MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77adc6a164ad03708451235e3e9ad9ba57f8d8815fee3ff0164f1c0d72cef0ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemoteManipulator


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 77adc6a164ad03708451235e3e9ad9ba57f8d8815fee3ff0164f1c0d72cef0ef
SHA3-384 hash: 2cf4e42d5f167656ccfe1ae69086822929e9416a7030b9ba9e969a88de06f8d65d5202b2d93fc2d762fc4ef985eea386
SHA1 hash: 885ffc2518a2f95729d893db7e74c06985ef801c
MD5 hash: dd20f7012c9b8a409dc42e47850ee048
humanhash: april-kansas-mexico-venus
File name:2.msi
Download: download sample
Signature RemoteManipulator
Create hunting rule
File size:22'479'360 bytes
First seen:2022-08-22 19:57:53 UTC
Last seen:2022-08-22 21:00:02 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 393216:HbkjdbQ0s7smqYd2/36hU1cvjd8nyRAZmbEKjJm0lV0FsUVxGaZ9+Wg8lwu:QmsT1/qTvfAZqEXAVgo8lP
Threatray 30 similar samples on MalwareBazaar
TLSH T1BB3723C2F751052AFD9F477296FB4E1C493EEDAC9B60234F69E0730525B38920A6B193
TrID 66.7% (.MSI) Microsoft Windows Installer (454500/1/170)
16.5% (.MSM) Windows Installer Merge Module (113019/2/34)
8.9% (.MST) Windows SDK Setup Transform script (61000/1/5)
6.5% (.MSP) Windows Installer Patch (44509/10/5)
1.1% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter Anonymous
Tags:msi RemoteManipulator signed

Code Signing Certificate

Organisation:Remote Utilities, LLC
Issuer:DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2022-02-23T00:00:00Z
Valid to:2023-02-21T23:59:59Z
Serial number: 0846c280ebf8186918d2d682392e53a7
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 7a7c9fdf332cd218ade9a2e69c6b165c975a13ecf468baa564c21c8089b71d57
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
243
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
remoteadmin shell32.dll
Link:
https://www.filescan.io/uploads/6303dfe3c7e5977f84e5166c/reports/ad13a2b7-c3a3-4dda-af00-22a278798c75/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/77adc6a164ad03708451235e3e9ad9ba57f8d8815fee3ff0164f1c0d72cef0ef
Result
Threat name:
RMSRemoteAdmin, Remote Utilities
Create hunting rule
Detection:
suspicious
Classification:
troj.evad
Score:
32 / 100
Link:
https://www.joesandbox.com/analysis/1055852
Signature
Detected Remote Utilities RAT
Malicious sample detected (through community Yara rule)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o6w4nilevubxbbcrenpd5gwzxjl7rwebl7xd74awj4oa24wo6dxq._file
Verdict:
malicious
Similar samples:
56cec810fc6f445e17a04306b653bb3296b55fe481b518c9aca4b1ef69824a3e
RemoteManipulator
94e4d5fcc31fc37aa29b3d042bc2c0295b66592f33730e05e2889a9a69f32f5f
RemoteManipulator
bbc131fda4a9d5d10d774f609a121390bb56456f358420db95d35ef9760acad9
RemoteManipulator
cf5da5a9b8b16d91c32b99d0379ff6729b42606ff38fee944b19e44977c8f2ea
RemoteManipulator
d74f00989c51e8c7ea20038e712df510ee4f0eab405666634036ba255462a59f
RemoteManipulator
ee3eeb0939e2e1b3ee54b369f044f5f666a64cf74d55c278dcfdf4c278a53214
RemoteManipulator
+ 20 additional samples on MalwareBazaar
Result
Malware family:
rurat
Create hunting rule
Score:
  10/10
Tags:
family:rurat backdoor trojan
Link:
https://tria.ge/reports/220822-yptjgacefp/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates connected drives
Loads dropped DLL
Blocklisted process makes network request
RuRAT
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/77adc6a164ad03708451235e3e9ad9ba57f8d8815fee3ff0164f1c0d72cef0ef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments