MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 841419d6c404a4baf5287348cbf0fce17fccbae5b64310fddbfc8bc356a1bae1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 6



SHA256 hash: 841419d6c404a4baf5287348cbf0fce17fccbae5b64310fddbfc8bc356a1bae1
SHA3-384 hash: 1302d5899630386da0b5c5331dfbbf3ffce581c64fbe20ec850442c7bec822cf053ed6671f0645a1a0cf5f589f9879a4
SHA1 hash: e84adcdbc23395854e39d2082bc459eaf04463d7
MD5 hash: 9057886546e2ad3656540b219789444b
humanhash: maine-saturn-white-seventeen
File name: _______ ___ ______.bin
File size: 6,770,089 bytes
First seen: 2020-07-27 06:54:56 UTC
Last seen: 2020-07-28 07:47:26 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: c769210c368165fcb9c03d3f832f55eb (shared with 8 x RemoteManipulator, 1 x QuasarRAT)
ssdeep: 98304:XWBqmAJ/Emwy8+ftSX6ctjsusY7jHFc4jLUctY9mZRUxFHzpA4so+qtihriOD:XeqN/wypgq8Aus0HOQLLpUxHF+qtipiA
Threatray: 21 similar samples on MalwareBazaar
TLSH: F9663306BBF6CE75CA3186BF07587378BE5EAF6502E43E4B125C395E1C71E80C441AA6
Reporter: JAMESWT_WT
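The imphash above is shared by eight RemoteManipulator samples and one QuasarRAT sample, which is a reminder of what the value actually covers: it is an MD5 over the outer binary's normalized import table, so any two files built from the same packer, installer or loader stub collide regardless of what payload they carry. The following is an added worked example, not code from MalwareBazaar or pefile: it reimplements the imphash normalization (lower-case DLL name without its .dll/.ocx/.sys suffix, lower-case function name, ordinal imports as "ordN", joined in import-directory order and MD5-hashed) and clusters a few constructed import tables by it. The import tables and sample names are invented for illustration; pefile's real implementation additionally maps ordinals of a few well-known DLLs (ws2_32, oleaut32) to names, which this example omits.

```python
import hashlib
from typing import Dict, List, Sequence, Tuple, Union

Import = Union[str, int]  # a function name, or an ordinal for imports by ordinal
ImportTable = Sequence[Tuple[str, Sequence[Import]]]  # [(dll, [funcs...]), ...] in PE order


def _normalize_dll(dll: str) -> str:
    """Lower-case the DLL name and strip a .dll/.ocx/.sys suffix, as imphash does."""
    dll = dll.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if dll.endswith(ext):
            return dll[: -len(ext)]
    return dll


def imphash_string(table: ImportTable) -> str:
    """Build the 'dll.func,dll.func,...' string that is hashed.

    Order matters: it follows the import directory, so two binaries with the
    same imports in a different order get different imphashes. Ordinal imports
    become 'ordN' here (pefile also resolves ws2_32/oleaut32 ordinals to names;
    this simplified version does not).
    """
    parts: List[str] = []
    for dll, funcs in table:
        base = _normalize_dll(dll)
        for f in funcs:
            name = "ord%d" % f if isinstance(f, int) else f.lower()
            parts.append(f"{base}.{name}")
    return ",".join(parts)


def imphash(table: ImportTable) -> str:
    """MD5 of the normalized import string, as a 32-character lowercase hex digest."""
    return hashlib.md5(imphash_string(table).encode("ascii")).hexdigest()


def cluster(samples: Dict[str, ImportTable]) -> Dict[str, List[str]]:
    """Group sample names by imphash; one group per distinct import table."""
    groups: Dict[str, List[str]] = {}
    for name, table in samples.items():
        groups.setdefault(imphash(table), []).append(name)
    return groups


# Constructed import tables (not taken from the sample on this page). STUB_IMPORTS
# stands for an installer/loader stub; two "families" built on it share the hash.
STUB_IMPORTS: ImportTable = [
    ("KERNEL32.dll", ["GetTempPathW", "CreateFileW", "WriteFile", "CreateProcessW"]),
    ("SHELL32.dll", ["ShellExecuteW"]),
    ("ADVAPI32.dll", ["RegOpenKeyExW", "RegSetValueExW"]),
    ("WS2_32.dll", [1, 2]),  # imported by ordinal -> "ws2_32.ord1", "ws2_32.ord2"
]
# Same stub with one extra import: a single added API changes the whole hash.
STUB_WITH_EXTRA: ImportTable = list(STUB_IMPORTS) + [("USER32.dll", ["MessageBoxW"])]

# Hypothetical sample set: names are illustrative, not real MalwareBazaar entries.
SAMPLES: Dict[str, ImportTable] = {
    "family_a_build_1": STUB_IMPORTS,
    # identical imports, different casing in the name table: imphash ignores case
    "family_b_build_1": [
        (dll.upper(), [f.upper() if isinstance(f, str) else f for f in funcs])
        for dll, funcs in STUB_IMPORTS
    ],
    "unrelated_tool": STUB_WITH_EXTRA,
}


if __name__ == "__main__":
    for h, names in cluster(SAMPLES).items():
        print(h, names)
    print(imphash_string(STUB_IMPORTS))
```

The practical consequence for triage: treat an imphash match as "same build toolchain or stub", not "same malware family", and pivot on it together with ssdeep/TLSH similarity or the unpacked payload rather than on its own.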

Intelligence


File Origin
# of uploads: 2
# of downloads: 100
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Modifying a system file
Creating a file in the Windows subdirectories
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Creating a service
Launching a service
Deleting a recently created file
Enabling autorun for a service
Result
Threat name: RMSRemoteAdmin
Detection: malicious
Classification: troj.evad
Score: 60 / 100
Signature
Contains functionality to detect sleep reduction / modifications
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses ping.exe to check the status of other devices and networks
Behaviour
Behavior Graph:
Behavior Graph ID: 251353
Sample: _______ ___ ______.bin
Start date: 27/07/2020
Architecture: WINDOWS
Score: 60
Signatures attached to the sample node:
- Multi AV Scanner detection for submitted file
- Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
- Uses ping.exe to check the status of other devices and networks
- Contains functionality to detect sleep reduction / modifications
Process tree (parent -> child), with network contacts:
_______ ___ ______.exe
    cmd.exe
        PING.EXE -> 127.0.0.1 (unknown / unknown)
        msiexec.exe
        msiexec.exe
        3 other processes
rutserv.exe -> 136.243.81.2 (ports 49732, 49733, 49734; HETZNER-ASDE, Germany)
    rfusclient.exe
        rfusclient.exe
    rfusclient.exe
rutserv.exe
3 other processes
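The process tree in the behaviour graph (a dropped executable running cmd.exe, which in turn launches PING.EXE against 127.0.0.1 and msiexec.exe, plus rutserv.exe spawning rfusclient.exe) is a chain a detection engineer can encode directly. The following is an added example, not part of the MalwareBazaar page or of any vendor's sandbox: it runs a handful of parent/child heuristics over constructed process-creation events modelled on that tree and reconstructs the ancestry of each hit for triage. Only the process names come from the graph above; PIDs, file paths (including the "Remote Utilities - Host" install directory), and command lines are assumptions. Pinging the loopback address with a count from a batch file is a common stand-in for sleep, which is why it is scored here only when the parent is cmd.exe.

```python
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Constructed process-creation events (Sysmon Event ID 1-style fields), modelled
# on the behaviour graph above. Not real telemetry: PIDs, paths and command
# lines are assumptions; only the process names follow the graph.
EVENTS: List[Event] = [
    {"pid": "100", "ppid": "1", "image": r"C:\Users\u\AppData\Local\Temp\setup.exe",
     "cmdline": r'"C:\Users\u\AppData\Local\Temp\setup.exe"'},
    {"pid": "101", "ppid": "100", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\install.bat"'},
    {"pid": "102", "ppid": "101", "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping 127.0.0.1 -n 3"},
    {"pid": "103", "ppid": "101", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec /i "C:\Users\u\AppData\Local\Temp\host.msi" /qn'},
    {"pid": "104", "ppid": "1", "image": r"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe",
     "cmdline": r'"C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe"'},
    {"pid": "105", "ppid": "104", "image": r"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe",
     "cmdline": r'"C:\Program Files (x86)\Remote Utilities - Host\rfusclient.exe"'},
    # Benign control: a ping to a remote host with no recorded parent must not fire.
    {"pid": "106", "ppid": "1", "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping 10.0.0.5"},
]

LOOPBACK = re.compile(r"(?<![\w.])(127\.0\.0\.1|localhost)(?![\w.])", re.I)
TEMP_DIR = re.compile(r"\\temp\\", re.I)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def _index(events: List[Event]) -> Dict[str, Event]:
    return {e["pid"]: e for e in events}


def ancestry(events: List[Event], pid: str) -> List[str]:
    """Process names from the oldest recorded ancestor down to `pid`."""
    by_pid = _index(events)
    chain: List[str] = []
    seen = set()
    while pid in by_pid and pid not in seen:  # stop at unknown parent or a PID cycle
        seen.add(pid)
        chain.append(_basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Apply parent/child heuristics; return (rule_name, pid) pairs in event order."""
    by_pid = _index(events)
    hits: List[Tuple[str, str]] = []
    for e in events:
        pid, name = e["pid"], _basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = _basename(parent["image"]) if parent else ""
        if name.endswith(".exe") and TEMP_DIR.search(e["image"]):
            hits.append(("exe_from_temp_dir", pid))          # "process from a recently created file"
        if name == "cmd.exe" and parent and TEMP_DIR.search(parent["image"]):
            hits.append(("cmd_spawned_by_temp_exe", pid))    # "running batch commands"
        if name == "ping.exe" and pname == "cmd.exe" and LOOPBACK.search(e["cmdline"]):
            hits.append(("ping_loopback_delay", pid))        # ping 127.0.0.1 as a sleep
        if name == "msiexec.exe" and pname == "cmd.exe":
            hits.append(("msiexec_via_cmd", pid))            # installer driven from a script
        if name == "rfusclient.exe" and pname == "rutserv.exe":
            hits.append(("remote_utilities_host_chain", pid))  # Remote Utilities host -> client
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:30s} pid={pid:4s} chain={' > '.join(ancestry(EVENTS, pid))}")
```

Each rule on its own is noisy (administrators do run msiexec from batch files); the value is in the co-occurrence within one ancestry chain rooted in a freshly written temp-directory executable, which is what the printed chains make visible.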
Threat name: Win32.Trojan.RemoteUtilities
Status: Malicious
First seen: 2020-07-27 00:55:35 UTC
File Type: PE (Exe)
Extracted files: 538
AV detection: 29 of 48 (60.42%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: macro discovery
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Runs ping.exe
Modifies system certificate store
Suspicious behavior: SetClipboardViewer
Drops file in Program Files directory
Drops file in Windows directory
Enumerates connected drives
Checks installed software on the system
Loads dropped DLL
Blacklisted process makes network request
Suspicious Office macro
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
