MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf5da5a9b8b16d91c32b99d0379ff6729b42606ff38fee944b19e44977c8f2ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemoteManipulator

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 6 File information Comments

SHA256 hash:	cf5da5a9b8b16d91c32b99d0379ff6729b42606ff38fee944b19e44977c8f2ea
SHA3-384 hash:	bf1f621c6a49ff20bdea9b098896661b520b86837b46d4deb628dd75fedc60598da4dddb079ecde84f588c7ecca7e82a
SHA1 hash:	b575cf708602d0285e97071dc7bee8daef415832
MD5 hash:	99fdd1d682a0c2999731ad61b2c0cc2e
humanhash:	johnny-mississippi-spaghetti-hamper
File name:	99fdd1d682a0c2999731ad61b2c0cc2e.exe
Download:	download sample
Signature	RemoteManipulator Create hunting rule
File size:	17'269'872 bytes
First seen:	2022-07-14 18:20:50 UTC
Last seen:	2022-07-14 22:04:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	38be718d163809a15e0c7a672311fe41 (18 x RemoteManipulator)
ssdeep	393216:YfdYUDnIXid6KrMleGADjXUlQuEPrDLQCLs6JAYkujUwX:YF5Kid6KroeG1mL5aub
TLSH	T19407336BE7E68825D4FB47BA09BD8B20177ABCC918138B8D1366B02D4C7778158743DB
TrID	66.6% (.EXE) UPX compressed Win32 Executable (27066/9/6) 11.0% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.MZP) WinArchiver Mountable compressed Archive (3000/1) 4.9% (.EXE) OS/2 Executable (generic) (2029/13) 4.9% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	c4dacabacac0c244 (47 x RemoteManipulator)
Reporter	abuse_ch
Tags:	exe RemoteManipulator signed

Code Signing Certificate

Organisation:	Remote Utilities LLC
Issuer:	Sectigo RSA Code Signing CA
Algorithm:	sha256WithRSAEncryption
Valid from:	2020-08-18T00:00:00Z
Valid to:	2022-08-18T23:59:59Z
Serial number:	aab0e5906afead7b956937974d8016ef
Intelligence:	13 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	cae7c89d5c445a4d774e14192fbcc6bb80658f183cec22da8146317446c33628
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

abuse_ch

RemoteManipulator C2:
80.95.202.4:5655

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
80.95.202.4:5655	https://threatfox.abuse.ch/ioc/837468/

Intelligence

File Origin

# of uploads :

# of downloads :

363

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

rurat

ID:

File name:

99fdd1d682a0c2999731ad61b2c0cc2e.exe

Verdict:

Malicious activity

Analysis date:

2022-07-14 18:24:17 UTC

Tags:

rat rurat

Link:

https://app.any.run/tasks/d07ec131-49cd-43e2-a37a-15c74b66b84d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

PUA.Win.Packer.Upx-4

PUA.Win.Packer.Exe-6

PUA.Win.Tool.RemoteUtilities-9869515-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for synchronization primitives

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

Launching a service

DNS request

Sending a custom TCP request

Searching for the window

Сreating synchronization primitives

Creating a window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

67%

Tags:

greyware overlay packed remoteadmin

Link:

https://www.filescan.io/uploads/62d05e9101fde6ede6823151/reports/f668f4a5-ede2-49d0-9942-273a681cdd8e/overview

Result

Verdict:

MALICIOUS

Malware family:

Remote Utilities RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7e6c7a57-4306-4ff9-b3d6-9cfe3c2b7ffe

Result

Threat name:

RMSRemoteAdmin

Detection:

malicious

Classification:

spyw.evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1031723

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cf5da5a9b8b16d91c32b99d0379ff6729b42606ff38fee944b19e44977c8f2ea/

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=z5o2lknywfwzdqzlthidph7woknueydp6oh65fcldhses56i6lva._file

Verdict:

malicious

Result

Malware family:

rms

Score:

10/10

Tags:

family:rms rat trojan upx

Link:

https://tria.ge/reports/220714-wza4rsdag5/

Behaviour

Modifies data under HKEY_USERS

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in System32 directory

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

UPX packed file

RMS

Suspicious use of NtCreateUserProcessOtherParentProcess

Unpacked files

SH256 hash:

a63fe702c778f952948d80111daaff466b5dc93a64c1dfa2af9f75bf55e22cfd

MD5 hash:

87100633b4a75331a8409a497f8370b1

SHA1 hash:

01dbb5d92590125cf59e42e6106e6050be3c4beb

Link:

https://www.unpac.me/results/3738362c-02a2-49f1-a846-8f83f533f91c/

SH256 hash:

ae2c70e7adaf87d651b123e1ba89575f692eb48599f13a2c296caf155600d347

MD5 hash:

4210da833efe9decbe9248f1350dd27f

SHA1 hash:

6408c38b595fd140068686313a26af78ee9c1568

Link:

https://www.unpac.me/results/3738362c-02a2-49f1-a846-8f83f533f91c/

SH256 hash:

f93dfd03fb2e60394ddaac651eb2a0fdb8353f6aab04160d9c31bb3d359e83e4

MD5 hash:

c9eb45179b6a4fa5ac8d80bc15cafb40

SHA1 hash:

c7216b264bd96b44fc741443c07910afe7d8c624

Link:

https://www.unpac.me/results/3738362c-02a2-49f1-a846-8f83f533f91c/

SH256 hash:

b675c40e8021a3c1d3918d266c92d4125d4fa2e80b72e7161ebc24b45c801387

MD5 hash:

b37b8328a167c87abbb9f19ccce5245a

SHA1 hash:

7f660856347430bfd5fafac9c47eba079295ac21

Link:

https://www.unpac.me/results/3738362c-02a2-49f1-a846-8f83f533f91c/

SH256 hash:

8fed25090ad30eb4d0b61b2de3f93d935bad799befe10491b88669085e1ea480

MD5 hash:

c1a46b9bf24be7152a79face24f6937f

SHA1 hash:

7623e7d2dde70fcca41d95e9b85c8425e9976a8e

Link:

https://www.unpac.me/results/3738362c-02a2-49f1-a846-8f83f533f91c/

Parent samples :

0c41e02ef1c8837307ffbfe5e3c97116808ced2214d34a5517ac732bc2c3baa7
8c4a21abb710c7461e914ffaac2e0e0bd9f787ecea09c40eb6fcebee6c0b7459
3dcace7d338614daae6b307208d1f01b287cd1e9d747e04311110fe315ae37a7
b2d82a1342c45a9e369b7c894dc85a2ba43b0b439b30c40bc70659d073769823

SH256 hash:

be4b7f3e2eaddc844c318e0a649a66c9803b7a88764bc5787a8918729a076b5c

MD5 hash:

2f816a984702c49e4deaab294a2a19a6

SHA1 hash:

7ef3435f8971c00669a2689d4bdc38a1ed0cf82b

Link:

https://www.unpac.me/results/3738362c-02a2-49f1-a846-8f83f533f91c/

SH256 hash:

e5f20248cbbb6547216cb781490424d85a47be064326aa273302a8bc9e83dcff

MD5 hash:

f3bbaaeb4b6ae5ebe56811b71f3d48fb

SHA1 hash:

03962f5461dc85479b95c8fe930f3453ac566e99

Detections:

win_rms_a0

win_rms_auto

Link:

https://www.unpac.me/results/3738362c-02a2-49f1-a846-8f83f533f91c/

SH256 hash:

51a02791f79eca08e2453f9177a5ac4fa08539e5030d5f0e0a9512adcf97aa65

MD5 hash:

26f6bc57c63455cb9fd33be95fea628f

SHA1 hash:

a609762d2cd2661b088ddba6ff207a713e781eb3

Detections:

win_rms_a0

Link:

https://www.unpac.me/results/3738362c-02a2-49f1-a846-8f83f533f91c/

SH256 hash:

cf5da5a9b8b16d91c32b99d0379ff6729b42606ff38fee944b19e44977c8f2ea

MD5 hash:

99fdd1d682a0c2999731ad61b2c0cc2e

SHA1 hash:

b575cf708602d0285e97071dc7bee8daef415832

Link:

https://www.unpac.me/results/3738362c-02a2-49f1-a846-8f83f533f91c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cf5da5a9b8b16d91c32b99d0379ff6729b42606ff38fee944b19e44977c8f2ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	MALWARE_Win_RemoteUtilitiesRAT Create hunting rule
Author:	ditekSHen
Description:	RemoteUtilitiesRAT RAT payload

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	Sectigo_Code_Signed Create hunting rule
Description:	Detects code signed by the Sectigo RSA Code Signing CA
Reference:	https://bazaar.abuse.ch/export/csv/cscb/

Rule name:	win_rms_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	with_urls Create hunting rule
Author:	Antonio Sanchez <asanchez@hispasec.com>
Description:	Rule to detect the presence of an or several urls
Reference:	http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample