
NTFS ADS
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Unpacked files
SH256 hash:
2347cc0db179374f808400368b0a66f1c15e02ad28d2b93ccc26d5aafb9777ca
MD5 hash:
9e16fcfac9664e37c9aa921d3ab8c891
SHA1 hash:
f34cd8f6651e0dd86520ed201ead868845ccacac
Link:
https://www.unpac.me/results/1d017cab-bd65-4d9b-9f95-94163d305771/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemoteManipulator

Executable exe 2347cc0db179374f808400368b0a66f1c15e02ad28d2b93ccc26d5aafb9777ca

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/119430/
  
URLhaus
https://urlhaus.abuse.ch/url/1000963/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/975095/

Comments