MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c8a5f43e07034d0545c60c137f96c6ab8da44cfd59a8654896c8f6c497aefad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemoteManipulator


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c8a5f43e07034d0545c60c137f96c6ab8da44cfd59a8654896c8f6c497aefad
SHA3-384 hash: 372477f16846d8949dd5c7e620556a1bf41cdb88aabbdcab0312653bc513b06d8d00b3f7c4c7510a4b7ac1e1778e8111
SHA1 hash: 77ca0c3b15f33f96169af1db5b6325ef84a44898
MD5 hash: 81f327ba23b03e261a0bcb3b4be3ffb4
humanhash: missouri-idaho-lactose-lemon
File name:Build.exe
Download: download sample
Signature RemoteManipulator
Create hunting rule
File size:4'563'924 bytes
First seen:2020-11-12 15:00:36 UTC
Last seen:2024-07-24 15:30:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e9c0657252137ac61c1eeeba4c021000 (53 x GuLoader, 26 x RedLineStealer, 17 x AgentTesla)
ssdeep 98304:yMMMMMMSLLLLLLLPwt775WLYyN0YAyb9en/XI/dFpZkwBjwzX8dBziW0:3wt/K0Znvk0OjemO
Threatray 8 similar samples on MalwareBazaar
TLSH C02612C3F760051AF9AF47B292F35E1C992AEEFC9B65230A0CE033167563857196B487
Reporter James_inthe_box
Tags:exe RemoteManipulator

Intelligence

File Origin
# of uploads :
2
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Creating a window
Launching a service
DNS request
Sending a custom TCP request
Creating a file
Delayed writing of the file
Running batch commands
Creating a process with a hidden window
Launching a process
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RMSRemoteAdmin
Create hunting rule
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/532937
Signature
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 315570 Sample: Build.exe Startdate: 12/11/2020 Architecture: WINDOWS Score: 56 43 Multi AV Scanner detection for submitted file 2->43 45 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->45 47 Uses schtasks.exe or at.exe to add and modify task schedules 2->47 7 Build.exe 6 21 2->7         started        10 rutserv.exe 2 2->10         started        12 rutserv.exe 2 2->12         started        process3 file4 29 C:\Program Files (x86)\Atomic\rutserv.exe, PE32 7->29 dropped 31 C:\Users\user\AppData\Local\...\LogFile.xml, XML 7->31 dropped 33 C:\Users\user\AppData\...\nsisFirewall.dll, PE32 7->33 dropped 35 4 other files (none is malicious) 7->35 dropped 14 cmd.exe 1 7->14         started        16 rutserv.exe 2 7->16         started        process5 process6 18 conhost.exe 14->18         started        20 schtasks.exe 1 14->20         started        22 schtasks.exe 1 14->22         started        24 schtasks.exe 1 14->24         started        26 rutserv.exe 4 2 16->26         started        dnsIp7 37 id.remoteutilities.com 108.163.130.184, 49720, 5655 IWEB-ASCA Canada 26->37 39 66.240.205.51, 49726, 5655 CARINETUS United States 26->39 41 192.168.2.1 unknown unknown 26->41
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6c8a5f43e07034d0545c60c137f96c6ab8da44cfd59a8654896c8f6c497aefad/
Threat name:
Win32.Hacktool.AutoKMS
Create hunting rule
Status:
Malicious
First seen:
2020-11-03 14:17:50 UTC
File Type:
PE (Exe)
Extracted files:
198
AV detection:
16 of 29 (55.17%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nsff6q7aoa2navc4mdatp6lmnk4nurgp2wnimvejnshwysl256wq._file
Verdict:
malicious
Similar samples:
118dd258630c48b0beacd8b4c04c9c9cd3b9f698b660b6a904b1dfc033e00cd1
RemoteManipulator
31e0d8d290cef40450e8afb88a58749155645f4f702bdec51a81290d0230de09
RemoteManipulator
380a0d5b3d5ae9eb9a53cf5bb4fe1737de62020e4f0ec5f56ee601bf8a884d1b
RemoteManipulator
6dda990d8073fee71cedeabd622f6d7a9be6fb2e696bda71e7b709f1c08f5e36
RemoteManipulator
7cebce024d5351e0179898fffce2628756bdcd33f9ce3833f922f1265b6e5f73
RemoteManipulator
b5961f407c0afef04c9406ba17cbae3fe4cc575b47e50081abbda0d96f9c0f18
RemoteManipulator
c72abb73f39b466cd8b230c1fd9d6c1bf46573db11038eaa407d47976eb317eb
RemoteManipulator
ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb
RemoteManipulator
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence upx
Link:
https://tria.ge/reports/201112-aqmsxbwq26/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Drops file in Program Files directory
Adds Run key to start application
JavaScript code in executable
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
UPX packed file
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
6c8a5f43e07034d0545c60c137f96c6ab8da44cfd59a8654896c8f6c497aefad
MD5 hash:
81f327ba23b03e261a0bcb3b4be3ffb4
SHA1 hash:
77ca0c3b15f33f96169af1db5b6325ef84a44898
Link:
https://www.unpac.me/results/cde6fbeb-61e1-49ec-9261-5645a9aea571/
SH256 hash:
ea8b94e4caacd9881f5fdd77b1d9682227aabcae6e844a50cc09629f146b5f22
MD5 hash:
7546c1ada44e5791e00187a2a923f548
SHA1 hash:
9cae869e7676b9be747536dbee4eb6cc068dda79
Link:
https://www.unpac.me/results/cde6fbeb-61e1-49ec-9261-5645a9aea571/
SH256 hash:
89f26b20e4ff940d9fb76a99128178b22e69d84550a163b0d27804c790c77efe
MD5 hash:
fa6354a3f0dfe601610a06be6b64c051
SHA1 hash:
166312cfc636da57e220f4c6f70f5224ac30b1a6
Detections:
win_rms_a0
Create hunting rule
win_rms_auto
Create hunting rule
Link:
https://www.unpac.me/results/cde6fbeb-61e1-49ec-9261-5645a9aea571/
SH256 hash:
a6fe62d19b2b0f608fe3367ba5612742b9ff248b91a32b13fe189c891a22a00d
MD5 hash:
729168d16501390f6b7d92edb38886c4
SHA1 hash:
d244dc2a6325b22a02372c2b8e01ef4a3e51d10c
Link:
https://www.unpac.me/results/cde6fbeb-61e1-49ec-9261-5645a9aea571/
SH256 hash:
2e204ee4f1d12b4ca35c8205cea0cabe354f2e79a471863cfb76a7cee83cf107
MD5 hash:
69f2e8c6fd141e9e720b2c4c366a8154
SHA1 hash:
a6279d93a102b6d7608dced32a36ddcd3e51994c
Link:
https://www.unpac.me/results/cde6fbeb-61e1-49ec-9261-5645a9aea571/
SH256 hash:
0fb36a2a660dd899daf6eeb5d46f28d998d0b9afb53ded89f47bc03936e06aff
MD5 hash:
528ec935c96a89aec500bc27c13536c2
SHA1 hash:
9285ce32249377d5f9d8640de364771dd935e344
Link:
https://www.unpac.me/results/cde6fbeb-61e1-49ec-9261-5645a9aea571/
Parent samples :
6fb6cffbc9d37606dee6240083b2f3db1747a819ee84d2db3d1e2bc5937e93cc
3237ff81fe1982520a0bb7675a156a419d3271971a024ae43b3e5aabaf10f6ef
SH256 hash:
8c788a09ccce42ef39f707477ec6f38a3f7a3b18c5751b4580ab787766e8baac
MD5 hash:
fe7135eb0e80228905b3c1116923eef7
SHA1 hash:
5aaa7e7f78e91ede83dd075b58b1a01aa98fb21b
Link:
https://www.unpac.me/results/cde6fbeb-61e1-49ec-9261-5645a9aea571/
SH256 hash:
49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a
MD5 hash:
293165db1e46070410b4209519e67494
SHA1 hash:
777b96a4f74b6c34d43a4e7c7e656757d1c97f01
Link:
https://www.unpac.me/results/cde6fbeb-61e1-49ec-9261-5645a9aea571/
SH256 hash:
d6ce372acacf988f845b1bd35a876a1c1da19316efca4c6990e0f9ac6f0853e4
MD5 hash:
9b54944ce476591d65288b0701a52c46
SHA1 hash:
df1754c7714cbc7a40a281318b726629c348ee23
Link:
https://www.unpac.me/results/cde6fbeb-61e1-49ec-9261-5645a9aea571/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
  
URLhaus
https://urlhaus.abuse.ch/url/810254/

Comments