MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3826953ded758361f9783d67242e4ba87092d637d72bcf81c649e52665c57de4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemoteManipulator


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3826953ded758361f9783d67242e4ba87092d637d72bcf81c649e52665c57de4
SHA3-384 hash: b5d29a4bfd026e9bfd04ebb0b80b4fc663d9a5cfe82cad7886bb37262c514b637d3cd18a61e8eb1654cde2922fe67c28
SHA1 hash: ef9627c0cadff85a3dfaab6aef0b7c885f03b186
MD5 hash: aff57ee1a4f3731c2036046910f78fb4
humanhash: social-delta-pluto-lake
File name:aff57ee1a4f3731c2036046910f78fb4.exe
Download: download sample
Signature RemoteManipulator
Create hunting rule
File size:407'040 bytes
First seen:2021-12-28 00:56:20 UTC
Last seen:2021-12-28 04:39:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:TqJ+cjfxGqz7J1vZ9rDnmQ67mlj6PUGyuM:TqUcj5fjaF74QWuM
TLSH T100845C2B32964F68CB2A1373658E64504BA17F9F6043C6CE76C93EB6DDA1322C517F12
File icon (PE):PE icon
dhash icon c0d8d8d8d8c8f4fc (1 x RemoteManipulator, 1 x CoinMiner.XMRig, 1 x CoinMiner)
Reporter abuse_ch
Tags:exe RemoteManipulator


Avatar
abuse_ch
RemoteManipulator C2:
77.247.243.43:5655

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
77.247.243.43:5655 https://threatfox.abuse.ch/ioc/288174/

Intelligence

File Origin
# of uploads :
2
# of downloads :
246
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
aff57ee1a4f3731c2036046910f78fb4.exe
Verdict:
No threats detected
Analysis date:
2021-12-28 01:00:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f358ce7d-0adb-4f2e-8111-1590d2015dba

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/216615/
Detection(s):
SecuriteInfo.com.FileRepMalware.18689.5367.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Creating a file
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Launching the process to change network settings
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/61ca60e2ec6c6c14a9f7df7e/reports/2ae062b3-1080-44da-bb83-6fa70d228a25/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2f757fb9-6458-416e-b5aa-0f5c964f29ae
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/913316
Signature
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Creates an undocumented autostart registry key
Hides user accounts
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens network shares
Uses netsh to modify the Windows network and firewall settings
Uses netstat to query active network connections and open ports
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 545793 Sample: N7M5uJV88n.exe Startdate: 28/12/2021 Architecture: WINDOWS Score: 100 43 msupdate.info 2->43 53 Multi AV Scanner detection for domain / URL 2->53 55 Antivirus detection for dropped file 2->55 57 Multi AV Scanner detection for dropped file 2->57 59 3 other signatures 2->59 8 N7M5uJV88n.exe 23 18 2->8         started        13 svchost.exe 2->13         started        15 svchost.exe 4 2->15         started        17 10 other processes 2->17 signatures3 process4 dnsIp5 47 msupdate.info 5.133.65.53, 443, 49749, 49787 BALTNETACustomersASLT Lithuania 8->47 49 77.247.243.43, 49802, 49810, 5655 MSTN-ASRU Russian Federation 8->49 51 2 other IPs or domains 8->51 39 C:\Users\user\Desktop\temp\$77_loader.exe, PE32+ 8->39 dropped 41 C:\Users\user\Desktop\RMS.exe, PE32 8->41 dropped 61 Creates an undocumented autostart registry key 8->61 63 Hides user accounts 8->63 65 Uses netstat to query active network connections and open ports 8->65 69 2 other signatures 8->69 19 csc.exe 4 8->19         started        22 NETSTAT.EXE 1 1 8->22         started        25 netsh.exe 3 8->25         started        29 9 other processes 8->29 67 Changes security center settings (notifications, updates, antivirus, firewall) 13->67 27 MpCmdRun.exe 13->27         started        file6 signatures7 process8 dnsIp9 37 C:\Users\user\AppData\Local\...\nwjir9wi.dll, PE32 19->37 dropped 31 conhost.exe 19->31         started        33 cvtres.exe 1 19->33         started        45 192.168.2.1 unknown unknown 22->45 35 conhost.exe 27->35         started        file10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3826953ded758361f9783d67242e4ba87092d637d72bcf81c649e52665c57de4/
Threat name:
ByteCode-MSIL.Trojan.APost
Create hunting rule
Status:
Malicious
First seen:
2021-12-27 20:47:37 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
40
AV detection:
12 of 28 (42.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hatjkppnowbwd6lyhvtsilslvbyjfvrx24v47aogjhssmzofpxsa._file
Verdict:
malicious
Result
Malware family:
rms
Create hunting rule
Score:
  10/10
Tags:
family:rms discovery evasion persistence rat trojan
Link:
https://tria.ge/reports/211228-bay43sdcf7/
Behaviour
Gathers network information
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Checks installed software on the system
Enumerates connected drives
Modifies WinLogon
Modifies powershell logging option
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Sets file execution options in registry
RMS
Unpacked files
SH256 hash:
3826953ded758361f9783d67242e4ba87092d637d72bcf81c649e52665c57de4
MD5 hash:
aff57ee1a4f3731c2036046910f78fb4
SHA1 hash:
ef9627c0cadff85a3dfaab6aef0b7c885f03b186
Link:
https://www.unpac.me/results/4a94da27-c5df-4665-97a0-1aa18f2c343d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/3826953ded758361f9783d67242e4ba87092d637d72bcf81c649e52665c57de4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemoteManipulator

Executable exe 3826953ded758361f9783d67242e4ba87092d637d72bcf81c649e52665c57de4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1925806/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/216615/

Comments