MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemoteManipulator


Vendor detections: 14


Intelligence 14 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824
SHA3-384 hash: c8e8c5fdf6231163b7b636a03f2043db39d42927ad1e7dc4373cee7122f381fdbaceea83a7d0ab433c34d872a468945d
SHA1 hash: dc1425cfd5569bd59f5d56432df875b59da9300b
MD5 hash: 73f351beae5c881fafe36f42cde9a47c
humanhash: vegan-low-moon-october
File name:73f351beae5c881fafe36f42cde9a47c.exe
Download: download sample
Signature RemoteManipulator
Create hunting rule
File size:8'684'106 bytes
First seen:2021-12-28 03:41:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c769210c368165fcb9c03d3f832f55eb (8 x RemoteManipulator, 1 x QuasarRAT)
ssdeep 196608:PdQ5Lq4eAGPJgBDpKLtW0tzHlYd3cvF8m9k/RRZpAp2FG0c+imhtO:P2VqyC8mQ0vxN79kpR40cUO
TLSH T1CB9633057B489DF7C3F1963B28506830E5F63BAC0B22B5AF92D0E763DB99A8087345D5
File icon (PE):PE icon
dhash icon fce4ceded86c7871 (4 x RemoteManipulator)
Reporter abuse_ch
Tags:exe RemoteManipulator


Avatar
abuse_ch
RemoteManipulator C2:
77.247.243.43:5655

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
77.247.243.43:5655 https://threatfox.abuse.ch/ioc/288174/

Intelligence

File Origin
# of uploads :
1
# of downloads :
257
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
73f351beae5c881fafe36f42cde9a47c.exe
Verdict:
No threats detected
Analysis date:
2021-12-28 03:44:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7c4a87f1-5ba8-4f20-b197-6f1e67979dd4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RemoteUtilitiesRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/216641/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Searching for synchronization primitives
Launching a process
Sending an HTTP GET request
DNS request
Modifying a system file
Creating a file in the Windows subdirectories
Sending a custom TCP request
Creating a file in the Program Files subdirectories
Creating a service
Creating a file
Running batch commands
Launching a service
Searching for the window
Enabling autorun for a service
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/3371/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed remoteadmin
Link:
https://www.filescan.io/uploads/61ca878f4ab5c44cbf543d67/reports/2b23ad3a-c234-4202-87d9-3ce9140a9bee/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/37f42428-4c67-4dac-a1cd-e3c9883f435d
Result
Threat name:
RMSRemoteAdmin
Create hunting rule
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/913355
Signature
Antivirus / Scanner detection for submitted sample
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 545833 Sample: p7AoA1Gev5.exe Startdate: 28/12/2021 Architecture: WINDOWS Score: 80 60 Antivirus / Scanner detection for submitted sample 2->60 62 Multi AV Scanner detection for dropped file 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 3 other signatures 2->66 8 msiexec.exe 98 92 2->8         started        11 p7AoA1Gev5.exe 5 2->11         started        13 svchost.exe 2->13         started        16 11 other processes 2->16 process3 dnsIp4 46 C:\Program Files (x86)\...\rutserv.exe, PE32 8->46 dropped 48 server_stop_27D787...EA10FB36BB4D2F9.exe, PE32 8->48 dropped 50 server_start_C0086...8A26292A601EBE2.exe, PE32 8->50 dropped 54 35 other files (none is malicious) 8->54 dropped 19 rutserv.exe 8->19         started        21 rutserv.exe 1 8->21         started        23 rutserv.exe 8->23         started        25 msiexec.exe 8->25         started        52 C:\Users\user\AppData\Local\...\installer.exe, PE32 11->52 dropped 27 installer.exe 2 11->27         started        70 Changes security center settings (notifications, updates, antivirus, firewall) 13->70 30 MpCmdRun.exe 13->30         started        56 77.247.243.43, 49758, 5655 MSTN-ASRU Russian Federation 16->56 58 192.168.2.1 unknown unknown 16->58 32 rfusclient.exe 16->32         started        34 rfusclient.exe 16->34         started        file5 signatures6 process7 signatures8 68 Contains functionality to detect sleep reduction / modifications 27->68 36 cmd.exe 27->36         started        38 msiexec.exe 27->38         started        40 conhost.exe 30->40         started        42 rfusclient.exe 32->42         started        process9 process10 44 conhost.exe 36->44         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2021-10-06 07:40:00 UTC
File Type:
PE (Exe)
Extracted files:
648
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uauic3mxifkayymebenuvy6e4qvrat4q7y5rpjk5bzfkjrgehasa._file
Verdict:
malicious
Result
Malware family:
rms
Create hunting rule
Score:
  10/10
Tags:
family:rms discovery rat trojan
Link:
https://tria.ge/reports/211228-d9c21addd6/
Behaviour
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Checks installed software on the system
Enumerates connected drives
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
RMS
Unpacked files
SH256 hash:
bd82623c11226fa5af74fdc8919ace4bbd538a2ea273c78c24c68d523126004b
MD5 hash:
36eb4b99f302ec3ffdf150bce45fd802
SHA1 hash:
c7f89058e4bac495c1630687db2c035018879cd3
Detections:
win_rms_a0
Create hunting rule
win_rms_auto
Create hunting rule
Link:
https://www.unpac.me/results/79cda7a1-0ded-459c-9fff-0af4b35dc983/
SH256 hash:
a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824
MD5 hash:
73f351beae5c881fafe36f42cde9a47c
SHA1 hash:
dc1425cfd5569bd59f5d56432df875b59da9300b
Link:
https://www.unpac.me/results/79cda7a1-0ded-459c-9fff-0af4b35dc983/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a028816d9741540c6184091b4ae3c4e42b104f90fe3b17a55d0e4aa4c4c43824

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/216641/

Comments