MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 722c230238d0f92f038abcd5c63f1c36664241df74c20eb008c9bf47fcb01ac9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemoteManipulator


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 722c230238d0f92f038abcd5c63f1c36664241df74c20eb008c9bf47fcb01ac9
SHA3-384 hash: 0f90bcfbb8801c995c91da30518bc8fafbf66ca0bb680070a14af90fd7fe927f1a290a79252efa52302eb80900c9e0eb
SHA1 hash: 389d92e33070ac4216ac0bc491b41170d320ca5d
MD5 hash: a66c62622e2002140b15b4add14da7d3
humanhash: failed-diet-potato-oranges
File name:722C230238D0F92F038ABCD5C63F1C36664241DF74C20.exe
Download: download sample
Signature RemoteManipulator
Create hunting rule
File size:18'472'432 bytes
First seen:2021-10-17 07:10:33 UTC
Last seen:2021-10-17 08:18:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 19b321cb7a9ce31c90397152f38b67ea (29 x RemoteManipulator)
ssdeep 393216:GoNlDhipGYtZVMBpX/iYvHCHdn18Zo/PHRa6CH:5Dh9AMXPDGGo/5aPH
Threatray 56 similar samples on MalwareBazaar
TLSH T1A11733C2EBF0094AF9BB063296FA0F0C5B6AFDA86B79530D05D1B2153563D5308A67C7
File icon (PE):PE icon
dhash icon c0dacabacac0c244 (20 x RemoteManipulator)
Reporter abuse_ch
Tags:exe RemoteManipulator


Avatar
abuse_ch
RemoteManipulator C2:
50.240.232.117:5655

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
50.240.232.117:5655 https://threatfox.abuse.ch/ioc/234887/

Intelligence

File Origin
# of uploads :
2
# of downloads :
395
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
722C230238D0F92F038ABCD5C63F1C36664241DF74C20.exe
Verdict:
No threats detected
Analysis date:
2021-10-17 07:14:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/731306db-6fba-426c-bd45-73b2dc1f2b82

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

PUA.Win.Packer.Exe-6
Create hunting rule

PUA.Win.Tool.RemoteUtilities-9869515-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating a file
Launching a process
Creating a file in the Program Files subdirectories
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a service
Deleting a recently created file
Launching a service
Connection attempt
Sending a custom TCP request
Enabling autorun for a service
Firewall traversal
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/616bcc8fdb358dd15ebd8980/reports/fde71558-f241-4c4c-9f1f-0ccd713c2f95/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RMSRemoteAdmin Remote Utilities
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
51 / 100
Link:
https://www.joesandbox.com/analysis/871724
Signature
Contains functionality to detect sleep reduction / modifications
Detected Remote Utilities RAT
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file registry)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 504152 Sample: 722C230238D0F92F038ABCD5C63... Startdate: 17/10/2021 Architecture: WINDOWS Score: 51 43 Multi AV Scanner detection for submitted file 2->43 45 Detected Remote Utilities RAT 2->45 47 Tries to steal Mail credentials (via file registry) 2->47 49 2 other signatures 2->49 7 msiexec.exe 110 126 2->7         started        11 722C230238D0F92F038ABCD5C63F1C36664241DF74C20.exe 5 2->11         started        13 svchost.exe 1 1 2->13         started        16 4 other processes 2->16 process3 dnsIp4 31 C:\Program Files (x86)\...\rutserv.exe, PE32 7->31 dropped 33 C:\Program Files (x86)\...\rfusclient.exe, PE32 7->33 dropped 35 C:\Program Files (x86)\...\drvinstaller64.exe, PE32+ 7->35 dropped 39 46 other files (none is malicious) 7->39 dropped 53 Detected Remote Utilities RAT 7->53 18 rutserv.exe 3 7->18         started        21 rutserv.exe 2 7->21         started        23 rfusclient.exe 3 7->23         started        25 msiexec.exe 7->25         started        37 C:\Users\user\AppData\Local\Temp\...\host.msi, Composite 11->37 dropped 27 msiexec.exe 11->27         started        41 127.0.0.1 unknown unknown 13->41 file5 signatures6 process7 signatures8 51 Detected Remote Utilities RAT 18->51 29 drvinstaller64.exe 1 18->29         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/722c230238d0f92f038abcd5c63f1c36664241df74c20eb008c9bf47fcb01ac9/
Threat name:
Win32.Trojan.RemoteUtilities
Create hunting rule
Status:
Malicious
First seen:
2019-08-22 21:21:24 UTC
AV detection:
4 of 27 (14.81%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=oiwcgary2d4s6a4kxtk4mpy4gzteeqo7otba5maizg7up7fqdleq._file
Verdict:
malicious
Similar samples:
19d1d20f580914efbf1f300e65ee1f9e6ff771fc3d061a5549443ffcf77f252a
RemoteManipulator
1dd15c830c0a159b53ed21b8c2ce1b7e8093256368d7b96c1347c6851ee6c4f6
RemoteManipulator
43f99c7803096733f587609de930cc8f7f7efa089df450adca6d07d9e4d7eaf5
RemoteManipulator
49fbf9884299fbc6b09e640449fdc834f82a752908d381a68e2057a9861e3618
RemoteManipulator
6984fbcdc07aa5d975b4f6742888e3185d6091440b0b76bce13ca81d2a7f931e
RemoteManipulator
6d1480cd5b10739af130850f9d9bfa7ebe50024c5db68dd231bc7e4bd560ffa6
RemoteManipulator
c8ebec4136a41a11aa96976ce1b5d4b01785ff3ac94b781550cc2e11984c7a2c
RemoteManipulator
cbe3b86357b4f4d072ae00d8373f2e553e5cc43008e1be2ade4fe463f956df35
RemoteManipulator
e5f575d9223be5a7a825f598e21b5ec4475ea6a9d58ad0e87932a57768908027
RemoteManipulator
+ 46 additional samples on MalwareBazaar
Result
Malware family:
rurat
Create hunting rule
Score:
  10/10
Tags:
family:rurat backdoor discovery persistence trojan upx
Link:
https://tria.ge/reports/211017-hzyceacdg7/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Checks installed software on the system
Enumerates connected drives
Checks computer location settings
Loads dropped DLL
Blocklisted process makes network request
Drops file in Drivers directory
Executes dropped EXE
Registers new Print Monitor
Registers COM server for autorun
RuRAT
Unpacked files
SH256 hash:
66760a4c41a342b16e71e0e45b2b6d459792a67fc0c8cd97f381ab74d0b9f631
MD5 hash:
c63d821ed8438e22b4a9d5adb6da161d
SHA1 hash:
b6b3db8031664aba83376db541b912e8b300e829
Link:
https://www.unpac.me/results/b0f016a3-54c5-471b-9ac5-6160de64a5d7/
SH256 hash:
722c230238d0f92f038abcd5c63f1c36664241df74c20eb008c9bf47fcb01ac9
MD5 hash:
a66c62622e2002140b15b4add14da7d3
SHA1 hash:
389d92e33070ac4216ac0bc491b41170d320ca5d
Link:
https://www.unpac.me/results/b0f016a3-54c5-471b-9ac5-6160de64a5d7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/722c230238d0f92f038abcd5c63f1c36664241df74c20eb008c9bf47fcb01ac9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RemoteUtilitiesRAT
Create hunting rule
Author:ditekSHen
Description:RemoteUtilitiesRAT RAT payload
Rule name:win_rms_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_urls
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the presence of an or several urls
Reference:http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments