MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d926fe443c0ceb65e70cd64ac3d18a77d75d039486f1698dbd103c3cda2dff52. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemoteManipulator


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d926fe443c0ceb65e70cd64ac3d18a77d75d039486f1698dbd103c3cda2dff52
SHA3-384 hash: 86c16fd0db696b2dcdf8856a27e3dfa995de9cbf25e7ff41a525ef1693f100aa66b0fe7436b0413fb3b0b1d7209138a1
SHA1 hash: 4f987789b181c9b08b75dcc3d483e105fe20ac44
MD5 hash: 1914e8fc1ec7159220e039c0e9898413
humanhash: xray-neptune-missouri-winter
File name:1914e8fc1ec7159220e039c0e9898413.exe
Download: download sample
Signature RemoteManipulator
Create hunting rule
File size:2'541'624 bytes
First seen:2021-02-14 12:56:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e2a1496c94d52a035fe47259ee6587b7 (5 x RemoteManipulator, 2 x CoinMiner, 1 x WSHRAT)
ssdeep 49152:LUclPhp9vH1VjR6bpB+wdsgKhyZf6ENdzcxE1TnB3IaN3zpJoGDGDaFfSgfNZ:11ybCg4yZSENdzfTnB4aN3rfSgFZ
Threatray 18 similar samples on MalwareBazaar
TLSH 44C5125D63A451E4E9B36538CF91DA36D7B13C000B32C39F22E55E4B3F9B2D2492AB61
Reporter abuse_ch
Tags:exe RemoteManipulator

Intelligence

File Origin
# of uploads :
1
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1914e8fc1ec7159220e039c0e9898413.exe
Verdict:
No threats detected
Analysis date:
2021-02-14 12:58:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c211b065-be34-41c5-96c8-e169376ec5f3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/117074/
Detection(s):
SecuriteInfo.com.PowerShell.Siggen.1892.18387.2827.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Running batch commands
Launching cmd.exe command interpreter
Launching a process
Creating a file
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Creating a process with a hidden window
Deleting a recently created file
Sending a UDP request
Forced system process termination
Creating a file in the Windows subdirectories
Launching the process to interact with network services
Launching a service
Loading a system driver
Enabling autorun for a service
Downloading the file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
75 / 100
Link:
https://www.joesandbox.com/analysis/607567
Signature
Adds a new user with administrator rights
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Creates a Windows Service pointing to an executable in C:\Windows
Creates files in alternative data streams (ADS)
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Sigma detected: Dot net compiler compiles file from suspicious location
Uses cmd line tools excessively to alter registry or file data
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 352812 Sample: T2SVD92vHi.exe Startdate: 14/02/2021 Architecture: WINDOWS Score: 75 81 Antivirus detection for dropped file 2->81 83 Multi AV Scanner detection for submitted file 2->83 85 Sigma detected: Dot net compiler compiles file from suspicious location 2->85 87 2 other signatures 2->87 11 T2SVD92vHi.exe 11 2->11         started        process3 file4 61 C:\Users\user\AppData\...\Readme.txt:meta, Microsoft 11->61 dropped 63 C:\Users\user\AppData\Local\...\Readme.txt, ASCII 11->63 dropped 89 Creates files in alternative data streams (ADS) 11->89 15 cmd.exe 1 11->15         started        signatures5 process6 process7 17 wscript.exe 1 15->17         started        20 cmd.exe 1 15->20         started        22 conhost.exe 1 15->22         started        24 more.com 1 15->24         started        signatures8 75 Wscript starts Powershell (via cmd or directly) 17->75 77 Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes) 17->77 26 powershell.exe 60 17->26         started        31 extrac32.exe 10 20->31         started        process9 dnsIp10 73 192.168.2.1 unknown unknown 26->73 65 C:\Windows\Branding\mediasvc.png, PE32+ 26->65 dropped 67 C:\Windows\Branding\mediasrv.png, PE32+ 26->67 dropped 69 C:\Users\user\AppData\...\nhiqtgl4.cmdline, UTF-8 26->69 dropped 91 Uses cmd line tools excessively to alter registry or file data 26->91 93 Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes) 26->93 95 Adds a new user with administrator rights 26->95 97 Powershell drops PE file 26->97 33 reg.exe 26->33         started        36 csc.exe 26->36         started        39 csc.exe 26->39         started        41 8 other processes 26->41 71 C:\Users\user\AppData\Local\Temp\ready.ps1, ASCII 31->71 dropped file11 signatures12 process13 file14 79 Creates a Windows Service pointing to an executable in C:\Windows 33->79 57 C:\Users\user\AppData\Local\...\nhiqtgl4.dll, PE32 36->57 dropped 43 cvtres.exe 36->43         started        59 C:\Users\user\AppData\Local\...\qv1gfzy5.dll, PE32 39->59 dropped 45 cvtres.exe 39->45         started        47 cmd.exe 41->47         started        49 conhost.exe 41->49         started        51 conhost.exe 41->51         started        53 2 other processes 41->53 signatures15 process16 process17 55 net.exe 47->55         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d926fe443c0ceb65e70cd64ac3d18a77d75d039486f1698dbd103c3cda2dff52/
Threat name:
Win64.Trojan.Bulz
Create hunting rule
Status:
Malicious
First seen:
2021-02-14 12:06:44 UTC
AV detection:
10 of 48 (20.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3etp4rb4btvwlzym2zfmhumko7lv2a4uq3ywtdn5ca6dzwrn75ja._file
Verdict:
malicious
Similar samples:
1ac9d42a596c55757b4f37e6291887149a6070bfedb4e27a86cf3cff4d76f2a2
RemoteManipulator
261603776412fc9028feb04ba71a42c5d6bd99c0e4fbb4610d19e6d649dba700
RemoteManipulator
2c8ea0f991d74146f056e4ed453e92ad1798daf2878f5520f54cf3d70d607613
RemoteManipulator
4bc8c57bc1c743b7607ba2e15670591551241fd3b129c266c5894159e72d1c72
RemoteManipulator
72239d0cba7a80895957b43d854680fb2fefbaa8b1f68b001ce5905c32ddcde1
RemoteManipulator
772dab859fd099f0c1373b3fb4fec7aaca42ed71daabe1d1a413e3c66cc4f14d
RemoteManipulator
8524ec166f99c15c47d3498db31df912b9f735ab341737421cf12032d00acaa7
RemoteManipulator
b42b33ffa4b45bc81b71f13d89dc1283b155204913aa8362e99e9aa44366bfb2
RemoteManipulator
ba483bee9e68e055952e71255eb24bd6ca52c1238d3efe96bcb66506e80e6792
RemoteManipulator
f6f7f3647e865740ab06d24f66219a519f2b60572d424deb9273e919222d9376
RemoteManipulator
+ 8 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210214-hqgvrrqre6/
Behaviour
NTFS ADS
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Unpacked files
SH256 hash:
d926fe443c0ceb65e70cd64ac3d18a77d75d039486f1698dbd103c3cda2dff52
MD5 hash:
1914e8fc1ec7159220e039c0e9898413
SHA1 hash:
4f987789b181c9b08b75dcc3d483e105fe20ac44
Link:
https://www.unpac.me/results/f6d5a961-0b04-412e-9d0c-f4e46652225a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d926fe443c0ceb65e70cd64ac3d18a77d75d039486f1698dbd103c3cda2dff52

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RemoteManipulator

Executable exe d926fe443c0ceb65e70cd64ac3d18a77d75d039486f1698dbd103c3cda2dff52

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1000963/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/975095/
Cape
Cape
https://www.capesandbox.com/analysis/117074/

Comments