MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8fba783fb93013344dd2182721a3b1a3fbc96b7b8c49ad4b364c63a0f2b11496. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemoteManipulator


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8fba783fb93013344dd2182721a3b1a3fbc96b7b8c49ad4b364c63a0f2b11496
SHA3-384 hash: 66f42323213dfddc6084fee3fde5138cc9638942e54f372eaded990115f19d9a156477d6e4482fdc6a32af9eb71cdc6b
SHA1 hash: b7b066342aa9c227e549746a600346906ee9c24c
MD5 hash: c2873f34ebec63388a5b2f560870844e
humanhash: tennis-december-alabama-leopard
File name:c2873f34ebec63388a5b2f560870844e.exe
Download: download sample
Signature RemoteManipulator
Create hunting rule
File size:4'313'321 bytes
First seen:2021-03-13 07:45:25 UTC
Last seen:2021-03-13 09:48:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7eae418c7423834ffc3d79b4300bd6fb (54 x GuLoader, 17 x RemcosRAT, 16 x AgentTesla)
ssdeep 98304:YqkRs5Hf8FyHH0qNLF2zr9RJw8tqMMycCedzqFX7:YxKWyHHxyr9lXctgl7
Threatray 15 similar samples on MalwareBazaar
TLSH FD163309CAD2AE63D93612B41CEAD63D3656EE291A66C34238CD9D7B3029FC1C71075F
Reporter abuse_ch
Tags:exe RemoteManipulator

Intelligence

File Origin
# of uploads :
2
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c2873f34ebec63388a5b2f560870844e.exe
Verdict:
Suspicious activity
Analysis date:
2021-03-13 07:48:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/860ba7e4-6c4a-4ee6-93f7-22cd787259de

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RemoteUtilitiesRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/124054/
Detection(s):
SecuriteInfo.com.Program.Unwanted.2520.12407.23216.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Searching for the window
Deleting a recently created file
Creating a file
Creating a process from a recently created file
Creating a window
Creating a process with a hidden window
Sending a custom TCP request
Running batch commands
Launching a process
Launching a service
Launching the process to change the firewall settings
Loading a system driver
Enabling autorun for a service
Forced shutdown of a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RMSRemoteAdmin
Create hunting rule
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/638486
Signature
Machine Learning detection for sample
Modifies security policies related information
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 368220 Sample: lHmJMVkjMn.exe Startdate: 13/03/2021 Architecture: WINDOWS Score: 80 54 Multi AV Scanner detection for dropped file 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 Machine Learning detection for sample 2->58 60 4 other signatures 2->60 7 lHmJMVkjMn.exe 7 35 2->7         started        11 siggsrv.exe 2 2->11         started        13 tsusbhub.sys 3 2->13         started        15 2 other processes 2->15 process3 file4 40 C:\Users\user\AppData\Local\...\RDP_3199.exe, PE32 7->40 dropped 42 C:\Program Files\WerifSing\siggsrv.exe, PE32 7->42 dropped 44 C:\Users\user\AppData\Local\Temp\Log375.xml, XML 7->44 dropped 46 7 other files (none is malicious) 7->46 dropped 64 Modifies security policies related information 7->64 17 RDP_3199.exe 2 4 7->17         started        21 cmd.exe 1 7->21         started        23 siggsrv.exe 4 2 7->23         started        signatures5 process6 dnsIp7 38 C:\Program Files\Affiliation\eclipse.dll, PE32+ 17->38 dropped 62 Multi AV Scanner detection for dropped file 17->62 26 netsh.exe 3 17->26         started        28 conhost.exe 17->28         started        30 conhost.exe 21->30         started        32 schtasks.exe 1 21->32         started        34 schtasks.exe 1 21->34         started        36 schtasks.exe 1 21->36         started        48 213.252.246.63, 49741, 49743, 49750 IST-ASLT Lithuania 23->48 50 127.0.0.1 unknown unknown 23->50 52 192.168.2.1 unknown unknown 23->52 file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8fba783fb93013344dd2182721a3b1a3fbc96b7b8c49ad4b364c63a0f2b11496/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r65hqp5zgajtitosdatsdi5rup54s233rre22szwjrr2b4vrcsla._file
Verdict:
malicious
Similar samples:
118dd258630c48b0beacd8b4c04c9c9cd3b9f698b660b6a904b1dfc033e00cd1
RemoteManipulator
5312214b15330113f6eab71565e1e3c7d1ee3b59daa6703c271aaf3b192e6809
RemoteManipulator
6c8a5f43e07034d0545c60c137f96c6ab8da44cfd59a8654896c8f6c497aefad
RemoteManipulator
6dda990d8073fee71cedeabd622f6d7a9be6fb2e696bda71e7b709f1c08f5e36
RemoteManipulator
7cebce024d5351e0179898fffce2628756bdcd33f9ce3833f922f1265b6e5f73
RemoteManipulator
8f4d63fea00eca6d91147de6a10b7aae6069f164ef00d5986eff571249552dae
RemoteManipulator
b5961f407c0afef04c9406ba17cbae3fe4cc575b47e50081abbda0d96f9c0f18
RemoteManipulator
e5f575d9223be5a7a825f598e21b5ec4475ea6a9d58ad0e87932a57768908027
RemoteManipulator
ed20ff85f5df587140e0780e16a5eb28df94e1b6330c8256de39d94b5a772e83
RemoteManipulator
ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb
RemoteManipulator
+ 5 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion persistence
Link:
https://tria.ge/reports/210313-7tengbr2a6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Modifies WinLogon
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
Sets DLL path for service in the registry
Unpacked files
SH256 hash:
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47
MD5 hash:
f27689c513e7d12c7c974d5f8ef710d6
SHA1 hash:
e305f2a2898d765a64c82c449dfb528665b4a892
Link:
https://www.unpac.me/results/a607a36a-3e81-4ec9-88cd-9ff7af74bb65/
SH256 hash:
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d
MD5 hash:
2b7007ed0262ca02ef69d8990815cbeb
SHA1 hash:
2eabe4f755213666dbbbde024a5235ddde02b47f
Link:
https://www.unpac.me/results/a607a36a-3e81-4ec9-88cd-9ff7af74bb65/
SH256 hash:
df3621f83e9d11be45e0e617b899c4ab0241f60ed56494e892dc449482058402
MD5 hash:
4b0617493f32b2b5fe5e838eeb885819
SHA1 hash:
336e84380420a9caaa9c12af7c8e530135e63c57
Link:
https://www.unpac.me/results/a607a36a-3e81-4ec9-88cd-9ff7af74bb65/
SH256 hash:
06fb0d66c6a95d1cba14bdd0d733bda5778fcd98be068f4c17378862e9ceb9b6
MD5 hash:
020871859cc25cbb5520db2da544ca61
SHA1 hash:
f2eedbac8cf67892489c176f6476f3e63fdf9585
Link:
https://www.unpac.me/results/a607a36a-3e81-4ec9-88cd-9ff7af74bb65/
SH256 hash:
2f33ed67124a2225104726cb59f001e5ff4d78b0d88a650ced997890b515a73b
MD5 hash:
51b15fc8de1a07851f648ffe4362e5ca
SHA1 hash:
b8215e0a97424eff245eaf196ed4fccd154723b6
Link:
https://www.unpac.me/results/a607a36a-3e81-4ec9-88cd-9ff7af74bb65/
SH256 hash:
60b727d6aa1469d7b9efec8669368e6018d4363150466029d9a77afe545671d9
MD5 hash:
7cfdbba38658c1410f20010796d94bf2
SHA1 hash:
777f1195a6e8140f92248ebfff02dd55730de09c
Link:
https://www.unpac.me/results/a607a36a-3e81-4ec9-88cd-9ff7af74bb65/
SH256 hash:
4c19d053751a68b30c045119642964268659bf79bd066046c32ddb875ec339eb
MD5 hash:
b52ac2b928342ee016739834af802beb
SHA1 hash:
1d4d62475d6ab667fdbc68a46177b7ae01c2ddeb
Link:
https://www.unpac.me/results/a607a36a-3e81-4ec9-88cd-9ff7af74bb65/
SH256 hash:
37dd96230521a91dc7eba0d0a4fe8726b4405562b1a96363a01e28334bde94fd
MD5 hash:
567103638bb0c81cf9bd86f727ea12ac
SHA1 hash:
ddc03ea66412f11b5975092f92067a85d29d17b1
Link:
https://www.unpac.me/results/a607a36a-3e81-4ec9-88cd-9ff7af74bb65/
SH256 hash:
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
MD5 hash:
8cf2ac271d7679b1d68eefc1ae0c5618
SHA1 hash:
7cc1caaa747ee16dc894a600a4256f64fa65a9b8
Link:
https://www.unpac.me/results/a607a36a-3e81-4ec9-88cd-9ff7af74bb65/
SH256 hash:
f344713a08459675b6db6fc79e93f7813d8793af6fd9a2c8c64aa1a0a0e0d218
MD5 hash:
d53c32cedd3d4c37d0a35183ec531ed9
SHA1 hash:
1184372024a780df8234ac67c4a5db4d303adbc5
Link:
https://www.unpac.me/results/a607a36a-3e81-4ec9-88cd-9ff7af74bb65/
SH256 hash:
389881d639df3cb31b001a7c5e37147d995d5e26784f71a077e78c3a55a27f4d
MD5 hash:
bd6e63b9e6d7920c156d7312eb9443f3
SHA1 hash:
a05043567cd36f5a7c467e01a5ecedeba03901b3
Link:
https://www.unpac.me/results/a607a36a-3e81-4ec9-88cd-9ff7af74bb65/
SH256 hash:
3c243d61989f2bc8b15d48aa0732cebaa982e4ada9c43535b9d0fce2c193be54
MD5 hash:
9239dcb0a2a270141797431e78890281
SHA1 hash:
9811375cf3f702b1e2d95ca9f5bbbf2f81a4bd91
Link:
https://www.unpac.me/results/a607a36a-3e81-4ec9-88cd-9ff7af74bb65/
SH256 hash:
0791336fa267d5042a268032291dbdccac3f23fbce49563a240e1d5b2861456d
MD5 hash:
91eb781a03a80ef4b065822496f768b2
SHA1 hash:
201e1d30b1da6426b26d4f0e3847e98b8e436bbb
Detections:
win_rms_a0
Create hunting rule
win_rms_auto
Create hunting rule
Link:
https://www.unpac.me/results/a607a36a-3e81-4ec9-88cd-9ff7af74bb65/
SH256 hash:
8fba783fb93013344dd2182721a3b1a3fbc96b7b8c49ad4b364c63a0f2b11496
MD5 hash:
c2873f34ebec63388a5b2f560870844e
SHA1 hash:
b7b066342aa9c227e549746a600346906ee9c24c
Link:
https://www.unpac.me/results/a607a36a-3e81-4ec9-88cd-9ff7af74bb65/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DanaBot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8fba783fb93013344dd2182721a3b1a3fbc96b7b8c49ad4b364c63a0f2b11496

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemoteManipulator

Executable exe 8fba783fb93013344dd2182721a3b1a3fbc96b7b8c49ad4b364c63a0f2b11496

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/975095/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/124054/

Comments