MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94e4d5fcc31fc37aa29b3d042bc2c0295b66592f33730e05e2889a9a69f32f5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemoteManipulator


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94e4d5fcc31fc37aa29b3d042bc2c0295b66592f33730e05e2889a9a69f32f5f
SHA3-384 hash: 05817a4e2c0b468d157c4dfbd3a523707bf3ee37599c56d5264ea21bfea7f74a472f1da58654c07e0551b47569078d01
SHA1 hash: 7c9bf87daa9c7f894dcfdaa19e75808938db9f51
MD5 hash: 54a57c4a0b4891ad3ea90bdf833beed7
humanhash: eighteen-ack-ack-magnesium
File name:94E4D5FCC31FC37AA29B3D042BC2C0295B66592F33730.exe
Download: download sample
Signature RemoteManipulator
Create hunting rule
File size:17'174'640 bytes
First seen:2022-06-26 17:31:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 38be718d163809a15e0c7a672311fe41 (18 x RemoteManipulator)
ssdeep 196608:/KUhrgqNFW2KjXtamH4r+YD7WMHJb4xPST6Q5Vitl4u8Oq9wTi6p7kNTuzp3Diky:/fdeXtaCQ5vJHVV5VmI9AJpuspp8
Threatray 74 similar samples on MalwareBazaar
TLSH T1BB073387FBE58819C4FF0ABB49BD5B100B39BCA45923938D1399F12D0C363459AA53DB
TrID 66.6% (.EXE) UPX compressed Win32 Executable (27066/9/6)
11.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
4.9% (.EXE) OS/2 Executable (generic) (2029/13)
4.9% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon c4dacabacac0c244 (47 x RemoteManipulator)
Reporter abuse_ch
Tags:exe RemoteManipulator signed

Code Signing Certificate

Organisation:Remote Utilities LLC
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2020-08-18T00:00:00Z
Valid to:2022-08-18T23:59:59Z
Serial number: aab0e5906afead7b956937974d8016ef
Intelligence: 13 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: cae7c89d5c445a4d774e14192fbcc6bb80658f183cec22da8146317446c33628
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
RemoteManipulator C2:
185.163.117.35:5655

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.163.117.35:5655 https://threatfox.abuse.ch/ioc/729155/

Intelligence

File Origin
# of uploads :
1
# of downloads :
275
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a service
Sending a custom TCP request
DNS request
Searching for the window
Creating a file in the Windows subdirectories
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
greyware overlay packed remoteadmin remotecontrol
Link:
https://www.filescan.io/uploads/62b897d81fcdba4e1a5c2ff0/reports/727f4f32-b18d-4a13-85e7-681905ac17ae/overview
Result
Verdict:
MALICIOUS
Malware family:
Remote Utilities RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e98a1569-6696-4c02-b38e-ab881d224db5
Result
Threat name:
RMSRemoteAdmin
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1020001
Signature
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file registry)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/94e4d5fcc31fc37aa29b3d042bc2c0295b66592f33730e05e2889a9a69f32f5f/
Threat name:
Win32.PUA.MiscX
Create hunting rule
Status:
Malicious
First seen:
2022-06-23 14:54:45 UTC
File Type:
PE (Exe)
Extracted files:
87
AV detection:
8 of 26 (30.77%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=stsnl7gdd7bxviu3huccxqwaffnwmwjpgnzq4bpcrcnju2ptf5pq._file
Verdict:
malicious
Similar samples:
22ecf75f81c4e67a889f0f89adee960deb071e289b84c4cb6002d744b08f2492
RemoteManipulator
56cec810fc6f445e17a04306b653bb3296b55fe481b518c9aca4b1ef69824a3e
RemoteManipulator
78dedaf861e8a8b88b1419aebf37a74be707f531dce0804f970c70f372b2a247
RemoteManipulator
d33b0bce0ea5e62ba7480d8e150e021bf9151f5308400dac01a133fa4a94cbba
RemoteManipulator
d74f00989c51e8c7ea20038e712df510ee4f0eab405666634036ba255462a59f
RemoteManipulator
ee3eeb0939e2e1b3ee54b369f044f5f666a64cf74d55c278dcfdf4c278a53214
RemoteManipulator
+ 64 additional samples on MalwareBazaar
Result
Malware family:
rms
Create hunting rule
Score:
  10/10
Tags:
family:rms rat trojan upx
Link:
https://tria.ge/reports/220626-v3q4qadgb6/
Behaviour
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
UPX packed file
RMS
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
a63fe702c778f952948d80111daaff466b5dc93a64c1dfa2af9f75bf55e22cfd
MD5 hash:
87100633b4a75331a8409a497f8370b1
SHA1 hash:
01dbb5d92590125cf59e42e6106e6050be3c4beb
Link:
https://www.unpac.me/results/e14289e4-2e20-4219-ac24-f4674ada731d/
SH256 hash:
ae2c70e7adaf87d651b123e1ba89575f692eb48599f13a2c296caf155600d347
MD5 hash:
4210da833efe9decbe9248f1350dd27f
SHA1 hash:
6408c38b595fd140068686313a26af78ee9c1568
Link:
https://www.unpac.me/results/e14289e4-2e20-4219-ac24-f4674ada731d/
SH256 hash:
f93dfd03fb2e60394ddaac651eb2a0fdb8353f6aab04160d9c31bb3d359e83e4
MD5 hash:
c9eb45179b6a4fa5ac8d80bc15cafb40
SHA1 hash:
c7216b264bd96b44fc741443c07910afe7d8c624
Link:
https://www.unpac.me/results/e14289e4-2e20-4219-ac24-f4674ada731d/
SH256 hash:
b0d97f72021b6d5e3ca6d3ae609f1642dff7563917756f97a73a2e1b4ddb0165
MD5 hash:
1b6739ebf514ab7e59aa367c174c4c96
SHA1 hash:
62581a716b7e8a2760e7ef7c5e02cd1101b89785
Link:
https://www.unpac.me/results/e14289e4-2e20-4219-ac24-f4674ada731d/
SH256 hash:
8fed25090ad30eb4d0b61b2de3f93d935bad799befe10491b88669085e1ea480
MD5 hash:
c1a46b9bf24be7152a79face24f6937f
SHA1 hash:
7623e7d2dde70fcca41d95e9b85c8425e9976a8e
Link:
https://www.unpac.me/results/e14289e4-2e20-4219-ac24-f4674ada731d/
Parent samples :
0c41e02ef1c8837307ffbfe5e3c97116808ced2214d34a5517ac732bc2c3baa7
8c4a21abb710c7461e914ffaac2e0e0bd9f787ecea09c40eb6fcebee6c0b7459
3dcace7d338614daae6b307208d1f01b287cd1e9d747e04311110fe315ae37a7
b2d82a1342c45a9e369b7c894dc85a2ba43b0b439b30c40bc70659d073769823
SH256 hash:
49964b396a2dba71f675dd62b18b33c88a6f1a0178d6e82c97e687d83aec0a36
MD5 hash:
b6f721fd738f5c745584ce9fe359084c
SHA1 hash:
a7b04fc7bfe6b5972d3d6760768dc249190e8297
Link:
https://www.unpac.me/results/e14289e4-2e20-4219-ac24-f4674ada731d/
SH256 hash:
82541db0bd803ba9e41f2086fb2aed96c13ee1d6d0f30b1220e1f013358949f5
MD5 hash:
6b1372cb1ea2d0a6281013eb07b1810e
SHA1 hash:
60c9125ef3cb70310c0d5acd231e66a82fb87128
Detections:
win_rms_a0
Create hunting rule
win_rms_auto
Create hunting rule
Link:
https://www.unpac.me/results/e14289e4-2e20-4219-ac24-f4674ada731d/
SH256 hash:
7983cf080de056481f7432999282f95b9ff72d5d37b976fbb3c7e03a6fc8d423
MD5 hash:
b6daf55ddff4723d964253fdd6c5c7a6
SHA1 hash:
9f01976d10aec622098a59efd9d8fcfb0b3cf298
Detections:
win_rms_a0
Create hunting rule
Link:
https://www.unpac.me/results/e14289e4-2e20-4219-ac24-f4674ada731d/
SH256 hash:
94e4d5fcc31fc37aa29b3d042bc2c0295b66592f33730e05e2889a9a69f32f5f
MD5 hash:
54a57c4a0b4891ad3ea90bdf833beed7
SHA1 hash:
7c9bf87daa9c7f894dcfdaa19e75808938db9f51
Link:
https://www.unpac.me/results/e14289e4-2e20-4219-ac24-f4674ada731d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/94e4d5fcc31f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/94e4d5fcc31fc37aa29b3d042bc2c0295b66592f33730e05e2889a9a69f32f5f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sectigo_Code_Signed
Create hunting rule
Description:Detects code signed by the Sectigo RSA Code Signing CA
Reference:https://bazaar.abuse.ch/export/csv/cscb/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments