MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae20798a24a3a7dbc44ad8d9182fd4cd289ed89a96e5f0ee430e329b710af522. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemoteManipulator

Vendor detections: 11

Intelligence 11 IOCs 1 YARA 5 File information Comments

SHA256 hash:	ae20798a24a3a7dbc44ad8d9182fd4cd289ed89a96e5f0ee430e329b710af522
SHA3-384 hash:	3c7cb1cc2358c5c7782b70f8759578533440c27763ab7749a3b42e6ce925a4fac241b113cc7f433dfbc40ff711836a99
SHA1 hash:	3c2f0503b02a80619e55c444b1dbf66b48328d47
MD5 hash:	1132ead4499f0ce2b021432b83ca4b76
humanhash:	massachusetts-october-network-fix
File name:	1132ead4499f0ce2b021432b83ca4b76.exe
Download:	download sample
Signature	RemoteManipulator Create hunting rule
File size:	24'902'104 bytes
First seen:	2022-09-19 23:31:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	03ddf423826fa1fcd7b9b240c54fc40f (4 x RemoteManipulator)
ssdeep	393216:0bUBx1ZrzDywEvRYeHuCZYKmvJITDqgM+evGXioV1S64G790KxcPD+l:Xri2eL6K/aYioD4Gii
TLSH	T18B47F117B388643DD07B1A3A4937A714963FBEB1353A9D476BE8184C4E392806E3E747
TrID	50.5% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 32.9% (.EXE) UPX compressed Win32 Executable (27066/9/6) 5.4% (.EXE) Win32 Executable (generic) (4505/5/1) 3.6% (.MZP) WinArchiver Mountable compressed Archive (3000/1) 2.4% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	c4dacabacac0c244 (47 x RemoteManipulator)
Reporter	abuse_ch
Tags:	exe RemoteManipulator

abuse_ch

RemoteManipulator C2:
192.70.196.65:5655

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
192.70.196.65:5655	https://threatfox.abuse.ch/ioc/850575/

Intelligence

File Origin

# of uploads :

# of downloads :

365

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

rms

ID:

File name:

1132ead4499f0ce2b021432b83ca4b76.exe

Verdict:

Malicious activity

Analysis date:

2022-09-19 23:32:04 UTC

Tags:

rat rms

Link:

https://app.any.run/tasks/d15d18b0-19e6-40ff-af25-6386eb97d4a9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

PUA.Win.Packer.Exe-6

PUA.Win.Packer.AcprotectUltraprotect-1

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Launching a service

Sending a custom TCP request

Creating a file in the Windows subdirectories

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/38192/overview

Behaviour

MalwareBazaar

CheckNumberOfProcessor

LanguageCheck

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

fingerprint greyware keylogger overlay packed remoteadmin windows

Link:

https://www.filescan.io/uploads/6328fbbbe64c53f047f650df/reports/a42f6f11-dd22-4578-a70f-cbfe1d1595a9/overview

Result

Verdict:

MALICIOUS

Gathering data

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vyqhtcreuot5xrck3dmrql6uzuuj5we2s3s7b3sdbyzjw4ik6ura._file

Result

Malware family:

rms

Score:

10/10

Tags:

family:rms rat trojan upx

Link:

https://tria.ge/reports/220919-3hpzxsbfh6/

Behaviour

Modifies data under HKEY_USERS

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in System32 directory

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

UPX packed file

RMS

Suspicious use of NtCreateUserProcessOtherParentProcess

Verdict:

Unknown

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/252c8733-f9a5-4614-85eb-5e8f240f89be

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ae20798a24a3/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ae20798a24a3a7dbc44ad8d9182fd4cd289ed89a96e5f0ee430e329b710af522

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	MALWARE_Win_RemoteUtilitiesRAT Create hunting rule
Author:	ditekSHen
Description:	RemoteUtilitiesRAT RAT payload

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	win_rms_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	with_urls Create hunting rule
Author:	Antonio Sanchez <asanchez@hispasec.com>
Description:	Rule to detect the presence of an or several urls
Reference:	http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample