MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbc131fda4a9d5d10d774f609a121390bb56456f358420db95d35ef9760acad9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemoteManipulator

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 4 File information Comments

SHA256 hash:	bbc131fda4a9d5d10d774f609a121390bb56456f358420db95d35ef9760acad9
SHA3-384 hash:	830b23f4e655053dcd77f067ab20c490b3fd36de565fe904ee9f49f4fc0b9e5000a4e875e38562d94d16ba20235e387e
SHA1 hash:	67e66edb8ec5fdbd4662541e57800ba4a5e6b229
MD5 hash:	9d8fd3044460f6a4b876755ab299c634
humanhash:	salami-hot-mississippi-missouri
File name:	BBC131FDA4A9D5D10D774F609A121390BB56456F35842.exe
Download:	download sample
Signature	RemoteManipulator Create hunting rule
File size:	16'976'560 bytes
First seen:	2021-09-26 23:02:16 UTC
Last seen:	2021-09-27 00:03:05 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	38be718d163809a15e0c7a672311fe41 (18 x RemoteManipulator)
ssdeep	393216:7k4NpfjGl7qLUnjN6DEjexRa3OPGZYPh9Oa07FuKk0pNKoEY2:7kAxg7qLw6QuA3OuZYC1jpNKoEY2
Threatray	16 similar samples on MalwareBazaar
TLSH	T133073353FBE14828D4BA4BBE4DBE5B14077ABC8D4A13578D0318F12A9CB274199B47CB
File icon (PE):
dhash icon	c4dacabacac0c244 (47 x RemoteManipulator)
Reporter	abuse_ch
Tags:	exe RemoteManipulator

abuse_ch

RemoteManipulator C2:
194.212.26.172:5656

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
194.212.26.172:5656	https://threatfox.abuse.ch/ioc/226897/

Intelligence

File Origin

# of uploads :

# of downloads :

193

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

BBC131FDA4A9D5D10D774F609A121390BB56456F35842.exe

Verdict:

Malicious activity

Analysis date:

2021-09-26 23:07:21 UTC

Tags:

rat rms

Link:

https://app.any.run/tasks/a8fb7bf3-c6a0-459e-81af-bbdae7353177

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

PUA.Win.Packer.Upolyx-12

PUA.Win.Packer.Upx-4

PUA.Win.Packer.Exe-6

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

DNS request

Connection attempt

Sending a custom TCP request

Firewall traversal

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/81ba893e-1fa1-4a9e-bf10-19382975b4f6

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bbc131fda4a9d5d10d774f609a121390bb56456f358420db95d35ef9760acad9/

Threat name:

Win32.Trojan.RemoteUtilities

Status:

Malicious

First seen:

2021-06-03 22:22:27 UTC

AV detection:

5 of 28 (17.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xpatd7nevhk5cdlxj5qjueqtsc5vmrlpgwccbw4v2npps5qkzlmq._file

Verdict:

malicious

RemoteManipulator

2984d41816d24e4f00f4aabead77f558d25134f70099d0da610adcefce82126c

RemoteManipulator

4f3de0bbd4c3b60cf6e294374bc0a007d31961ea939248ea8ccd275ce8558d3e

RemoteManipulator

689ca59de6d01b808fa447086aefd829f18f5b628c279148220188ab95e66cf1

RemoteManipulator

c1fe973ec51d405df053a593909e50a2f6929e95966557e0b5188861ca983c56

RemoteManipulator

d74f00989c51e8c7ea20038e712df510ee4f0eab405666634036ba255462a59f

RemoteManipulator

ddca8f9d05aa07e903b71aa9823252962f91d0a192b79e346f8a51f39fb9212d

RemoteManipulator

ee3eeb0939e2e1b3ee54b369f044f5f666a64cf74d55c278dcfdf4c278a53214

RemoteManipulator

+ 6 additional samples on MalwareBazaar

Result

Malware family:

rms

Score:

10/10

Tags:

family:rms rat trojan upx

Link:

https://tria.ge/reports/210926-21nzxafchn/

Behaviour

Modifies data under HKEY_USERS

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in System32 directory

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

RMS

Unpacked files

SH256 hash:

dfce76b3f2a24fcf78b0e5a5836ab2a0a89b20d0a2dc59a6d22b6ae1353c6476

MD5 hash:

6e3d18a8397d92f5bc3374eb546fa0db

SHA1 hash:

b9ddadfe119005d6bfb90ee03aa3c5ac6e401166

Link:

https://www.unpac.me/results/911ee3f0-e333-4ace-89e1-8572310fa0f7/

SH256 hash:

f27bd2379f5e9fcdf9c0cca98a43024bf6d04b3265f60c410fc67d936fa5b0f3

MD5 hash:

ed87ff9485fac3489daf1d31f33a16aa

SHA1 hash:

50aee59c83869f350c6ca57524d8da283a34455a

Link:

https://www.unpac.me/results/911ee3f0-e333-4ace-89e1-8572310fa0f7/

SH256 hash:

dfb8087a65e6b154fabf742fae9eb69720f7e2871dc33d986b8058f72a871a25

MD5 hash:

f3a754cc818d7218a09a734ecf7fbdca

SHA1 hash:

c9e48a6da74a18aba8102fef96ef1fdca0738932

Link:

https://www.unpac.me/results/911ee3f0-e333-4ace-89e1-8572310fa0f7/

SH256 hash:

ec2e2574a6b6443ad1f51e533d2f2bb429890c9cf03baad670f046c0f1e5305a

MD5 hash:

271e9be627042f677a8e02b73694a16d

SHA1 hash:

e5be0c3229fd661b7bada93c684bb25efeecad3b

Link:

https://www.unpac.me/results/911ee3f0-e333-4ace-89e1-8572310fa0f7/

SH256 hash:

fddbc18a01dc975260aa5c5b4b45b5baf9e9bd0539eefa8a4a90469f07e9cc4c

MD5 hash:

1f385ac1c16dd7c77addac6e70d1b52a

SHA1 hash:

2bd8c36ae3b3813876f7aeec2b09fc7c54c6b7ce

Link:

https://www.unpac.me/results/911ee3f0-e333-4ace-89e1-8572310fa0f7/

SH256 hash:

f8b1fa19da3ce4c6aaa8aaa43df1dbd5156c3a6dc52afcab51c6e3a49c132b28

MD5 hash:

1259b71ca530267d2763c1530fe3f3bb

SHA1 hash:

7be854021bbcf53dc588b588c19dc40b65d43032

Detections:

win_rms_a0

win_rms_auto

Link:

https://www.unpac.me/results/911ee3f0-e333-4ace-89e1-8572310fa0f7/

SH256 hash:

ac4abf89b7d675b114bc21d07dc937ae3ed3dbd40135766ee69a534ed57e5bea

MD5 hash:

cb86c01df065abcceef63837e392bda1

SHA1 hash:

efdbb18b2104fe3b0b164e533990ade250cb1833

Detections:

win_rms_a0

Link:

https://www.unpac.me/results/911ee3f0-e333-4ace-89e1-8572310fa0f7/

SH256 hash:

bbc131fda4a9d5d10d774f609a121390bb56456f358420db95d35ef9760acad9

MD5 hash:

9d8fd3044460f6a4b876755ab299c634

SHA1 hash:

67e66edb8ec5fdbd4662541e57800ba4a5e6b229

Link:

https://www.unpac.me/results/911ee3f0-e333-4ace-89e1-8572310fa0f7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bbc131fda4a9d5d10d774f609a121390bb56456f358420db95d35ef9760acad9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Adsterra_Adware_DOM Create hunting rule
Author:	IlluminatiFish
Description:	Detects Adsterra adware script being loaded without the user's consent

Rule name:	MALWARE_Win_RemoteUtilitiesRAT Create hunting rule
Author:	ditekSHen
Description:	RemoteUtilitiesRAT RAT payload

Rule name:	win_rms_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	with_urls Create hunting rule
Author:	Antonio Sanchez <asanchez@hispasec.com>
Description:	Rule to detect the presence of an or several urls
Reference:	http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample