MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39fdee94a127b3ff44d985da275c9c843451d86e8b8c4eca28cef62e79cc4c1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemoteManipulator

Vendor detections: 11

Intelligence 11 IOCs 1 YARA File information Comments

SHA256 hash:	39fdee94a127b3ff44d985da275c9c843451d86e8b8c4eca28cef62e79cc4c1f
SHA3-384 hash:	7059597915d019a770f0895190485626d18152014a6f0eec306d3a7df0950095434f6b54016b7eed7382d066cef76017
SHA1 hash:	61c31464fb8d31f86619fb679361c80851e42eba
MD5 hash:	c13d994d4e79bc6b4c2c6007773ac1e7
humanhash:	lactose-october-friend-table
File name:	39FDEE94A127B3FF44D985DA275C9C843451D86E8B8C4.exe
Download:	download sample
Signature	RemoteManipulator Create hunting rule
File size:	11'477'504 bytes
First seen:	2022-03-09 10:56:36 UTC
Last seen:	2022-03-09 13:07:29 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	19b321cb7a9ce31c90397152f38b67ea (29 x RemoteManipulator)
ssdeep	196608:Up9K/ub4vZCrThyfK/n2wWLUxIB86XlXaGrpZpGpFI66Y78n/mVQ/FUFrGc35el:UG/usZA5nNWLoIB8+pasGpUeVQ/CVL
TLSH	T10FC62302FBE58824D8FB87BE4EBE4B14176EBC98561797CD0390B02D5C76341A8A57CB
File icon (PE):
dhash icon	c4dacabacac0c244 (47 x RemoteManipulator)
Reporter	abuse_ch
Tags:	exe RemoteManipulator

abuse_ch

RemoteManipulator C2:
194.190.103.33:5655

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
194.190.103.33:5655	https://threatfox.abuse.ch/ioc/393153/

Intelligence

File Origin

# of uploads :

# of downloads :

239

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RemoteUtilitiesRAT

Link:

https://www.capesandbox.com/analysis/248589/

Detection(s):

PUA.Win.Packer.Upolyx-12

PUA.Win.Packer.Upx-4

PUA.Win.Packer.Exe-6

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Launching a service

Sending a custom TCP request

Creating a file in the Windows subdirectories

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe greyware packed remote.exe replace.exe

Link:

https://www.filescan.io/uploads/622887ffb94fb38cb446b353/reports/a65f49aa-667c-4beb-b5ff-d92abc93bb87/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d4f5aabd-828a-4a05-be8f-b633aba028bc

Result

Threat name:

RMSRemoteAdmin

Detection:

malicious

Classification:

evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/953217

Signature

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/39fdee94a127b3ff44d985da275c9c843451d86e8b8c4eca28cef62e79cc4c1f/

Threat name:

Win32.Trojan.RemoteUtilities

Status:

Malicious

First seen:

2021-10-12 05:11:23 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

11 of 42 (26.19%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hh665ffbe6z76rgzqxncoxe4qq2fdwdoroge5sriz33c46omjqpq._file

Verdict:

malicious

Result

Malware family:

rms

Score:

10/10

Tags:

family:rms rat trojan upx

Link:

https://tria.ge/reports/220309-m188hsbbcj/

Behaviour

Modifies data under HKEY_USERS

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in System32 directory

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

RMS

Unpacked files

SH256 hash:

bd99ac97f811a586eedadc482a747021e4f68ab37ce52464f4c59dbad6002a36

MD5 hash:

eb53819353311d6a7c1b2fd4f7016ec8

SHA1 hash:

bd5c17ff7e63cb0fad4bc4b341a82b233c6f930c

Link:

https://www.unpac.me/results/e4887ebf-813c-4623-8f14-efd5a51f7b8d/

SH256 hash:

3e0436bd43e179fc9de5e615fdbf7cc89226d043bb1a3f83a1fbe1bad31c5bdc

MD5 hash:

d444024b642cec1367732b4297ad3189

SHA1 hash:

3abaf16561552f0f0a63beab34eb0a700edad986

Link:

https://www.unpac.me/results/e4887ebf-813c-4623-8f14-efd5a51f7b8d/

SH256 hash:

0fb36a2a660dd899daf6eeb5d46f28d998d0b9afb53ded89f47bc03936e06aff

MD5 hash:

528ec935c96a89aec500bc27c13536c2

SHA1 hash:

9285ce32249377d5f9d8640de364771dd935e344

Link:

https://www.unpac.me/results/e4887ebf-813c-4623-8f14-efd5a51f7b8d/

Parent samples :

6fb6cffbc9d37606dee6240083b2f3db1747a819ee84d2db3d1e2bc5937e93cc
3237ff81fe1982520a0bb7675a156a419d3271971a024ae43b3e5aabaf10f6ef

SH256 hash:

8c788a09ccce42ef39f707477ec6f38a3f7a3b18c5751b4580ab787766e8baac

MD5 hash:

fe7135eb0e80228905b3c1116923eef7

SHA1 hash:

5aaa7e7f78e91ede83dd075b58b1a01aa98fb21b

Link:

https://www.unpac.me/results/e4887ebf-813c-4623-8f14-efd5a51f7b8d/

SH256 hash:

eea93db30d5eef657bfc54d06a591e6fb919dff67509ce312c69260480c9e567

MD5 hash:

062279d55041106c20b451cccbee6044

SHA1 hash:

bce7fa34ebad6e904634aa1bf984af3e43c083bc

Link:

https://www.unpac.me/results/e4887ebf-813c-4623-8f14-efd5a51f7b8d/

SH256 hash:

aaca742d26de950ddf1b55463bd00c6cc2db65169dd9a87d8f53eca3db2338bc

MD5 hash:

e59ff21fd0ce6887e110b700c7a82d53

SHA1 hash:

2312c07d960b6b347ff9522cbf9240c215fcac26

Detections:

win_rms_a0

win_rms_auto

Link:

https://www.unpac.me/results/e4887ebf-813c-4623-8f14-efd5a51f7b8d/

SH256 hash:

d7e9b8b97cc94cca2d3ae1d0cb7c21f9861130235ce69f482e53700cfc255193

MD5 hash:

52dc7079a0868ffda797a8cbef1acac8

SHA1 hash:

a0456af5d4ec76453e2a1bcb3ffb9d0328cec8bd

Detections:

win_rms_a0

Link:

https://www.unpac.me/results/e4887ebf-813c-4623-8f14-efd5a51f7b8d/

SH256 hash:

39fdee94a127b3ff44d985da275c9c843451d86e8b8c4eca28cef62e79cc4c1f

MD5 hash:

c13d994d4e79bc6b4c2c6007773ac1e7

SHA1 hash:

61c31464fb8d31f86619fb679361c80851e42eba

Link:

https://www.unpac.me/results/e4887ebf-813c-4623-8f14-efd5a51f7b8d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/39fdee94a127b3ff44d985da275c9c843451d86e8b8c4eca28cef62e79cc4c1f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/248589/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample