MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b4e974a65677792d97fdcb35bba28c1e961b6b32c99b4baa81bfdd7c85348bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemoteManipulator

Vendor detections: 12

SHA256 hash: 8b4e974a65677792d97fdcb35bba28c1e961b6b32c99b4baa81bfdd7c85348bd
SHA3-384 hash: 02b65dc3e2879312b8343596b230ecf17fb029fab90809f648209057b2fff7c1274a82e9e15e95acd039c11af341da07
SHA1 hash: 916eacdc0c0b2c7f7d1ebae963d8edda8631e424
MD5 hash: 00349c28a5f82e5617e4ca2410cc4b21
humanhash: zulu-september-early-winter
File name: 00349c28a5f82e5617e4ca2410cc4b21.exe
Signature: RemoteManipulator
File size: 5'683'709 bytes
First seen: 2021-10-27 16:21:17 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 6e7f9a29f2c85394521a08b9f31f6275 (278 x GuLoader, 44 x RemcosRAT, 40 x VIPKeylogger)
ssdeep: 98304:V2PKZFOvjUOdHmNkiA+A4hyWwdMwNqSbpO5G2VexeMnLQcGA6KG307QVv:VQcyjUsmNkiAG9wddsSbpO5G2VHG03KI
TLSH: T115463387A638496BC19ACFBA4835D176117B5D7E383AB28E7100F112FB777B2042E674
dhash icon: b6c88a981c8ef696 (1 x RemoteManipulator)
Reporter: abuse_ch
Tags: exe RemoteManipulator


abuse_ch
RemoteManipulator C2:
64.20.61.146:5655

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 64.20.61.146:5655
ThreatFox reference: https://threatfox.abuse.ch/ioc/238466/

Intelligence


File Origin
# of uploads: 1
# of downloads: 215
Origin country: n/a
Vendor Threat Intelligence
Detection: RemoteUtilitiesRAT
Result
Verdict: Malware
Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Searching for the window
Deleting a recently created file
Creating a process from a recently created file
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Firewall traversal
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: overlay packed remoteadmin virus
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RMSRemoteAdmin
Detection: malicious
Classification: evad
Score: 68 / 100
Signature
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Execution from Suspicious Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2021-08-04 17:28:00 UTC
AV detection: 10 of 28 (35.71%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:rms rat trojan
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
RMS
Unpacked files
SHA256 hash: 0fd5b88150c7fe903ee3561cb676deaa29df0f1b0471698f59605931ee82fd5d
MD5 hash: 38705505e1d8feb05cb0d52b15899a12
SHA1 hash: e8e5e824129d87a7de1c3c6b02871bd1d1ed65f1

SHA256 hash: 0113f07cb952009b7e5a14b6fb38e5658ae66b8eeba9035691aacd782546b6e3
MD5 hash: 57e66e9224b89d0f8181a4aa02031c9a
SHA1 hash: 74af9b8dc26cc243a23b1ed1848c318d860b423f
Detections: win_danabot_a1 win_rms_a0 win_rms_auto

SHA256 hash: 2cf0ef4f1ae0a625b73dd48a0f0b97fcbadd6e274501c130d0fc232a747dfa9d
MD5 hash: 092edec3cac8550e8e382a258b38fd04
SHA1 hash: 3fb4f39ecbfd49d9bc79c1a98b114155e48fda16

SHA256 hash: 9a81af4168efbe65090bf966212b776053c01876273d1d1be7f196bbb7e7a429
MD5 hash: 0ad97a338153b415f5b98b2b044f5fe8
SHA1 hash: 98aff60fe1a8afa2474fc5b76330e9c9269943de

SHA256 hash: 8b4e974a65677792d97fdcb35bba28c1e961b6b32c99b4baa81bfdd7c85348bd
MD5 hash: 00349c28a5f82e5617e4ca2410cc4b21
SHA1 hash: 916eacdc0c0b2c7f7d1ebae963d8edda8631e424
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Adsterra_Adware_DOM
Author: IlluminatiFish
Description: Detects Adsterra adware script being loaded without the user's consent

Rule name: MALWARE_Win_RemoteUtilitiesRAT
Author: ditekSHen
Description: RemoteUtilitiesRAT RAT payload

Rule name: win_rms_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: with_urls
Author: Antonio Sanchez <asanchez@hispasec.com>
Description: Rule to detect the presence of one or several URLs
Reference: http://laboratorio.blogs.hispasec.com/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments