MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d17d90fd24419ddb868f945754b80e7da8eb570179e2dc867beeb769b7136745. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d17d90fd24419ddb868f945754b80e7da8eb570179e2dc867beeb769b7136745
SHA3-384 hash: bd698c9fed1eba965dda06864cbe162b044ef1011be863ce7ba82c4531d210b20ed2ef67173a13b03a54ce75896f79dc
SHA1 hash: b9263c3d68a76051e2fd36abf81d3cd5e5c543be
MD5 hash: 535e0fbe6d492d5fac6fa01b3a7a43ff
humanhash: twelve-golf-steak-sodium
File name:Электронный договор денежного займа № 189887338883773.exe
Download: download sample
File size:8'950'372 bytes
First seen:2020-10-01 10:37:30 UTC
Last seen:2020-10-01 11:50:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c769210c368165fcb9c03d3f832f55eb (8 x RemoteManipulator, 1 x QuasarRAT)
ssdeep 196608:TKk+/1f/mq0MFyaaQglAr9g+9adTm5ZavD/GehEsNwr9mN1eQnn3SIP7AxPl:TIh/707pB2hgsahm+7GwuVQnniwm
TLSH 02963399E55845B0ED5993362E3ACE749323BE6E2934A96C19CC7C2B3FFB6D71021013
Reporter vm001cn
Tags:RAT RuRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/67384/
Detection(s):
SecuriteInfo.com.Program.RemoteAdmin.753.24396.4685.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Modifying a system file
Creating a file in the Windows subdirectories
Creating a file in the Program Files subdirectories
Creating a service
Launching a service
Creating a file
Running batch commands
Deleting a recently created file
Enabling autorun for a service
Result
Threat name:
RMSRemoteAdmin Remote Utilities
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/479221
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to detect sleep reduction / modifications
Detected Remote Utilities RAT
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 292052 Sample: 38883773.exe Startdate: 01/10/2020 Architecture: WINDOWS Score: 84 40 Antivirus / Scanner detection for submitted sample 2->40 42 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->42 44 Detected Remote Utilities RAT 2->44 46 2 other signatures 2->46 8 38883773.exe 5 2->8         started        11 rutserv.exe 3 2->11         started        15 rutserv.exe 1 2->15         started        17 3 other processes 2->17 process3 dnsIp4 34 C:\Users\user\AppData\Local\...\installer.exe, PE32 8->34 dropped 19 installer.exe 2 8->19         started        36 111.90.140.23, 443, 5651, 8080 SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY Malaysia 11->36 56 Detected Remote Utilities RAT 11->56 22 rfusclient.exe 11->22         started        24 rfusclient.exe 11->24         started        38 192.168.2.1 unknown unknown 15->38 file5 signatures6 process7 signatures8 48 Multi AV Scanner detection for dropped file 19->48 50 Machine Learning detection for dropped file 19->50 52 Contains functionality to detect sleep reduction / modifications 19->52 26 cmd.exe 1 19->26         started        28 msiexec.exe 19->28         started        54 Detected Remote Utilities RAT 22->54 30 rfusclient.exe 22->30         started        process9 process10 32 conhost.exe 26->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d17d90fd24419ddb868f945754b80e7da8eb570179e2dc867beeb769b7136745/
Threat name:
Win32.Backdoor.RaBased
Create hunting rule
Status:
Malicious
First seen:
2020-10-01 10:39:07 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
macro discovery
Link:
https://tria.ge/reports/201001-6ksx45s1dx/
Behaviour
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: SetClipboardViewer
Drops file in Program Files directory
Drops file in Windows directory
Checks installed software on the system
Enumerates connected drives
JavaScript code in executable
Loads dropped DLL
Blacklisted process makes network request
Executes dropped EXE
Suspicious Office macro
Unpacked files
SH256 hash:
5dc698a4d7a544d070ca294d1874e0578e208561529ae150d35366a10df2dd37
MD5 hash:
36f6bcdbf0c2831ba4275ed8a1bcf79f
SHA1 hash:
1bfc654ca4d1739c49ac86fefbae10df94c21ffb
Detections:
win_rms_a0
Create hunting rule
win_rms_auto
Create hunting rule
Link:
https://www.unpac.me/results/ac367d81-dd2d-4f9f-84ca-46d831562dd8/
SH256 hash:
d17d90fd24419ddb868f945754b80e7da8eb570179e2dc867beeb769b7136745
MD5 hash:
535e0fbe6d492d5fac6fa01b3a7a43ff
SHA1 hash:
b9263c3d68a76051e2fd36abf81d3cd5e5c543be
Link:
https://www.unpac.me/results/ac367d81-dd2d-4f9f-84ca-46d831562dd8/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/67384/

Comments