MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b09c83cc92243c149da72ad6039891cc328f2eae0afdd327fe363b9b0d4297bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemoteManipulator


Vendor detections: 6


Intelligence 6 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b09c83cc92243c149da72ad6039891cc328f2eae0afdd327fe363b9b0d4297bf
SHA3-384 hash: 0da113ec99dd189395c63b8778ea01102fbee45e0fae6eeeec087255c9e87e13417737905b0921fba1e741060dbefcab
SHA1 hash: 48a4f90b48584a75f9f508459495d227272f1ed4
MD5 hash: b0a2f08191a6073136a838d0ae99da8a
humanhash: yellow-ack-emma-avocado
File name:B0A2F08191A6073136A838D0AE99DA8A.exe
Download: download sample
Signature RemoteManipulator
Create hunting rule
File size:18'023'936 bytes
First seen:2021-07-30 22:11:12 UTC
Last seen:2021-07-30 22:40:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 19b321cb7a9ce31c90397152f38b67ea (29 x RemoteManipulator)
ssdeep 393216:n5kP+zYFoXdABsAkx59qz+hs46vM1mIeihll0i0hqiK:n5P2slzXhN6vM1Xfudhq
Threatray 36 similar samples on MalwareBazaar
TLSH T1AE0733C3E3F00859E8FF533699F75F1C5A2AFCAC5A31230E19D0B15A64A3E9608566D3
dhash icon c0dacabacac0c244 (20 x RemoteManipulator)
Reporter abuse_ch
Tags:exe RemoteManipulator


Avatar
abuse_ch
RemoteManipulator C2:
109.195.195.159:5655

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
109.195.195.159:5655 https://threatfox.abuse.ch/ioc/164973/

Intelligence

File Origin
# of uploads :
2
# of downloads :
582
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
B0A2F08191A6073136A838D0AE99DA8A.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-30 22:14:44 UTC
Tags:
rat rms
Link:
https://app.any.run/tasks/a445d1bf-a755-4bee-a2cc-aecb8dd0a481

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

PUA.Win.Packer.Exe-6
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RMSRemoteAdmin
Create hunting rule
Detection:
malicious
Classification:
evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/824726
Signature
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 457138 Sample: HVP968APlE.exe Startdate: 31/07/2021 Architecture: WINDOWS Score: 52 25 aist73.com 2->25 31 Multi AV Scanner detection for submitted file 2->31 33 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->33 8 rutserv.exe 11 10 2->8         started        11 HVP968APlE.exe 5 2->11         started        13 svchost.exe 1 2->13         started        15 8 other processes 2->15 signatures3 process4 dnsIp5 27 aist73.com 109.195.195.159, 49768, 5651, 5655 ULSK-ASRU Russian Federation 8->27 17 rfusclient.exe 8->17         started        19 rfusclient.exe 8->19         started        21 msiexec.exe 11->21         started        29 192.168.2.1 unknown unknown 13->29 process6 process7 23 rfusclient.exe 17->23         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b09c83cc92243c149da72ad6039891cc328f2eae0afdd327fe363b9b0d4297bf/
Threat name:
Win32.Trojan.RemoteUtilities
Create hunting rule
Status:
Malicious
First seen:
2021-07-27 23:09:47 UTC
AV detection:
9 of 28 (32.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wcoihteseq6bjhnhfllahgerzqzi6lvobl65gj76gy5zwdkcs67q._file
Verdict:
malicious
Similar samples:
075ec6ffbc5779e54c73a41b478b0bd6534f6cd5db435b8226d76c50012b267f
RemoteManipulator
118dd258630c48b0beacd8b4c04c9c9cd3b9f698b660b6a904b1dfc033e00cd1
RemoteManipulator
38602e2e2f729e174440339fd1551e133ae03d93e16bbcef8f0b9c8aa1da9b1c
RemoteManipulator
5312214b15330113f6eab71565e1e3c7d1ee3b59daa6703c271aaf3b192e6809
RemoteManipulator
6dda990d8073fee71cedeabd622f6d7a9be6fb2e696bda71e7b709f1c08f5e36
RemoteManipulator
b5961f407c0afef04c9406ba17cbae3fe4cc575b47e50081abbda0d96f9c0f18
RemoteManipulator
c8ebec4136a41a11aa96976ce1b5d4b01785ff3ac94b781550cc2e11984c7a2c
RemoteManipulator
d101d0dd2bce548291c5d839fd4b047a2e1739ebef3725d2e2923fd44564a41b
RemoteManipulator
ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb
RemoteManipulator
+ 26 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery upx
Link:
https://tria.ge/reports/210730-kxe17kkzw6/
Behaviour
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Checks installed software on the system
Enumerates connected drives
Checks computer location settings
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
Unpacked files
SH256 hash:
880311842c3946bb3851b225e4712a26ca8ff0f69d4106dcd04fda37c07df5d4
MD5 hash:
9346339308daa25841098b315f34b6e2
SHA1 hash:
d8ca4e13f434ed8903c736d14bcf9237a41c3968
Link:
https://www.unpac.me/results/a5b59e78-09c9-4d63-8949-af19c038aa55/
SH256 hash:
b09c83cc92243c149da72ad6039891cc328f2eae0afdd327fe363b9b0d4297bf
MD5 hash:
b0a2f08191a6073136a838d0ae99da8a
SHA1 hash:
48a4f90b48584a75f9f508459495d227272f1ed4
Link:
https://www.unpac.me/results/a5b59e78-09c9-4d63-8949-af19c038aa55/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.33
Link:
https://yomi.yoroi.company/submissions/b09c83cc92243c149da72ad6039891cc328f2eae0afdd327fe363b9b0d4297bf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments