MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ddca8f9d05aa07e903b71aa9823252962f91d0a192b79e346f8a51f39fb9212d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemoteManipulator


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ddca8f9d05aa07e903b71aa9823252962f91d0a192b79e346f8a51f39fb9212d
SHA3-384 hash: 3b513c75a7da7877c5d1a414b7b4bef9ca3734d4b14e781ab6c5214695816da7f8e49dbb7df872ecbeb6846f8d56d1ce
SHA1 hash: 24a63050aa9b0964527b10c6a36c36136374ec40
MD5 hash: a65ab436f519ab4c9b64d2467b8efbb9
humanhash: fillet-kitten-equal-july
File name:ddca8f9d05aa07e903b71aa9823252962f91d0a192b79e346f8a51f39fb9212d
Download: download sample
Signature RemoteManipulator
Create hunting rule
File size:9'546'120 bytes
First seen:2021-02-23 08:11:22 UTC
Last seen:2021-02-25 08:28:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2f38416762c94d29a8bc2c6865d1c9f2 (4 x RemoteManipulator)
ssdeep 196608:MeYjAVH2qGnhL+ETGTiq3TAnEuEM5PNiR/LK5FUVhlCNw3eFSkMji:32JlTjREuX5FgygC1FZMW
Threatray 10 similar samples on MalwareBazaar
TLSH B9A633D179AE5478ECF057F03CB46A864C767893BC74A21EAB19AE4E0FAB7801510773
Reporter JAMESWT_WT
Tags:OOO Fobos Remote Manipulator System RemoteManipulator signed

Code Signing Certificate

Organisation:OOO Fobos
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2021-02-10T00:00:00Z
Valid to:2022-02-10T23:59:59Z
Serial number: 7ddd3796a427b42f2e52d7c7af0ca54f
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 8737eb964b33dc89ff84a1835de9b01ab94ceab96dafff8288729c094439bb92
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ddca8f9d05aa07e903b71aa9823252962f91d0a192b79e346f8a51f39fb9212d
Verdict:
Malicious activity
Analysis date:
2021-02-23 08:14:24 UTC
Tags:
installer
Link:
https://app.any.run/tasks/445092e4-2424-467c-bbb8-2443b80f71d4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/118547/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating a file
Moving a recently created file
Sending a UDP request
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Searching for the window
Adding a root certificate
Creating a service
Launching a service
Deleting a recently created file
DNS request
Sending a custom TCP request
Enabling autorun for a service
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RMSRemoteAdmin
Create hunting rule
Detection:
malicious
Classification:
evad
Score:
63 / 100
Link:
https://www.joesandbox.com/analysis/615005
Signature
Antivirus detection for dropped file
Binary contains a suspicious time stamp
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Installs new ROOT certificates
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses regedit.exe to modify the Windows registry
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 356511 Sample: x4cXV3784J Startdate: 23/02/2021 Architecture: WINDOWS Score: 63 99 zen.hldns.ru 2->99 109 Antivirus detection for dropped file 2->109 111 Multi AV Scanner detection for submitted file 2->111 113 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->113 115 2 other signatures 2->115 13 x4cXV3784J.exe 2 2->13         started        16 rutserv.exe 2->16         started        20 svchost.exe 2->20         started        22 3 other processes 2->22 signatures3 process4 dnsIp5 87 C:\Users\user\AppData\...\x4cXV3784J.tmp, PE32 13->87 dropped 24 x4cXV3784J.tmp 5 15 13->24         started        91 zen.hldns.ru 185.220.102.6, 49750, 49753, 49754 ZWIEBELFREUNDEAT Germany 16->91 93 smtp.yandex.ru 77.88.21.158, 49758, 587 YANDEXRU Russian Federation 16->93 97 2 other IPs or domains 16->97 103 Query firmware table information (likely to detect VMs) 16->103 27 rfusclient.exe 16->27         started        30 rfusclient.exe 16->30         started        95 127.0.0.1 unknown unknown 20->95 file6 signatures7 process8 file9 81 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 24->81 dropped 83 C:\ProgramData\is-SQND3.tmp, PE32 24->83 dropped 85 C:\ProgramData\is-IDO3U.tmp, PE32+ 24->85 dropped 32 cmd.exe 5 24->32         started        125 Query firmware table information (likely to detect VMs) 27->125 36 rfusclient.exe 27->36         started        signatures10 process11 file12 69 C:\...\PasswordOnWakeSettingFlyout.exe, PE32+ 32->69 dropped 71 C:\Windows \System32\uxtheme.dll, PE32+ 32->71 dropped 105 Drops executables to the windows directory (C:\Windows) and starts them 32->105 38 PasswordOnWakeSettingFlyout.exe 32->38         started        40 conhost.exe 32->40         started        43 timeout.exe 1 32->43         started        107 Query firmware table information (likely to detect VMs) 36->107 signatures13 process14 signatures15 45 pass.exe 2 38->45         started        117 DLL side loading technique detected 40->117 process16 file17 89 C:\Users\user\AppData\Local\Temp\...\pass.tmp, PE32 45->89 dropped 48 pass.tmp 5 24 45->48         started        process18 file19 73 C:\ProgramData\Immunity\is-PNQKL.tmp, PE32 48->73 dropped 75 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 48->75 dropped 77 C:\ProgramData\Immunity\is-MN42F.tmp, PE32 48->77 dropped 79 3 other files (none is malicious) 48->79 dropped 51 cmd.exe 1 48->51         started        53 cmd.exe 1 48->53         started        process20 process21 55 rutserv.exe 2 51->55         started        59 rutserv.exe 4 51->59         started        61 rutserv.exe 1 2 51->61         started        67 2 other processes 51->67 63 regedit.exe 8 53->63         started        65 conhost.exe 53->65         started        dnsIp22 101 192.168.2.1 unknown unknown 55->101 119 Query firmware table information (likely to detect VMs) 55->119 121 DLL side loading technique detected 63->121 123 Installs new ROOT certificates 67->123 signatures23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ddca8f9d05aa07e903b71aa9823252962f91d0a192b79e346f8a51f39fb9212d/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3xfi7hifvid6sa5xdkuyemsssyxzdufbsk3z4ndprji7hh5zeewq._file
Verdict:
suspicious
Similar samples:
0824ce63c361616ff51da5dec25763aa14cf57b579416617e3b3390fe11c9ae1
RemoteManipulator
118dd258630c48b0beacd8b4c04c9c9cd3b9f698b660b6a904b1dfc033e00cd1
RemoteManipulator
6c8a5f43e07034d0545c60c137f96c6ab8da44cfd59a8654896c8f6c497aefad
RemoteManipulator
6dda990d8073fee71cedeabd622f6d7a9be6fb2e696bda71e7b709f1c08f5e36
RemoteManipulator
7cebce024d5351e0179898fffce2628756bdcd33f9ce3833f922f1265b6e5f73
RemoteManipulator
8f4d63fea00eca6d91147de6a10b7aae6069f164ef00d5986eff571249552dae
RemoteManipulator
b5961f407c0afef04c9406ba17cbae3fe4cc575b47e50081abbda0d96f9c0f18
RemoteManipulator
e5f575d9223be5a7a825f598e21b5ec4475ea6a9d58ad0e87932a57768908027
RemoteManipulator
ed20ff85f5df587140e0780e16a5eb28df94e1b6330c8256de39d94b5a772e83
RemoteManipulator
ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb
RemoteManipulator
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210223-eaynz3w6ae/
Behaviour
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Modifies system certificate store
Runs .reg file with regedit
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
744c544f2f88c7eb103de4291b965f6929d74098b14e1c1cb5326d20da9ca919
MD5 hash:
171cf4225f5b7055eac26bd5cdccfbd4
SHA1 hash:
c554d74c6c1a28baaff6124007efca0674709722
Link:
https://www.unpac.me/results/cd37257a-24b8-4e48-b910-802d6204ac7b/
SH256 hash:
ddca8f9d05aa07e903b71aa9823252962f91d0a192b79e346f8a51f39fb9212d
MD5 hash:
a65ab436f519ab4c9b64d2467b8efbb9
SHA1 hash:
24a63050aa9b0964527b10c6a36c36136374ec40
Link:
https://www.unpac.me/results/cd37257a-24b8-4e48-b910-802d6204ac7b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.86
Link:
https://yomi.yoroi.company/submissions/ddca8f9d05aa07e903b71aa9823252962f91d0a192b79e346f8a51f39fb9212d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Adsterra_Adware_DOM
Create hunting rule
Author:IlluminatiFish
Description:Detects Adsterra adware script being loaded without the user's consent
Rule name:MALWARE_Win_RemoteUtilitiesRAT
Create hunting rule
Author:ditekSHen
Description:RemoteUtilitiesRAT RAT payload
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:win_rms_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/118547/

Comments