MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d101d0dd2bce548291c5d839fd4b047a2e1739ebef3725d2e2923fd44564a41b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemoteManipulator

Vendor detections: 9

Intelligence 9 IOCs 1 YARA 1 File information Comments

SHA256 hash:	d101d0dd2bce548291c5d839fd4b047a2e1739ebef3725d2e2923fd44564a41b
SHA3-384 hash:	74007b163fdc5a4fe184f638267eb5c359e56b6c029a2320d65ea0a77502dd8e8d3a72b21d00cd359ace6c64808f9f0e
SHA1 hash:	9ba5c968ff30ffdbd23fc589ea42f4659c532bc3
MD5 hash:	b56b445af056b621aeed9626cad47d42
humanhash:	video-louisiana-shade-angel
File name:	b56b445af056b621aeed9626cad47d42.exe
Download:	download sample
Signature	RemoteManipulator Create hunting rule
File size:	11'552'496 bytes
First seen:	2021-07-15 09:06:24 UTC
Last seen:	2021-07-15 09:59:49 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	19b321cb7a9ce31c90397152f38b67ea (29 x RemoteManipulator)
ssdeep	196608:Ap99RjEKMW1hIuqzYlk3lHjko3lUBNWGQlXUzHWLPVy0hrctezW8MPXAmg:ARPKuyYlcIalONc1E240Nct6SQmg
Threatray	30 similar samples on MalwareBazaar
TLSH	T136C63357FBE68419D8FA8BBE49BE4B18076ABC892A1747CC0354B02D9C733805CA57C7
Reporter	abuse_ch
Tags:	exe RemoteManipulator

abuse_ch

RemoteManipulator C2:
85.192.165.221:80

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
85.192.165.221:80	https://threatfox.abuse.ch/ioc/160596/

Intelligence

File Origin

# of uploads :

# of downloads :

131

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

b56b445af056b621aeed9626cad47d42.exe

Verdict:

Malicious activity

Analysis date:

2021-07-15 09:14:09 UTC

Tags:

rat rms

Link:

https://app.any.run/tasks/4ddb592a-5d3e-4d14-8f2a-375c44e4f7b7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

RemoteUtilitiesRAT

Link:

https://www.capesandbox.com/analysis/171912/

Detection(s):

PUA.Win.Packer.Upolyx-12

PUA.Win.Packer.Upx-4

PUA.Win.Packer.Exe-6

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a356e8a0-7c4c-4261-9126-c9e88a10ebf7

Result

Threat name:

RMSRemoteAdmin

Detection:

suspicious

Classification:

evad

Score:

30 / 100

Link:

https://www.joesandbox.com/analysis/816765

Signature

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d101d0dd2bce548291c5d839fd4b047a2e1739ebef3725d2e2923fd44564a41b/

Threat name:

Win32.Trojan.RemoteUtilities

Status:

Malicious

First seen:

2020-07-04 06:20:00 UTC

AV detection:

6 of 29 (20.69%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2ea5bxjlzzkifeof3a472syepixboopl543sluxcsi75irleuqnq._file

Verdict:

malicious

RemoteManipulator

118dd258630c48b0beacd8b4c04c9c9cd3b9f698b660b6a904b1dfc033e00cd1

RemoteManipulator

38602e2e2f729e174440339fd1551e133ae03d93e16bbcef8f0b9c8aa1da9b1c

RemoteManipulator

5312214b15330113f6eab71565e1e3c7d1ee3b59daa6703c271aaf3b192e6809

RemoteManipulator

6c8a5f43e07034d0545c60c137f96c6ab8da44cfd59a8654896c8f6c497aefad

RemoteManipulator

6dda990d8073fee71cedeabd622f6d7a9be6fb2e696bda71e7b709f1c08f5e36

RemoteManipulator

7cebce024d5351e0179898fffce2628756bdcd33f9ce3833f922f1265b6e5f73

RemoteManipulator

8fba783fb93013344dd2182721a3b1a3fbc96b7b8c49ad4b364c63a0f2b11496

RemoteManipulator

b5961f407c0afef04c9406ba17cbae3fe4cc575b47e50081abbda0d96f9c0f18

RemoteManipulator

ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb

RemoteManipulator

+ 20 additional samples on MalwareBazaar

Result

Malware family:

rms

Score:

10/10

Tags:

family:rms rat trojan upx

Link:

https://tria.ge/reports/210715-yxv97pbjkx/

Behaviour

Modifies data under HKEY_USERS

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in System32 directory

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

RMS

Suspicious use of NtCreateUserProcessOtherParentProcess

Unpacked files

SH256 hash:

9baaabc50e97af3fef43a3ce99480198511f0df01ad1b455f27e48501e0b36bb

MD5 hash:

0b66883bf7c6828795a103a989e8387f

SHA1 hash:

1bcba3960057b2a59de4361530b66517265bf924

Link:

https://www.unpac.me/results/cdb232e8-35cc-42b5-8fdd-2f2aac73a785/

SH256 hash:

3e0436bd43e179fc9de5e615fdbf7cc89226d043bb1a3f83a1fbe1bad31c5bdc

MD5 hash:

d444024b642cec1367732b4297ad3189

SHA1 hash:

3abaf16561552f0f0a63beab34eb0a700edad986

Link:

https://www.unpac.me/results/cdb232e8-35cc-42b5-8fdd-2f2aac73a785/

SH256 hash:

0fb36a2a660dd899daf6eeb5d46f28d998d0b9afb53ded89f47bc03936e06aff

MD5 hash:

528ec935c96a89aec500bc27c13536c2

SHA1 hash:

9285ce32249377d5f9d8640de364771dd935e344

Link:

https://www.unpac.me/results/cdb232e8-35cc-42b5-8fdd-2f2aac73a785/

Parent samples :

6fb6cffbc9d37606dee6240083b2f3db1747a819ee84d2db3d1e2bc5937e93cc
3237ff81fe1982520a0bb7675a156a419d3271971a024ae43b3e5aabaf10f6ef

SH256 hash:

8c788a09ccce42ef39f707477ec6f38a3f7a3b18c5751b4580ab787766e8baac

MD5 hash:

fe7135eb0e80228905b3c1116923eef7

SHA1 hash:

5aaa7e7f78e91ede83dd075b58b1a01aa98fb21b

Link:

https://www.unpac.me/results/cdb232e8-35cc-42b5-8fdd-2f2aac73a785/

SH256 hash:

4a2f824697922155097409c23630b9fc6e11c26b180511ecefa5fec78201392f

MD5 hash:

8d883de244ee0f8dabd218f83d991e31

SHA1 hash:

88eff0f887ecf236117abffb426b32db0ad4838d

Link:

https://www.unpac.me/results/cdb232e8-35cc-42b5-8fdd-2f2aac73a785/

SH256 hash:

524a74666a7638a049e98ab1b96f3dd1d6637adfa74aec453890c1fe6f13201d

MD5 hash:

f9f8a83364166037b5b86cfd00767dd6

SHA1 hash:

699b2878355b88eaea208e9ab3d581fb51448277

Detections:

win_rms_a0

win_rms_auto

Link:

https://www.unpac.me/results/cdb232e8-35cc-42b5-8fdd-2f2aac73a785/

Parent samples :

d101d0dd2bce548291c5d839fd4b047a2e1739ebef3725d2e2923fd44564a41b
6fb6cffbc9d37606dee6240083b2f3db1747a819ee84d2db3d1e2bc5937e93cc

SH256 hash:

da531c8147e2189173129ea4283d2164a74c7e46833107558d1ca1cb92adf95d

MD5 hash:

fb0c84fa04034a1d8de262c8fb470da6

SHA1 hash:

aaa7b2085bc9dfdafd3d6433bbeb90dc6cfae911

Detections:

win_rms_a0

Link:

https://www.unpac.me/results/cdb232e8-35cc-42b5-8fdd-2f2aac73a785/

SH256 hash:

d101d0dd2bce548291c5d839fd4b047a2e1739ebef3725d2e2923fd44564a41b

MD5 hash:

b56b445af056b621aeed9626cad47d42

SHA1 hash:

9ba5c968ff30ffdbd23fc589ea42f4659c532bc3

Link:

https://www.unpac.me/results/cdb232e8-35cc-42b5-8fdd-2f2aac73a785/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/d101d0dd2bce548291c5d839fd4b047a2e1739ebef3725d2e2923fd44564a41b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/171912/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample