MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed20ff85f5df587140e0780e16a5eb28df94e1b6330c8256de39d94b5a772e83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemoteManipulator


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ed20ff85f5df587140e0780e16a5eb28df94e1b6330c8256de39d94b5a772e83
SHA3-384 hash: 70a455c17303d1f39423f0547da6996b0387aa0ff1cbc4a14cc19e6689e766045c3f8245651ff96c7ebc15b506d39c5a
SHA1 hash: d3a18f9612dbc77563af00d4320b434f13b1384c
MD5 hash: a4bcc3d83db92af30efb92b91c173fde
humanhash: purple-oranges-winter-william
File name:QBikGim.exe
Download: download sample
Signature RemoteManipulator
Create hunting rule
File size:4'277'450 bytes
First seen:2021-02-15 17:07:25 UTC
Last seen:2021-02-15 20:01:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7eae418c7423834ffc3d79b4300bd6fb (51 x GuLoader, 16 x RemcosRAT, 15 x AgentTesla)
ssdeep 98304:6WE8PHm2xRsBxIhM3wuu1NzJxUMkQDmBziWl:6WLPG2DOJwb1xJ+Z37
Threatray 11 similar samples on MalwareBazaar
TLSH F21633296325DD5CF1BB54328DBED482E5828D2913B482016F413B7EB8F17CB6E8A357
Reporter ffforward
Tags:exe RemoteManipulator remoteutilities RuRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
146
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
QBikGim.exe
Verdict:
Suspicious activity
Analysis date:
2021-02-15 17:10:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a1d84f67-2b93-4fe8-93a2-7ca0757538c6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
RemoteUtilitiesRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/117197/
Detection(s):
PUA.Win.Packer.Exe-6
Create hunting rule

PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

PUA.Win.Malware.Gamemodding-6726308-0
Create hunting rule

PUA.Win.Packer.Pseudosigner-36
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Creating a window
Sending a UDP request
Launching a service
DNS request
Creating a file
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Launching a process
Deleting a recently created file
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RMSRemoteAdmin
Create hunting rule
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/608253
Signature
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 353157 Sample: QBikGim.exe Startdate: 15/02/2021 Architecture: WINDOWS Score: 68 41 Multi AV Scanner detection for dropped file 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Machine Learning detection for sample 2->45 47 2 other signatures 2->47 7 QBikGim.exe 4 25 2->7         started        10 Beasley.exe 2 2->10         started        process3 file4 27 C:\Program Files\...\Beasley.exe, PE32 7->27 dropped 29 C:\Users\user\AppData\Local\...\registry.dll, PE32 7->29 dropped 31 C:\Users\user\AppData\Local\...\nsProcess.dll, PE32 7->31 dropped 33 4 other files (none is malicious) 7->33 dropped 12 cmd.exe 1 7->12         started        14 Beasley.exe 2 7->14         started        process5 process6 16 conhost.exe 12->16         started        18 schtasks.exe 1 12->18         started        20 schtasks.exe 1 12->20         started        22 schtasks.exe 1 12->22         started        24 Beasley.exe 4 2 14->24         started        dnsIp7 35 192.119.14.178, 49730, 5655 24SHELLSUS United States 24->35 37 id.remoteutilities.com 209.205.218.178, 49722, 49729, 5655 24SHELLSUS United States 24->37 39 192.168.2.1 unknown unknown 24->39
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ed20ff85f5df587140e0780e16a5eb28df94e1b6330c8256de39d94b5a772e83/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5uqp7bpv35mhcqhapahbnjplfdpzjynwgmgievw6hhmuwwtxf2bq._file
Verdict:
malicious
Similar samples:
118dd258630c48b0beacd8b4c04c9c9cd3b9f698b660b6a904b1dfc033e00cd1
RemoteManipulator
31e0d8d290cef40450e8afb88a58749155645f4f702bdec51a81290d0230de09
RemoteManipulator
380a0d5b3d5ae9eb9a53cf5bb4fe1737de62020e4f0ec5f56ee601bf8a884d1b
RemoteManipulator
5312214b15330113f6eab71565e1e3c7d1ee3b59daa6703c271aaf3b192e6809
RemoteManipulator
6c8a5f43e07034d0545c60c137f96c6ab8da44cfd59a8654896c8f6c497aefad
RemoteManipulator
6dda990d8073fee71cedeabd622f6d7a9be6fb2e696bda71e7b709f1c08f5e36
RemoteManipulator
7cebce024d5351e0179898fffce2628756bdcd33f9ce3833f922f1265b6e5f73
RemoteManipulator
b5961f407c0afef04c9406ba17cbae3fe4cc575b47e50081abbda0d96f9c0f18
RemoteManipulator
e5f575d9223be5a7a825f598e21b5ec4475ea6a9d58ad0e87932a57768908027
RemoteManipulator
ee0400adcec67d05e4b6825df53ff7e5fb5d86680a65264976940239c322d9fb
RemoteManipulator
+ 1 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/210215-g7bdp3nema/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
b2d091876f67554a3e9929dbcc3c212942ea5999e41cf4f9eac8cd77b863c861
MD5 hash:
9272eb9dc06fce3952ca340e6715d8d8
SHA1 hash:
43bb6a2d92537b73f5246a1d04a3075964351ecb
Detections:
win_rms_a0
Create hunting rule
win_rms_auto
Create hunting rule
Link:
https://www.unpac.me/results/033c78a4-3e98-450f-95f8-31e05490bcdc/
SH256 hash:
f344713a08459675b6db6fc79e93f7813d8793af6fd9a2c8c64aa1a0a0e0d218
MD5 hash:
d53c32cedd3d4c37d0a35183ec531ed9
SHA1 hash:
1184372024a780df8234ac67c4a5db4d303adbc5
Link:
https://www.unpac.me/results/033c78a4-3e98-450f-95f8-31e05490bcdc/
SH256 hash:
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
MD5 hash:
8cf2ac271d7679b1d68eefc1ae0c5618
SHA1 hash:
7cc1caaa747ee16dc894a600a4256f64fa65a9b8
Link:
https://www.unpac.me/results/033c78a4-3e98-450f-95f8-31e05490bcdc/
SH256 hash:
0fb36a2a660dd899daf6eeb5d46f28d998d0b9afb53ded89f47bc03936e06aff
MD5 hash:
528ec935c96a89aec500bc27c13536c2
SHA1 hash:
9285ce32249377d5f9d8640de364771dd935e344
Link:
https://www.unpac.me/results/033c78a4-3e98-450f-95f8-31e05490bcdc/
Parent samples :
6fb6cffbc9d37606dee6240083b2f3db1747a819ee84d2db3d1e2bc5937e93cc
3237ff81fe1982520a0bb7675a156a419d3271971a024ae43b3e5aabaf10f6ef
SH256 hash:
8c788a09ccce42ef39f707477ec6f38a3f7a3b18c5751b4580ab787766e8baac
MD5 hash:
fe7135eb0e80228905b3c1116923eef7
SHA1 hash:
5aaa7e7f78e91ede83dd075b58b1a01aa98fb21b
Link:
https://www.unpac.me/results/033c78a4-3e98-450f-95f8-31e05490bcdc/
SH256 hash:
df3621f83e9d11be45e0e617b899c4ab0241f60ed56494e892dc449482058402
MD5 hash:
4b0617493f32b2b5fe5e838eeb885819
SHA1 hash:
336e84380420a9caaa9c12af7c8e530135e63c57
Link:
https://www.unpac.me/results/033c78a4-3e98-450f-95f8-31e05490bcdc/
SH256 hash:
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d
MD5 hash:
2b7007ed0262ca02ef69d8990815cbeb
SHA1 hash:
2eabe4f755213666dbbbde024a5235ddde02b47f
Link:
https://www.unpac.me/results/033c78a4-3e98-450f-95f8-31e05490bcdc/
SH256 hash:
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
MD5 hash:
f0438a894f3a7e01a4aae8d1b5dd0289
SHA1 hash:
b058e3fcfb7b550041da16bf10d8837024c38bf6
Link:
https://www.unpac.me/results/033c78a4-3e98-450f-95f8-31e05490bcdc/
SH256 hash:
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47
MD5 hash:
f27689c513e7d12c7c974d5f8ef710d6
SHA1 hash:
e305f2a2898d765a64c82c449dfb528665b4a892
Link:
https://www.unpac.me/results/033c78a4-3e98-450f-95f8-31e05490bcdc/
SH256 hash:
ed20ff85f5df587140e0780e16a5eb28df94e1b6330c8256de39d94b5a772e83
MD5 hash:
a4bcc3d83db92af30efb92b91c173fde
SHA1 hash:
d3a18f9612dbc77563af00d4320b434f13b1384c
Link:
https://www.unpac.me/results/033c78a4-3e98-450f-95f8-31e05490bcdc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Dropper
Score:
0.64
Link:
https://yomi.yoroi.company/submissions/ed20ff85f5df587140e0780e16a5eb28df94e1b6330c8256de39d94b5a772e83

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

RemoteManipulator

Excel file xls 1b7a05712f28b561e72a5e966690ecf41be1655f46cc250ab485d6fcd568b107

RemoteManipulator

Executable exe ed20ff85f5df587140e0780e16a5eb28df94e1b6330c8256de39d94b5a772e83

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1011297/
  
Dropped by
SHA256 1b7a05712f28b561e72a5e966690ecf41be1655f46cc250ab485d6fcd568b107
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/117197/

Comments