MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d33b0bce0ea5e62ba7480d8e150e021bf9151f5308400dac01a133fa4a94cbba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemoteManipulator


Vendor detections: 11



SHA256 hash: d33b0bce0ea5e62ba7480d8e150e021bf9151f5308400dac01a133fa4a94cbba
SHA3-384 hash: ac7d75bfe34839ca6c5efa5d611b74df38d48ddbb4408c31090b33248bb8326cfac8fcc5373ef13331ab7d38b3e3a975
SHA1 hash: 949bbc7eb298f29fc39beb5297fde49ab9175950
MD5 hash: 04c8196c86c206783bdb7ab846534328
humanhash: football-jupiter-floor-single
File name: 04c8196c86c206783bdb7ab846534328.exe
Signature: RemoteManipulator
File size: 15'865'008 bytes
First seen: 2022-03-14 19:26:42 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 19b321cb7a9ce31c90397152f38b67ea (29 x RemoteManipulator)
ssdeep: 196608:Lzzdgh2QAPv4iqRjw61TLaVALQgKnbENrotVhmTQruJCLPzPPqtVsg5Is8u4e10q:Lzmhe4BRRpaVLENmC47L08u4ggNVLKtz
TLSH: T11BF63346F7E25818D4FB4B7A4DFE5B14032BBC981A13978D0365F02A5C7A3429D2A7CB
dhash icon: c4dacabacac0c244 (47 x RemoteManipulator)
Reporter: abuse_ch
Tags: exe RemoteManipulator signed

Code Signing Certificate

Organisation: Ter-Osipov Aleksey Vladimirovich
Issuer: thawte SHA256 Code Signing CA
Algorithm: sha256WithRSAEncryption
Valid from: 2019-06-12T00:00:00Z
Valid to: 2021-06-10T23:59:59Z
Serial number: 3ac079ae78801b8d6822a30988e17dd2
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint algorithm: SHA256
Thumbprint: b3a39f4b7c172beae731f1310cbf6d73e19d1aba2ea3a622548adf8ad4ca2993
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


abuse_ch
RemoteManipulator C2:
77.223.124.211:5655

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 77.223.124.211:5655
ThreatFox reference: https://threatfox.abuse.ch/ioc/395228/

Intelligence


File Origin
# of uploads: 1
# of downloads: 243
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a service
Sending a custom TCP request
DNS request
Creating a file in the Windows subdirectories
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: control.exe greyware overlay packed remote.exe replace.exe
Result
Verdict: MALICIOUS
Result
Threat name: RMSRemoteAdmin
Detection: suspicious
Classification: spyw.evad
Score: 34 / 100
Signature
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Tries to steal Mail credentials (via file registry)
Behaviour
Behavior Graph (graph image not reproduced; node contents recovered below)
Behavior Graph ID: 588954
Sample: NNmDumA3sA.exe
Start date: 14/03/2022
Architecture: WINDOWS
Score: 34
Sample-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Tries to steal Mail credentials (via file registry); Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Process chain:
NNmDumA3sA.exe started; dropped C:\Users\user\AppData\Roaming\...\rutserv.exe (PE32), C:\Users\user\AppData\...\rfusclient.exe (PE32), C:\Users\user\...\webmvorbisencoder.dll (PE32) and 7 other files (none is malicious); started rfusclient.exe
rfusclient.exe: Query firmware table information (likely to detect VMs); started rutserv.exe
rutserv.exe: Query firmware table information (likely to detect VMs); started a second rutserv.exe
rutserv.exe (second instance): contacted 109.234.156.179, 49783, 5655 (SELECTELRU, Russian Federation); main.internetid.ru 95.213.205.83, 49781, 5655 (SELECTEL-MSKRU, Russian Federation); 3 other IPs or domains; Query firmware table information (likely to detect VMs); started rfusclient.exe
rfusclient.exe (second instance): Query firmware table information (likely to detect VMs)
Threat name: Win32.Trojan.RemoteUtilities
Status: Malicious
First seen: 2022-03-12 00:51:19 UTC
File type: PE (Exe)
Extracted files: 85
AV detection: 9 of 27 (33.33%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:rms rat trojan upx
Behaviour
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
RMS
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files

SHA256 hash: dfce76b3f2a24fcf78b0e5a5836ab2a0a89b20d0a2dc59a6d22b6ae1353c6476
MD5 hash: 6e3d18a8397d92f5bc3374eb546fa0db
SHA1 hash: b9ddadfe119005d6bfb90ee03aa3c5ac6e401166

SHA256 hash: f27bd2379f5e9fcdf9c0cca98a43024bf6d04b3265f60c410fc67d936fa5b0f3
MD5 hash: ed87ff9485fac3489daf1d31f33a16aa
SHA1 hash: 50aee59c83869f350c6ca57524d8da283a34455a

SHA256 hash: dfb8087a65e6b154fabf742fae9eb69720f7e2871dc33d986b8058f72a871a25
MD5 hash: f3a754cc818d7218a09a734ecf7fbdca
SHA1 hash: c9e48a6da74a18aba8102fef96ef1fdca0738932

SHA256 hash: ec2e2574a6b6443ad1f51e533d2f2bb429890c9cf03baad670f046c0f1e5305a
MD5 hash: 271e9be627042f677a8e02b73694a16d
SHA1 hash: e5be0c3229fd661b7bada93c684bb25efeecad3b

SHA256 hash: f3d8ffb1a939bbe315f7331843545bbbce8e14f772c63fb613d24eeead91f8bf
MD5 hash: de22c74d8173c6422edcf14249b2a744
SHA1 hash: f869da1a67e636cf3de37773f2284b4229e1d58c

SHA256 hash: 44140ce17c34664b7d8ab750cee272ef11aacdda1928c0811a77d7e3dc1b31ec
MD5 hash: 8b1c6685a847913ac2f36958139f4fe6
SHA1 hash: 619b543e32413fa54b52db3c5c34db48084511ad
Detections: win_danabot_a1 win_rms_a0 win_rms_auto

SHA256 hash: 6749afc5efcbce8933dff5a57e1a2f123585bd506e61a5e83e468b4589edf45e
MD5 hash: 1f82a28a9b614002df2b12fef3f2f690
SHA1 hash: e51f89daf65d88c7387fd1920f1d29f6861bade7
Detections: win_rms_a0

SHA256 hash: d33b0bce0ea5e62ba7480d8e150e021bf9151f5308400dac01a133fa4a94cbba
MD5 hash: 04c8196c86c206783bdb7ab846534328
SHA1 hash: 949bbc7eb298f29fc39beb5297fde49ab9175950
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: MALWARE_Win_RemoteUtilitiesRAT
Author: ditekSHen
Description: RemoteUtilitiesRAT RAT payload

Rule name: win_rms_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: with_urls
Author: Antonio Sanchez <asanchez@hispasec.com>
Description: Rule to detect the presence of one or several URLs
Reference: http://laboratorio.blogs.hispasec.com/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments