MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fb6cffbc9d37606dee6240083b2f3db1747a819ee84d2db3d1e2bc5937e93cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemoteManipulator


Vendor detections: 17


Intelligence 17 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6fb6cffbc9d37606dee6240083b2f3db1747a819ee84d2db3d1e2bc5937e93cc
SHA3-384 hash: ad1a6886be5e2b173cfc894fa606780bc155a6aac71afe1d5567ebdb24b7f423c378eecd9067e8037ada2ae581681362
SHA1 hash: c5677e34753294789f75d036cfb677b44e1aa426
MD5 hash: fec6019b90092723b543219410ce71b4
humanhash: may-angel-mango-magazine
File name:SecuriteInfo.com.PUA.Tool.RemoteControl.20.4973.23208
Download: download sample
Signature RemoteManipulator
Create hunting rule
File size:11'390'464 bytes
First seen:2024-10-20 14:30:20 UTC
Last seen:2024-10-20 14:30:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 19b321cb7a9ce31c90397152f38b67ea (29 x RemoteManipulator)
ssdeep 196608:np9T+NrpQJrG8M3+OvIKeFUOkpfG+n4qsYdz+FsCTk6x4acytLmfzB:n6rpQJK8M3+4teCOkpe3YhG7LmfzB
Threatray 17 similar samples on MalwareBazaar
TLSH T1BBB63353E7D64814D8FE4BBE4DBE8B101B6ABCD85A1267CD0354B2299C7778098B13CB
TrID 68.2% (.EXE) UPX compressed Win32 Executable (27066/9/6)
11.3% (.EXE) Win32 Executable (generic) (4504/4/1)
5.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
5.1% (.EXE) OS/2 Executable (generic) (2029/13)
5.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
File icon (PE):PE icon
dhash icon c4dacabacac0c244 (47 x RemoteManipulator)
Reporter SecuriteInfoCom
Tags:exe RemoteManipulator

Intelligence

File Origin
# of uploads :
2
# of downloads :
396
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
rms
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.PUA.Tool.RemoteControl.20.4973.23208
Verdict:
Malicious activity
Analysis date:
2024-10-20 14:32:26 UTC
Tags:
rat rms smtp
Link:
https://app.any.run/tasks/e76a182b-650a-4ba2-a383-f4b56c3e5476

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.PUA.Tool.RemoteControl.20.23424.10675.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=671514329e67c24682027894
Tags:
Delphi Spam
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a service
DNS request
Connection attempt
Creating a file in the Windows subdirectories
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
embarcadero_delphi fingerprint hook keylogger lolbin lolbin obfuscated overlay packed packed packed packer_detected rat remote remotecontrol rijndael shell32 upx
Link:
https://www.filescan.io/uploads/67151429cb929da7ec4dedd9/reports/62c4dbb4-1494-4c66-b2de-8ba5126048fc/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/6fb6cffbc9d37606dee6240083b2f3db1747a819ee84d2db3d1e2bc5937e93cc
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/51d8954e-3dfd-4492-ae3d-8e35f25e19b5
Result
Threat name:
RMSRemoteAdmin
Create hunting rule
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1538148
Signature
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1538148 Sample: SecuriteInfo.com.PUA.Tool.R... Startdate: 20/10/2024 Architecture: WINDOWS Score: 72 32 smtp-5.1gb.ua 2->32 34 fp3011.wpc.phicdn.net 2->34 36 3 other IPs or domains 2->36 44 Malicious sample detected (through community Yara rule) 2->44 46 Multi AV Scanner detection for dropped file 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 Machine Learning detection for sample 2->50 10 SecuriteInfo.com.PUA.Tool.RemoteControl.20.4973.23208.exe 17 2->10         started        signatures3 process4 file5 24 C:\Users\user\...\webmvorbisencoder.dll, PE32 10->24 dropped 26 C:\Users\user\...\webmvorbisdecoder.dll, PE32 10->26 dropped 28 C:\Users\user\AppData\Roaming\...\webmmux.dll, PE32 10->28 dropped 30 6 other files (5 malicious) 10->30 dropped 52 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->52 14 rfusclient.exe 1 10->14         started        signatures6 process7 process8 16 rutserv.exe 2 14->16         started        signatures9 42 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 16->42 19 rutserv.exe 7 12 16->19         started        process10 dnsIp11 38 smtp-5.1gb.ua 195.234.4.5, 465, 49736 ONEGB-ASUA Ukraine 19->38 40 89.184.66.94, 49737, 49742, 49743 MIROHOSTWebhostingdatacenteranddomainnamesregistrati Ukraine 19->40 22 rfusclient.exe 19->22         started        process12
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6fb6cffbc9d37606dee6240083b2f3db1747a819ee84d2db3d1e2bc5937e93cc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6fb6cffbc9d37606dee6240083b2f3db1747a819ee84d2db3d1e2bc5937e93cc/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-09-14 18:02:57 UTC
File Type:
PE (Exe)
Extracted files:
73
AV detection:
18 of 38 (47.37%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n63m766j2n3anxxgeqaihmxt3mlupkaz52cnfwz5dyv4le36spga._file
Verdict:
malicious
Label(s):
rms
Create hunting rule
Similar samples:
075ec6ffbc5779e54c73a41b478b0bd6534f6cd5db435b8226d76c50012b267f
RemoteManipulator
18990cfc38044e3be0d954ebfca6cd08404a67841f48a9540ea5397e7b83fb00
RemoteManipulator
39fdee94a127b3ff44d985da275c9c843451d86e8b8c4eca28cef62e79cc4c1f
RemoteManipulator
6fb6cffbc9d37606dee6240083b2f3db1747a819ee84d2db3d1e2bc5937e93cc
RemoteManipulator
ab331fd318fdc268d79d9bd4a4e01a02292041b70403da4f36fe8f310122cc72
RemoteManipulator
b09c83cc92243c149da72ad6039891cc328f2eae0afdd327fe363b9b0d4297bf
RemoteManipulator
error
RemoteManipulator
+ 7 additional samples on MalwareBazaar
Result
Malware family:
rms
Create hunting rule
Score:
  10/10
Tags:
family:rms discovery rat trojan upx
Link:
https://tria.ge/reports/241020-rvpzxashqh/
Behaviour
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in System32 directory
UPX packed file
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
RMS
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d553f8d2-ebcc-45bb-90de-e4a182416cae
Unpacked files
SH256 hash:
bd99ac97f811a586eedadc482a747021e4f68ab37ce52464f4c59dbad6002a36
MD5 hash:
eb53819353311d6a7c1b2fd4f7016ec8
SHA1 hash:
bd5c17ff7e63cb0fad4bc4b341a82b233c6f930c
Link:
https://www.unpac.me/results/586306e8-3fee-4b10-a25b-0bd7b91b458f/
SH256 hash:
3e0436bd43e179fc9de5e615fdbf7cc89226d043bb1a3f83a1fbe1bad31c5bdc
MD5 hash:
d444024b642cec1367732b4297ad3189
SHA1 hash:
3abaf16561552f0f0a63beab34eb0a700edad986
Link:
https://www.unpac.me/results/586306e8-3fee-4b10-a25b-0bd7b91b458f/
SH256 hash:
0fb36a2a660dd899daf6eeb5d46f28d998d0b9afb53ded89f47bc03936e06aff
MD5 hash:
528ec935c96a89aec500bc27c13536c2
SHA1 hash:
9285ce32249377d5f9d8640de364771dd935e344
Detections:
win_samsam_auto
Create hunting rule
Link:
https://www.unpac.me/results/586306e8-3fee-4b10-a25b-0bd7b91b458f/
Parent samples :
6fb6cffbc9d37606dee6240083b2f3db1747a819ee84d2db3d1e2bc5937e93cc
3237ff81fe1982520a0bb7675a156a419d3271971a024ae43b3e5aabaf10f6ef
SH256 hash:
8c788a09ccce42ef39f707477ec6f38a3f7a3b18c5751b4580ab787766e8baac
MD5 hash:
fe7135eb0e80228905b3c1116923eef7
SHA1 hash:
5aaa7e7f78e91ede83dd075b58b1a01aa98fb21b
Link:
https://www.unpac.me/results/586306e8-3fee-4b10-a25b-0bd7b91b458f/
SH256 hash:
22a06ec8cb31d654313f3e61858005217884608a552a9e42f3115d4151061a6e
MD5 hash:
307fc7123a625115c06d9a33f83418c4
SHA1 hash:
6230d1ea47ddbab3fe4c2d6a766841f210b7aa24
Link:
https://www.unpac.me/results/586306e8-3fee-4b10-a25b-0bd7b91b458f/
SH256 hash:
524a74666a7638a049e98ab1b96f3dd1d6637adfa74aec453890c1fe6f13201d
MD5 hash:
f9f8a83364166037b5b86cfd00767dd6
SHA1 hash:
699b2878355b88eaea208e9ab3d581fb51448277
Detections:
win_rms_a0
Create hunting rule
win_rms_auto
Create hunting rule
MALWARE_Win_RemoteUtilitiesRAT
Create hunting rule
Link:
https://www.unpac.me/results/586306e8-3fee-4b10-a25b-0bd7b91b458f/
Parent samples :
d101d0dd2bce548291c5d839fd4b047a2e1739ebef3725d2e2923fd44564a41b
6fb6cffbc9d37606dee6240083b2f3db1747a819ee84d2db3d1e2bc5937e93cc
SH256 hash:
1dc399459e8ffc84fac57ec1348cb27d0b49df15da69c6d5b73bc39d63adb1c9
MD5 hash:
519843aac833d61372e1887a4d66abb6
SHA1 hash:
f86c43a95c1d38e081b7e8ef4b956c243cf12858
Detections:
win_rms_a0
Create hunting rule
MALWARE_Win_RemoteUtilitiesRAT
Create hunting rule
Link:
https://www.unpac.me/results/586306e8-3fee-4b10-a25b-0bd7b91b458f/
SH256 hash:
6fb6cffbc9d37606dee6240083b2f3db1747a819ee84d2db3d1e2bc5937e93cc
MD5 hash:
fec6019b90092723b543219410ce71b4
SHA1 hash:
c5677e34753294789f75d036cfb677b44e1aa426
Link:
https://www.unpac.me/results/586306e8-3fee-4b10-a25b-0bd7b91b458f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6fb6cffbc9d37606dee6240083b2f3db1747a819ee84d2db3d1e2bc5937e93cc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:UPX20030XMarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:UPXv20MarkusLaszloReiser
Create hunting rule
Author:malware-lu
Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemoteManipulator

Executable exe 6fb6cffbc9d37606dee6240083b2f3db1747a819ee84d2db3d1e2bc5937e93cc

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3245556/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteW
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegLoadKeyW

Comments