MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5903ca7c770eb447d3d83e9dbc28469b172d74a4e9fb552db6c41db8e96db330. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemoteManipulator
Vendor detections: 12

SHA256 hash: 5903ca7c770eb447d3d83e9dbc28469b172d74a4e9fb552db6c41db8e96db330
SHA3-384 hash: 50f3b8fa13dbeaaf1dc31cb481fbde5d4b0a4c18684454bf8625644e99088a684a76b45f8181707ff78120bdb757b6fd
SHA1 hash: 94412e471583266dd4b89daea0e2ca4238c0ac95
MD5 hash: 82f18d250b9262253e3f358b26d8888b
humanhash: iowa-triple-magnesium-spaghetti
File name: 5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.exe
Signature: RemoteManipulator
File size: 7'084'707 bytes
First seen: 2021-07-06 20:21:30 UTC
Last seen: 2021-07-06 20:53:08 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5a594319a0d69dbc452e748bcf05892e (21 x ParallaxRAT, 20 x Gh0stRAT, 15 x NetSupport)
ssdeep: 196608:JJ6WfqG5ful+sSsVcQcs0bEoYTEUtR1Ra:n62qwomYlcsnXfRG
Threatray: 23 similar samples on MalwareBazaar
TLSH: 4166123FB268753ED4AA0A3245B39310997BBB61A91B8C1E47F0094DDF7A4602F3F615
Reporter: abuse_ch
Tags: exe RemoteManipulator


abuse_ch
RemoteManipulator C2:
77.223.124.210:5655

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 77.223.124.210:5655
ThreatFox reference: https://threatfox.abuse.ch/ioc/158063/

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 217
Origin country: n/a
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.exe
Verdict: Suspicious activity
Analysis date: 2021-07-06 20:22:43 UTC
Tags: installer rat rms
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection: RemoteUtilitiesRAT
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: RMSRemoteAdmin xRAT
Detection: malicious
Classification: troj.evad
Score: 80 / 100
Signature
Detected xRAT
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Very long command line found
Behaviour
Behavior Graph ID: 444982
Sample: 5903CA7C770EB447D3D83E9DBC2...
Start date: 06/07/2021
Architecture: WINDOWS
Score: 80

Signatures on the sample:
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Detected xRAT
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Contacted domains and IPs:
smtp.yandex.ru (77.88.21.158, ports 49728, 49758, 587, YANDEXRU, Russian Federation)
id70.internetid.ru (185.175.44.167, ports 49729, 49750, 49757, SELECTEL-MSKRU, Russian Federation)
China.hldns.ru
3 other IPs or domains

Process tree:
5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.exe (started)
  dropped: 5903CA7C770EB447D3...9B172D74A4E9FB5.tmp (PE32)
  5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.tmp (started)
    dropped: C:\ProgramData\Immunity\is-0BHAE.tmp (PE32)
    dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
    dropped: C:\ProgramData\Immunity\is-RKTJA.tmp (PE32)
    dropped: 2 other files (none is malicious)
    cmd.exe (started)
      signatures: Very long command line found; Uses cmd line tools excessively to alter registry or file data
      rutserv.exe (started)
        signature: Query firmware table information (likely to detect VMs)
        rutserv.exe (started)
          network: smtp.yandex.ru, id70.internetid.ru, 3 other IPs or domains
          signature: Query firmware table information (likely to detect VMs)
      taskkill.exe (started)
      taskkill.exe (started)
      102 other processes
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2021-06-01 02:19:57 UTC
AV detection: 8 of 29 (27.59%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:rms persistence rat trojan
Behaviour
Delays execution with timeout.exe
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
RMS
Suspicious use of NtCreateUserProcessOtherParentProcess
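As an added example, not part of this MalwareBazaar entry or of any vendor's analysis, the following Python turns the chain reported in the behaviour graph and behaviour list above (installer .exe, then the Inno Setup .tmp, then cmd.exe with a very long command line and a burst of taskkill/timeout/reg children, then rutserv.exe making outbound connections) and the C2 from the IOC table into hunting logic, and runs it over constructed Sysmon-style events. The thresholds (512-character command line, five command-line tool children), the placeholder paths, the is-XXXXX.tmp naming check for Inno Setup, the registry keys in the sample script and the events themselves are assumptions or constructed input, not data taken from the page.

```python
"""Added example (not from the MalwareBazaar entry or any vendor): detection logic over
constructed process/network events for the chain reported above, installer .exe ->
Inno Setup .tmp -> cmd.exe (very long command line, many taskkill/timeout/reg children)
-> rutserv.exe -> outbound traffic, plus the C2 from the IOC table. Event shapes,
paths, thresholds and sample events are constructed or assumed."""
import re
from collections import Counter
from dataclasses import dataclass

C2_IOCS = {("77.223.124.210", 5655)}   # from the entry's IOC table (ThreatFox 158063)
# Hosts in the sandbox behaviour graph. Lower confidence: smtp.yandex.ru is a public
# mail relay, so it is only flagged when the RMS service binary is the client.
SANDBOX_HOSTS = {"smtp.yandex.ru", "id70.internetid.ru", "china.hldns.ru"}
LOLBINS = {"taskkill.exe", "timeout.exe", "reg.exe"}
LONG_CMDLINE = 512   # assumed threshold, tune per environment
LOLBIN_BURST = 5     # assumed threshold for "excessive" cmd tool use
# Inno Setup names its extracted setup binary and payload files is-XXXXX.tmp.
INNO_TMP = re.compile(r"(^|\\)is-[A-Z0-9]{5}\.tmp(\\|$)", re.IGNORECASE)

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str     # full image path
    cmdline: str

@dataclass(frozen=True)
class Conn:
    pid: int
    dst: str       # hostname or IP
    port: int

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def ancestors(pid, by_pid):
    """Yield the process, then each parent, stopping at unknown pids or loops."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield by_pid[pid]
        pid = by_pid[pid].ppid

def detect(procs, conns):
    """Return sorted finding strings for process and connection events."""
    findings = set()
    by_pid = {p.pid: p for p in procs}
    lolbin_children = Counter()
    for p in procs:
        name = basename(p.image)
        parent = by_pid.get(p.ppid)
        parent_name = basename(parent.image) if parent else ""
        if name == "cmd.exe" and len(p.cmdline) >= LONG_CMDLINE:
            findings.add(f"pid {p.pid}: very long cmd.exe command line ({len(p.cmdline)} chars)")
        if name in LOLBINS and parent_name == "cmd.exe":
            lolbin_children[p.ppid] += 1
        # rutserv.exe is the Remote Utilities / RMS service binary; reached via cmd.exe
        # from an Inno Setup temp binary it is a scripted silent install.
        if name == "rutserv.exe":
            chain = list(ancestors(p.pid, by_pid))[1:]
            if (any(basename(a.image) == "cmd.exe" for a in chain)
                    and any(INNO_TMP.search(a.image) for a in chain)):
                findings.add(f"pid {p.pid}: rutserv.exe launched from Inno Setup installer via cmd.exe")
    for ppid, n in lolbin_children.items():
        if n >= LOLBIN_BURST:
            findings.add(f"pid {ppid}: cmd.exe spawned {n} taskkill/timeout/reg children")
    for c in conns:
        owner = basename(by_pid[c.pid].image) if c.pid in by_pid else "?"
        if (c.dst, c.port) in C2_IOCS:
            findings.add(f"pid {c.pid} ({owner}): connection to known C2 {c.dst}:{c.port}")
        elif c.dst.lower() in SANDBOX_HOSTS and owner == "rutserv.exe":
            findings.add(f"pid {c.pid} ({owner}): contacts sandbox-observed host {c.dst}:{c.port}")
    return sorted(findings)

# Constructed sample events (not a real capture); paths and registry keys are placeholders.
INSTALLER = r"C:\Users\user\Downloads\5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.exe"
SETUP_TMP = r"C:\Users\user\AppData\Local\Temp\is-XXXXX.tmp\5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.tmp"
SYS32 = r"C:\Windows\System32"
REG_CMDS = [f'reg add "HKLM\\SOFTWARE\\Example\\Param{i}" /v Enabled /t REG_DWORD /d 1 /f'
            for i in range(10)]
SCRIPT = " & ".join(["taskkill /f /im rutserv.exe", "timeout /t 2 /nobreak"] + REG_CMDS
                    + [r"C:\ProgramData\Immunity\rutserv.exe"])
PROCS = [
    Proc(100, 1, INSTALLER, INSTALLER),
    Proc(110, 100, SETUP_TMP, SETUP_TMP),
    Proc(120, 110, SYS32 + r"\cmd.exe", "cmd.exe /c " + SCRIPT),
    Proc(121, 120, SYS32 + r"\taskkill.exe", "taskkill /f /im rutserv.exe"),
    Proc(122, 120, SYS32 + r"\timeout.exe", "timeout /t 2 /nobreak"),
    *[Proc(130 + i, 120, SYS32 + r"\reg.exe", REG_CMDS[i]) for i in range(4)],
    Proc(150, 120, r"C:\ProgramData\Immunity\rutserv.exe", "rutserv.exe"),
    Proc(151, 150, r"C:\ProgramData\Immunity\rutserv.exe", "rutserv.exe"),
    Proc(200, 1, r"C:\Program Files\MailClient\mailclient.exe", "mailclient.exe"),
]
CONNS = [
    Conn(151, "77.223.124.210", 5655),  # the entry's C2 IOC
    Conn(151, "smtp.yandex.ru", 587),   # RMS mail notification, as in the sandbox run
    Conn(200, "smtp.yandex.ru", 587),   # a mail client on the same relay: not flagged
]
```

Calling detect(PROCS, CONNS) returns six findings for the constructed chain: the long cmd.exe command line, the burst of six taskkill/timeout/reg children, both rutserv.exe processes whose lineage runs through cmd.exe back to an is-XXXXX.tmp binary, the connection to the listed C2, and the rutserv.exe connection to smtp.yandex.ru. The mail client's connection to the same relay is deliberately not flagged, and the command-line and child-count thresholds will need tuning against your own baseline before they are used in production.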
Unpacked files

SHA256 hash: 4079f880b226762833bd3ec2726511c1418bff4c0b8bd7f14f2ec03ce9482f54
MD5 hash: 04362ce81ce3a86f18b3d1c8b7588deb
SHA1 hash: b13c1c60065419575c9a8d85d354e2e63c569914

SHA256 hash: 946684187718ae639831d8c400c2f2204cdd90e9d09245350b9e54b3eaf57047
MD5 hash: 93cb8e51bd086b65453dc29f27caf4f3
SHA1 hash: b3fb527425b74d465a122d5d651fa61a6883ef07

SHA256 hash: 3d41fbe8473d642fd5c851cde2f321e404b280be6d09f9a115cfab7b14ecc236
MD5 hash: aad309766de5e099eb11ba8c31f797e9
SHA1 hash: 380b5289c7e51f72c47c4ab0d1ad2129225aa055

SHA256 hash: ab49497bb78494e50567c61c40137fae11ff060ada1aa762fb2ed75a80ce368f
MD5 hash: c6ab47288126d0c16694bd447055d49d
SHA1 hash: 85667c2df12a00beb08f586b35a2f5f2d781c59b
Detections: win_danabot_a1 win_rms_a0 win_rms_auto

SHA256 hash: 5903ca7c770eb447d3d83e9dbc28469b172d74a4e9fb552db6c41db8e96db330
MD5 hash: 82f18d250b9262253e3f358b26d8888b
SHA1 hash: 94412e471583266dd4b89daea0e2ca4238c0ac95

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Adsterra_Adware_DOM
Author: IlluminatiFish
Description: Detects Adsterra adware script being loaded without the user's consent

Rule name: MALWARE_Win_RemoteUtilitiesRAT
Author: ditekSHen
Description: RemoteUtilitiesRAT RAT payload

Rule name: Select_from_enumeration
Author: James_inthe_box
Description: IP and port combo

Rule name: win_rms_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: with_urls
Author: Antonio Sanchez <asanchez@hispasec.com>
Description: Rule to detect the presence of one or several URLs
Reference: http://laboratorio.blogs.hispasec.com/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments