MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4709b7715f29a8e67f4de4114391fd440a7038bc2aeac2f15741d7eecf1a749c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemoteManipulator


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4709b7715f29a8e67f4de4114391fd440a7038bc2aeac2f15741d7eecf1a749c
SHA3-384 hash: acf099b256826a1fff9876b258a6cc4cc33cc07bb46ffc6339f4b50b25342cf733a3c6b53d5804ae21166c44d8e23bbd
SHA1 hash: 6dfba72690d9da80ea1d583ab6d8deeed2aef1ce
MD5 hash: 3c812375bd2333ff940800eb818c00b4
humanhash: pizza-paris-august-batman
File name:4709B7715F29A8E67F4DE4114391FD440A7038BC2AEAC.exe
Download: download sample
Signature RemoteManipulator
Create hunting rule
File size:11'147'691 bytes
First seen:2021-11-22 21:17:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b8494300a1f7342d4c600a7b12e15925 (3 x RedLineStealer, 3 x RemoteManipulator, 1 x njrat)
ssdeep 196608:hKg2rhafR+xbIJnxzagrjtN4HkQmK79SJ4V3x83Ha6wzg63+0nQmWBENoxXo0Q:b0MfR+pIJxNf4HrkL6D3RQmWBENAXon
Threatray 459 similar samples on MalwareBazaar
TLSH T181B63379D5909A3BE2512C7F5B83D2B2E136F604195420EE63DE9938790731E0BB23BD
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter abuse_ch
Tags:exe RemoteManipulator


Avatar
abuse_ch
RemoteManipulator C2:
95.213.205.83:5655

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
95.213.205.83:5655 https://threatfox.abuse.ch/ioc/253280/

Intelligence

File Origin
# of uploads :
1
# of downloads :
176
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4709B7715F29A8E67F4DE4114391FD440A7038BC2AEAC.exe
Verdict:
No threats detected
Analysis date:
2021-11-22 21:33:07 UTC
Tags:
installer
Link:
https://app.any.run/tasks/cf0e9dd3-412e-4d31-bfc6-768aba3a5c5a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
SecuriteInfo.com.Filecoder.I.dropper.22548.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a file in the Windows subdirectories
Modifying a system file
Running batch commands
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Searching for the window
Searching for synchronization primitives
Launching the process to change the firewall settings
Sending an HTTP GET request
Creating a file
Launching a service
Creating a process from a recently created file
DNS request
Launching a tool to kill processes
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint greyware overlay packed stealer
Link:
https://www.filescan.io/uploads/619c08d494a88037d2ff1e35/reports/da5788d5-cf80-40a0-9731-bf7d69ca9fe2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Devil Shadow
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b0571585-d2d4-486f-86ed-f771671b602e
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/894198
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Uses ping.exe to check the status of other devices and networks
Very long command line found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 526673 Sample: 4709B7715F29A8E67F4DE411439... Startdate: 22/11/2021 Architecture: WINDOWS Score: 88 92 Multi AV Scanner detection for dropped file 2->92 94 Multi AV Scanner detection for submitted file 2->94 96 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->96 9 4709B7715F29A8E67F4DE4114391FD440A7038BC2AEAC.exe 16 13 2->9         started        13 svchost.exe 2->13         started        15 svchost.exe 9 1 2->15         started        18 8 other processes 2->18 process3 dnsIp4 74 C:\Windows\SysWOW64\drivers\svch st.exe, PE32 9->74 dropped 76 C:\Windows\SysWOW64\drivers\install.exe, PE32 9->76 dropped 78 C:\Windows\SysWOW64\drivers\ssleay32.dll, PE32 9->78 dropped 80 C:\Windows\SysWOW64\drivers\libeay32.dll, PE32 9->80 dropped 106 Modifies the windows firewall 9->106 20 cmd.exe 2 9->20         started        23 cmd.exe 1 9->23         started        25 cmd.exe 3 2 9->25         started        108 Changes security center settings (notifications, updates, antivirus, firewall) 13->108 84 127.0.0.1 unknown unknown 15->84 86 192.168.2.1 unknown unknown 15->86 27 msiexec.exe 18->27         started        file5 signatures6 process7 signatures8 98 Very long command line found 20->98 100 Uses cmd line tools excessively to alter registry or file data 20->100 102 Drops executables to the windows directory (C:\Windows) and starts them 20->102 104 2 other signatures 20->104 29 install.exe 14 3 20->29         started        32 taskkill.exe 1 20->32         started        34 taskkill.exe 1 20->34         started        47 9 other processes 20->47 36 conhost.exe 23->36         started        38 reg.exe 1 23->38         started        40 reg.exe 1 23->40         started        42 msiexec.exe 6 25->42         started        45 conhost.exe 25->45         started        process9 file10 110 Multi AV Scanner detection for dropped file 29->110 112 Very long command line found 29->112 49 cmd.exe 1 29->49         started        52 cmd.exe 1 29->52         started        54 cmd.exe 1 29->54         started        56 cmd.exe 1 29->56         started        82 C:\Users\user\AppData\Local\...\MSIF459.tmp, PE32+ 42->82 dropped signatures11 process12 signatures13 88 Very long command line found 49->88 90 Uses cmd line tools excessively to alter registry or file data 49->90 58 conhost.exe 49->58         started        60 reg.exe 1 1 49->60         started        62 conhost.exe 52->62         started        64 reg.exe 1 1 52->64         started        66 conhost.exe 54->66         started        68 reg.exe 1 1 54->68         started        70 conhost.exe 56->70         started        72 reg.exe 1 56->72         started        process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4709b7715f29a8e67f4de4114391fd440a7038bc2aeac2f15741d7eecf1a749c/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-09-10 03:47:38 UTC
File Type:
PE (Exe)
AV detection:
18 of 45 (40.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=i4e3o4k7fguom72n4qiuhep5iqfhaof4flvmf4kxihl65ty2osoa._file
Verdict:
malicious
Similar samples:
075ec6ffbc5779e54c73a41b478b0bd6534f6cd5db435b8226d76c50012b267f
RemoteManipulator
118dd258630c48b0beacd8b4c04c9c9cd3b9f698b660b6a904b1dfc033e00cd1
RemoteManipulator
38602e2e2f729e174440339fd1551e133ae03d93e16bbcef8f0b9c8aa1da9b1c
RemoteManipulator
6dda990d8073fee71cedeabd622f6d7a9be6fb2e696bda71e7b709f1c08f5e36
RemoteManipulator
b09c83cc92243c149da72ad6039891cc328f2eae0afdd327fe363b9b0d4297bf
RemoteManipulator
b5961f407c0afef04c9406ba17cbae3fe4cc575b47e50081abbda0d96f9c0f18
RemoteManipulator
d101d0dd2bce548291c5d839fd4b047a2e1739ebef3725d2e2923fd44564a41b
RemoteManipulator
ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb
RemoteManipulator
+ 449 additional samples on MalwareBazaar
Result
Malware family:
rms
Create hunting rule
Score:
  10/10
Tags:
family:rms discovery evasion rat trojan
Link:
https://tria.ge/reports/211122-z5lz1aghbk/
Behaviour
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Drops file in System32 directory
Checks installed software on the system
Enumerates connected drives
Checks computer location settings
Loads dropped DLL
Blocklisted process makes network request
Drops file in Drivers directory
Executes dropped EXE
Modifies Windows Firewall
RMS
Unpacked files
SH256 hash:
8ff41dc9fa24aa17700262357b8ff4ac230aa17b326fccee04c48ecfa6f0dce4
MD5 hash:
c6ee82a58dfed9a0be5166573c50900a
SHA1 hash:
c5b340f5658fe785156fea472d97e05f4a7a7407
Link:
https://www.unpac.me/results/9b535968-8347-40a9-9941-efc47c62eca9/
SH256 hash:
b6d549c3b7fb3c126ce0dc60a340f60600ae04d923000be34109c33bbac93bdf
MD5 hash:
73854f545ea0767075abec7b24689a49
SHA1 hash:
d10cb2e7a3c539d6d85de60ef8704518219b3467
Link:
https://www.unpac.me/results/9b535968-8347-40a9-9941-efc47c62eca9/
SH256 hash:
d18b2929d26f369635a4da8056e74f3cb1cc1b1d8f92c27efe31bbb57af5ad35
MD5 hash:
08921639152633b874b2e99011ca480a
SHA1 hash:
b2b3706dc3ed2bf85346247c614cead8a93f6069
Detections:
win_rms_auto
Create hunting rule
Link:
https://www.unpac.me/results/9b535968-8347-40a9-9941-efc47c62eca9/
SH256 hash:
4709b7715f29a8e67f4de4114391fd440a7038bc2aeac2f15741d7eecf1a749c
MD5 hash:
3c812375bd2333ff940800eb818c00b4
SHA1 hash:
6dfba72690d9da80ea1d583ab6d8deeed2aef1ce
Link:
https://www.unpac.me/results/9b535968-8347-40a9-9941-efc47c62eca9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4709b7715f29a8e67f4de4114391fd440a7038bc2aeac2f15741d7eecf1a749c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/208442/

Comments