MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 98abbdc3e858ec0647826f9ea66624a15424e4b9c7e6a026341b41f0668f4423. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemoteManipulator


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 98abbdc3e858ec0647826f9ea66624a15424e4b9c7e6a026341b41f0668f4423
SHA3-384 hash: c16c1d56e84e401eb787cc390fc2aa724b07ce3d5fc53323bf273fb85090fa5b6a4552b8ccfe132f31ae512fb325bacd
SHA1 hash: 519a968fe267b9bf77f7ff2ba1074e8e20202d60
MD5 hash: ad65a509881ef712234bb07cb1165a46
humanhash: blossom-kilo-mike-bacon
File name:ad65a509881ef712234bb07cb1165a46.exe
Download: download sample
Signature RemoteManipulator
Create hunting rule
File size:4'621'719 bytes
First seen:2022-08-18 04:26:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b8494300a1f7342d4c600a7b12e15925 (3 x RedLineStealer, 3 x RemoteManipulator, 1 x njrat)
ssdeep 98304:HXz+89bq0C+fRXzclLI6bei3yTu8HsXwKcuj:3K8Bq0DfaN/3yTSAUj
TLSH T13426333E7090447BC1253A328E2B8272B73EBD159E3CC9DFB7DC595829233652E613A5
TrID 86.6% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
5.6% (.EXE) InstallShield setup (43053/19/16)
1.8% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.7% (.SCR) Windows screen saver (13101/52/3)
1.3% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
File icon (PE):PE icon
dhash icon c1dcdccda6a8cec6 (2 x DarkVisionRAT, 1 x Formbook, 1 x AveMariaRAT)
Reporter abuse_ch
Tags:exe RemoteManipulator


Avatar
abuse_ch
RemoteManipulator C2:
80.89.239.149:5655

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
80.89.239.149:5655 https://threatfox.abuse.ch/ioc/843916/

Intelligence

File Origin
# of uploads :
1
# of downloads :
302
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
rms
Create hunting rule
ID:
1
File name:
officedeploymenttool_15330-20230.exe
Verdict:
Malicious activity
Analysis date:
2022-08-02 01:53:17 UTC
Tags:
installer loader rat rms
Link:
https://app.any.run/tasks/6c97aca0-c364-49db-bd12-c068264fd3e8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/299456/
Detection(s):
SecuriteInfo.com.Filecoder.I.dropper.22548.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Searching for the window
Creating a file in the %AppData% directory
Modifying a system file
Creating a process from a recently created file
Creating a file in the Windows subdirectories
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Launching a service
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching a tool to kill processes
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/29353/overview
Behaviour
MalwareBazaar
CPUID_Instruction
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
60%
Tags:
fingerprint greyware overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62fdbfb2eb0bf1e2c6e688df/reports/5bfa2918-644e-4510-b592-ac274bfc95cb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ba43ac86-93c6-405f-9849-c58abc122384
Result
Threat name:
RMSRemoteAdmin, xRAT, DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1053533
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected unpacking (overwrites its own PE header)
Detected xRAT
Drops PE files to the user root directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (has network functionality)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 686050 Sample: bx5wKtlGZk.exe Startdate: 18/08/2022 Architecture: WINDOWS Score: 72 68 Multi AV Scanner detection for domain / URL 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 Antivirus detection for URL or domain 2->72 74 8 other signatures 2->74 10 bx5wKtlGZk.exe 19 6 2->10         started        process3 file4 48 C:\...\officedeploymenttool_15330-20230.exe, PE32 10->48 dropped 50 C:\Users\user\AppData\...\microsoft360.vbs, ISO-8859 10->50 dropped 52 C:\Users\user\AppData\Local\...\temp_0.tmp, Microsoft 10->52 dropped 84 Potential malicious VBS script found (has network functionality) 10->84 14 wscript.exe 16 10->14         started        19 officedeploymenttool_15330-20230.exe 2 25 10->19         started        signatures5 process6 dnsIp7 62 microsoft-360es.com 81.177.33.219, 49711, 80 RTCOMM-ASRU Russian Federation 14->62 54 C:\Users\user\AppData\Local\...\Start[1].exe, PE32 14->54 dropped 56 C:\ProgramData\Start.exe, PE32 14->56 dropped 64 System process connects to network (likely due to code injection or exploit) 14->64 21 Start.exe 16 17 14->21         started        58 C:\Users\user\setup.exe, PE32 19->58 dropped 66 Drops PE files to the user root directory 19->66 file8 signatures9 process10 file11 40 C:\ProgramData\Immunity\rutserv.exe, PE32 21->40 dropped 42 C:\ProgramData\...\webmvorbisencoder.dll, PE32 21->42 dropped 44 C:\ProgramData\...\webmvorbisdecoder.dll, PE32 21->44 dropped 46 6 other files (none is malicious) 21->46 dropped 76 Antivirus detection for dropped file 21->76 78 Multi AV Scanner detection for dropped file 21->78 80 Machine Learning detection for dropped file 21->80 25 cmd.exe 1 21->25         started        signatures12 process13 signatures14 82 Uses cmd line tools excessively to alter registry or file data 25->82 28 rutserv.exe 2 25->28         started        31 taskkill.exe 1 25->31         started        33 conhost.exe 25->33         started        35 21 other processes 25->35 process15 signatures16 86 Detected unpacking (overwrites its own PE header) 28->86 88 Machine Learning detection for dropped file 28->88 37 rutserv.exe 28->37         started        process17 dnsIp18 60 80.89.239.149, 49735, 49742, 5655 ON-LINE-DATAServerlocation-NetherlandsDrontenNL Netherlands 37->60
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/98abbdc3e858ec0647826f9ea66624a15424e4b9c7e6a026341b41f0668f4423/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-08-01 08:27:22 UTC
File Type:
PE (Exe)
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tcv33q7ildwamr4cn6pkmzreufkcjzfzy7tkajrudna7azupiqrq._file
Verdict:
malicious
Result
Malware family:
rms
Create hunting rule
Score:
  10/10
Tags:
family:rms discovery persistence rat trojan
Link:
https://tria.ge/reports/220818-e234wshcdk/
Behaviour
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
RMS
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
1b44c873eb9d2a37f01535b51e51facf6f15f79f36929437c7cc115d657ca483
MD5 hash:
fda1a9b62cb8287912189415294b7fd4
SHA1 hash:
e32d67060ad267f008e5e2890cc6814bc6872bf6
Link:
https://www.unpac.me/results/2af9cc88-7c8b-4546-9a7a-155a25efb72e/
SH256 hash:
98abbdc3e858ec0647826f9ea66624a15424e4b9c7e6a026341b41f0668f4423
MD5 hash:
ad65a509881ef712234bb07cb1165a46
SHA1 hash:
519a968fe267b9bf77f7ff2ba1074e8e20202d60
Link:
https://www.unpac.me/results/2af9cc88-7c8b-4546-9a7a-155a25efb72e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/98abbdc3e858/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/98abbdc3e858ec0647826f9ea66624a15424e4b9c7e6a026341b41f0668f4423

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_RemoteUtilitiesRAT
Create hunting rule
Author:ditekSHen
Description:RemoteUtilitiesRAT RAT payload
Rule name:win_rms_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_urls
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the presence of an or several urls
Reference:http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/299456/

Comments