MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e686d0adfea8146445e8d4e24a803d655118a9a7b5978335eb84ee5b155f8dd4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RemoteManipulator


Vendor detections: 11



SHA256 hash: e686d0adfea8146445e8d4e24a803d655118a9a7b5978335eb84ee5b155f8dd4
SHA3-384 hash: ee8f95fe3847247128584c1f049c00ba4fd54ec5ac5fde49b852e954f78d82b0276b775afbe7a72f4ae16961c64e3997
SHA1 hash: d4de1e14ba048fb84c1a07c219c29250fe75c425
MD5 hash: 2b1c6b4cba59ddf1d4c6169abc172807
humanhash: eight-arkansas-stairway-sixteen
File name: Постанова суду про стягнення коштів за позовом.scr
Signature: RemoteManipulator
File size: 25'081'001 bytes
First seen: 2024-09-18 02:16:35 UTC
Last seen: 2024-10-29 15:47:08 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: b1c5b1beabd90d9fdabd1df0779ea832 (11 x CoinMiner, 10 x QuasarRAT, 8 x AsyncRAT)
ssdeep: 393216:KFUdsDVaXmmxi0hm3M9av7G7SZOhVoV0KR6eggtImkNE01toiXZ2sCG12LeBisIP:j+yRhbatOhVe6egCkNPtoC2u2y1IIK
TLSH: T1DA473347FB5609E8C5A3AB74884299C2F1713C8D0391E70F32563A3A7E3B3B16935B59
TrID:
  48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
  9.3% (.EXE) OS/2 Executable (generic) (2029/13)
  9.2% (.EXE) Generic Win/DOS Executable (2002/3)
  9.2% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
File icon (PE): PE icon
dhash icon: 68d8d8c8d9a9c1d9 (96 x SnakeKeylogger, 67 x RemcosRAT, 66 x Formbook)
Reporter: DoberGroup
Tags: 873901 exe RemoteManipulator RMS scr sfx UAC-0050

Intelligence


File Origin
# of uploads: 2
# of downloads: 452
Origin country: UA
Vendor Threat Intelligence

Malware family:
ID: 1
File name: https://bitbucket.org/court_gov_ua/files/downloads/Dokumenty.zip
Verdict: Malicious activity
Analysis date: 2024-09-17 12:52:15 UTC
Tags: rat rms

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 90.9%
Tags: Generic Network Stealth Agent

Result
Verdict: UNKNOWN

Result
Threat name: RMSRemoteAdmin
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Signature:
  AI detected suspicious sample
  Connects to many ports of the same IP (likely port scanning)
  Detected unpacking (overwrites its own PE header)
  Icon mismatch, binary includes an icon from a different legit application in order to fool users
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for submitted file
  Query firmware table information (likely to detect VMs)
  Suricata IDS alerts for network traffic
  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Behavior Graph ID: 1512402; Sample: 3e#U043c.scr; Startdate: 17/09/2024; Architecture: WINDOWS; Score: 96
  Sample-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Icon mismatch, binary includes an icon from a different legit application in order to fool users; 4 other signatures
  Processes started by the sample: msiexec.exe; rutserv.exe; 3e#U043c.scr; 2 other processes
  msiexec.exe:
    dropped: C:\Program Files (x86)\...\rutserv.exe (PE32); C:\Program Files (x86)\...\rfusclient.exe (PE32); server_stop_27D787...EA10FB36BB4D2F9.exe (PE32); 41 other files (none is malicious)
    started: rutserv.exe (two instances); rfusclient.exe; 2 other processes
  rutserv.exe:
    network: 101.99.75.142, 49741, 49742, 49743 (SHINJIRU-MY-AS-AP Shinjiru Technology Sdn Bhd MY, Malaysia); 103.144.139.157, 49744, 49780, 49817 (GIGABIT-MY Gigabit Hosting Sdn Bhd MY, unknown); 65.21.245.7, 49745, 49781, 49818 (CP-AS DE, United States)
    signatures: Query firmware table information (likely to detect VMs)
    started: rfusclient.exe (two instances); rutserv.exe
  3e#U043c.scr: started msiexec.exe
  2 other processes: network 127.0.0.1 (unknown)
  rutserv.exe (child of msiexec.exe): Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  rfusclient.exe (child of rutserv.exe): Query firmware table information (likely to detect VMs); started rfusclient.exe, which again shows Query firmware table information (likely to detect VMs)
Threat name: Win32.Trojan.Generic
Status: Malicious
First seen: 2024-09-18 04:14:16 UTC
File Type: PE+ (Exe)
Extracted files: 1007
AV detection: 10 of 38 (26.32%)
Threat level: 2/5

Result
Malware family: n/a
Score: 7/10
Tags: discovery
Behaviour:
  Modifies data under HKEY_USERS
  Modifies registry class
  Modifies system certificate store
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of FindShellTrayWindow
  Suspicious use of SendNotifyMessage
  Suspicious use of SetWindowsHookEx
  Suspicious use of WriteProcessMemory
  Embeds OpenSSL
  Enumerates physical storage devices
  System Location Discovery: System Language Discovery
  Drops file in Program Files directory
  Drops file in Windows directory
  Drops file in System32 directory
  Blocklisted process makes network request
  Enumerates connected drives
  Checks computer location settings
  Executes dropped EXE
  Loads dropped DLL

Verdict: Suspicious
Tags: n/a
YARA: n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Detect_APT29_WINELOADER_Backdoor
Author: daniyyell
Description: Detects APT29's WINELOADER backdoor variant used in phishing campaigns; this rule also detects bad pdf, shtml, htm and vbs files, or maybe more, depending on the case
Reference: https://cloud.google.com/blog/topics/threat-intelligence/apt29-wineloader-german-political-parties

Rule name: Detect_Malicious_VBScript_Base64
Author: daniyyell
Description: Detects malicious VBScript patterns, including Base64 decoding, file operations, and PowerShell.

Rule name: pe_detect_tls_callbacks

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SelfExtractingRAR
Author: Xavier Mertens
Description: Detects an SFX archive with automatic script execution

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Family: RemoteManipulator
Sample: Executable exe e686d0adfea8146445e8d4e24a803d655118a9a7b5978335eb84ee5b155f8dd4 (this sample)
Delivery method: Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter that checks the security properties and capabilities of executables.

Findings (ID, Title, Severity)
CHECK_AUTHENTICODE: Missing Authenticode (severity: high)
CHECK_DLL_CHARACTERISTICS: Missing dll Security Characteristics (FORCE_INTEGRITY) (severity: high)
CHECK_TRUST_INFO: Requires Elevated Execution (level: requireAdministrator) (severity: high)

Reviews (ID, Capabilities, Evidence)
GDI_PLUS_API: Interfaces with Graphics
  gdiplus.dll::GdiplusStartup
  gdiplus.dll::GdiplusShutdown
  gdiplus.dll::GdipAlloc
WIN32_PROCESS_API: Can Create Process and Threads
  KERNEL32.dll::CloseHandle
  KERNEL32.dll::CreateThread
WIN_BASE_API: Uses Win Base API
  KERNEL32.dll::TerminateProcess
  KERNEL32.dll::LoadLibraryW
  KERNEL32.dll::LoadLibraryExA
  KERNEL32.dll::LoadLibraryExW
  KERNEL32.dll::GetSystemInfo
  KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_API: Can Execute other programs
  KERNEL32.dll::AllocConsole
  KERNEL32.dll::AttachConsole
  KERNEL32.dll::WriteConsoleW
  KERNEL32.dll::FreeConsole
  KERNEL32.dll::SetStdHandle
  KERNEL32.dll::GetConsoleMode
  KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_API: Can Create Files
  KERNEL32.dll::CreateDirectoryW
  KERNEL32.dll::CreateHardLinkW
  KERNEL32.dll::CreateFileW
  KERNEL32.dll::CreateFileMappingW
  KERNEL32.dll::DeleteFileW
  KERNEL32.dll::MoveFileW
  KERNEL32.dll::MoveFileExW
