MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c72abb73f39b466cd8b230c1fd9d6c1bf46573db11038eaa407d47976eb317eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemoteManipulator


Vendor detections: 3


Intelligence 3 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c72abb73f39b466cd8b230c1fd9d6c1bf46573db11038eaa407d47976eb317eb
SHA3-384 hash: 58d75158d908a97a1bb48b04c41612e458b214e74cd92f84ff9238b4cecf9e41afd608ab47c2b5511d55cdbe9b0f9430
SHA1 hash: 147b1fb641742ff2fa817a8d171709df4ccd94f5
MD5 hash: 8d4daeeff29c85053d2bb0caa4eabb72
humanhash: island-mirror-avocado-social
File name:SecuriteInfo.com.Trojan.DownLoader28.59869.14828.16845
Download: download sample
Signature RemoteManipulator
Create hunting rule
File size:18'472'960 bytes
First seen:2020-06-02 09:34:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b4e32de247ebbe7be0b887583036c343 (1 x RemoteManipulator)
ssdeep 196608:fBG9obGp/PJEVlI9aDYxpxPsK2vhE3U9jYrcg4xxPFAK66m3V+g:5v+hKW9aDYxpxkhE3wjbPFAK6h3gg
Threatray 16 similar samples on MalwareBazaar
TLSH 3A178D12B385943AD06B1A3A4C3B9698683F7B312B29CC9767F41D8C4F356C16B3A747
Reporter SecuriteInfoCom
Tags:RemoteManipulator

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Exe-6
Create hunting rule

PUA.Win.Packer.Pseudosigner-36
Create hunting rule

SecuriteInfo.com.Trojan.DownLoader28.59869.14828.16845.UNOFFICIAL
Create hunting rule

PUA.Win.Adware.Dealply-6619244-0
Create hunting rule

PUA.Win.Adware.Browsefox-6628766-0
Create hunting rule

PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

PUA.Win.Malware.Gamemodding-6726308-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Rms
Create hunting rule
Status:
Malicious
First seen:
2019-06-17 14:48:36 UTC
AV detection:
23 of 31 (74.19%)
Threat level:
  2/5
Verdict:
malicious
Similar samples:
118dd258630c48b0beacd8b4c04c9c9cd3b9f698b660b6a904b1dfc033e00cd1
RemoteManipulator
1f02d06a14d5e83c297271a24f9dad9f28d25e387bc65784077ddc27165290b5
RemoteManipulator
31e0d8d290cef40450e8afb88a58749155645f4f702bdec51a81290d0230de09
RemoteManipulator
380a0d5b3d5ae9eb9a53cf5bb4fe1737de62020e4f0ec5f56ee601bf8a884d1b
RemoteManipulator
8e7116f27e8c84422d2d5612765b45166a1a1144774a52e5107d74a7884e758f
RemoteManipulator
ace64cbe1ef91a0b14602264fe0de8e3698cb8b901cbd6251b3fd11d87a0bef6
RemoteManipulator
b0fedb5fc4232c07ff1161ddcc830cf11596ba2653cc7cea1d5666b4bab1f276
RemoteManipulator
b2f041348835c102db3769245ee4c28dd00cb19c3c6710fc9c11228f3bbce61b
RemoteManipulator
b5961f407c0afef04c9406ba17cbae3fe4cc575b47e50081abbda0d96f9c0f18
RemoteManipulator
e2136c8268bb5be4fe2a295a9bb9250c00437452cd3d65822290e3a68b1fb94b
RemoteManipulator
+ 6 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence
Link:
https://tria.ge/reports/201109-wfgpqk42v2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Modifies data under HKEY_USERS
Drops file in Windows directory
Modifies service
JavaScript code in executable
Checks computer location settings
Loads dropped DLL
Disables RegEdit via registry modification
Executes dropped EXE
Modifies Windows Firewall
Sets file to hidden
Suspicious use of NtCreateUserProcessOtherParentProcess
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Embedded_PE
Create hunting rule
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Telegram_bot_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria
Rule name:win_rms_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemoteManipulator

Executable exe c72abb73f39b466cd8b230c1fd9d6c1bf46573db11038eaa407d47976eb317eb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/201408/
  
Delivery method
Distributed via web download

Comments