MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f98b15b7d9550610415c55202d067c0ab6d59c50e55d6a299d7127ead6f6151a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

RemoteManipulator
Vendor detections: 8

SHA256 hash: f98b15b7d9550610415c55202d067c0ab6d59c50e55d6a299d7127ead6f6151a
SHA3-384 hash: 484eb1868d2e069ff0149d3c44d608c1da652e99d37e2f85216a8c4476f4c5893ceb264eebfe5b12fcdb396a7775ac5d
SHA1 hash: 7579ca56e549f57d558de90ac255e13d693ab9da
MD5 hash: dfff3efb5cb31f71c9f23944d8d8dbd2
humanhash: florida-double-glucose-autumn
File name: msi.msi
Signature: RemoteManipulator
File size: 11'901'952 bytes
First seen: 2021-09-19 10:44:15 UTC
Last seen: 2021-09-19 12:10:21 UTC
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 196608:aJC9RH7qwA5x6uo0kLzJzZyLQVsmNR3wvpxX1JG9yjSkMJc2we0:8+Ql5x6sk/JzZy+N81FTMJc2L
Threatray: 48 similar samples on MalwareBazaar
TLSH: T125C612C2F760052AE99F077296F79E1C593AEDBC9B60234F5CE0730924B3892197B587
Reporter: Arkbird_SOLG
Tags: DarkOxide msi RemoteManipulator
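The hashes above are the exact-match indicators for this file. The script below is an added example, not MalwareBazaar's code and not part of this entry: it walks a directory, streams every file through the four hash algorithms the entry lists, checks that anything named .msi really begins with the OLE2 compound-document header that the MSI format uses (a bare name check would trust "msi.msi" on its own), and reports which files match. It assumes only the Python standard library; ssdeep and TLSH need third-party libraries and are not compared. A cryptographic-hash hit identifies this exact build only, a repackaged installer will not match, and Remote Utilities is a commercially sold remote administration product, so a hit should be checked against the authorised-software inventory before it is called an intrusion.

```python
"""IOC triage for the MalwareBazaar entry above (added example, not the site's code)."""

import hashlib
import os
import sys
from dataclasses import dataclass

# Digests copied from the entry above.
IOCS = {
    "sha256": "f98b15b7d9550610415c55202d067c0ab6d59c50e55d6a299d7127ead6f6151a",
    "sha1": "7579ca56e549f57d558de90ac255e13d693ab9da",
    "md5": "dfff3efb5cb31f71c9f23944d8d8dbd2",
    "sha3_384": "484eb1868d2e069ff0149d3c44d608c1da652e99d37e2f85216a8c4476f4c5893ceb264eebfe5b12fcdb396a7775ac5d",
}
IOC_SIZE = 11_901_952  # file size from the entry, in bytes

# MSI packages are OLE2 (Compound File Binary) containers; this is that format's
# fixed 8-byte header. A "*.msi" that lacks it is mislabelled, whatever its name.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
CHUNK = 1 << 20  # 1 MiB reads, so an 11 MB installer is never loaded whole


@dataclass
class Verdict:
    path: str
    size: int
    is_ole: bool      # True if the file starts with OLE_MAGIC
    hashes: dict      # algorithm name -> hex digest
    matches: list     # algorithms whose digest equals the listed IOC


def _hashers() -> dict:
    # hashlib.new accepts the same names used as keys in IOCS
    return {name: hashlib.new(name) for name in IOCS}


def _verdict(path: str, size: int, head: bytes, hashers: dict) -> Verdict:
    hashes = {name: h.hexdigest() for name, h in hashers.items()}
    matches = [alg for alg, digest in hashes.items() if digest == IOCS[alg]]
    return Verdict(path, size, head == OLE_MAGIC, hashes, matches)


def triage_bytes(data: bytes, path: str = "<memory>") -> Verdict:
    """Triage an in-memory blob (constructed test inputs use this path)."""
    hashers = _hashers()
    for h in hashers.values():
        h.update(data)
    return _verdict(path, len(data), data[:8], hashers)


def triage_file(path: str) -> Verdict:
    """Stream a file from disk through all four hashers in one pass."""
    hashers = _hashers()
    head = b""
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            if not head:
                head = chunk[:8]
            for h in hashers.values():
                h.update(chunk)
    return _verdict(path, os.path.getsize(path), head, hashers)


def scan_directory(root: str) -> list:
    """Triage every regular file under root and return the verdicts."""
    verdicts = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path):
                verdicts.append(triage_file(path))
    return verdicts


def report(verdicts: list) -> str:
    """One line per finding: hash hits, mislabelled MSIs, size-only near misses."""
    lines = []
    for v in verdicts:
        if v.matches:
            lines.append(f"MATCH {v.path} ({', '.join(v.matches)})")
        elif v.path.lower().endswith(".msi") and not v.is_ole:
            lines.append(f"NOT-MSI {v.path}: .msi name but no OLE2 header")
        elif v.size == IOC_SIZE:
            lines.append(f"SIZE-ONLY {v.path}: same size as the sample, different hashes")
    return "\n".join(lines) if lines else "no hits"


if __name__ == "__main__":
    print(report(scan_directory(sys.argv[1] if len(sys.argv) > 1 else ".")))
```

Run it as `python triage.py /path/to/quarantine`. The size pre-filter in `report` is only a hint: a file of the same size with different digests is almost certainly a different build, while a different size rules this exact sample out entirely.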

Intelligence

File Origin
# of uploads: 2
# of downloads: 192
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: RMSRemoteAdmin Remote Utilities
Detection: suspicious
Classification: troj.spyw.evad
Score: 36 / 100
Signature:
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to detect sleep reduction / modifications
Detected Remote Utilities RAT
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file registry)
Threat name: Win32.Trojan.RemoteUtilities
Status: Malicious
First seen: 2020-01-18 05:24:44 UTC
AV detection: 11 of 28 (39.29%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:rurat backdoor trojan
Behaviour:
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates connected drives
Loads dropped DLL
Blocklisted process makes network request
RuRAT
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Signature: RemoteManipulator
File type: Microsoft Software Installer (MSI) msi
SHA256: f98b15b7d9550610415c55202d067c0ab6d59c50e55d6a299d7127ead6f6151a (this sample)
