MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ffda77db26e59f2a8a8e1db7615b94ed1e8b2c19b6ff89c0295ff3a744378911. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemoteManipulator


Vendor detections: 15


Intelligence 15 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ffda77db26e59f2a8a8e1db7615b94ed1e8b2c19b6ff89c0295ff3a744378911
SHA3-384 hash: 87d26f8b326cbddcbd2f88029f832242c2ae3df2edc4462230a59b8a6a6771579ebb52567fed4934edd2be3ad21b41d5
SHA1 hash: ed33ba6de8beb198f61a7f629828378eb90426c2
MD5 hash: 7f4ee2df4db93ba993748531ae3fa241
humanhash: zulu-victor-nuts-sixteen
File name:7f4ee2df4db93ba993748531ae3fa241.exe
Download: download sample
Signature RemoteManipulator
Create hunting rule
File size:6'255'348 bytes
First seen:2022-08-18 04:21:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b8494300a1f7342d4c600a7b12e15925 (3 x RedLineStealer, 3 x RemoteManipulator, 1 x njrat)
ssdeep 98304:TXz+SO1rRfq9vaAA6eGeZ4FnEW1wjEdGUhQq4Cu/XjB3PcwSbBT6TTCSYG7rw1Ol:jKSO/fq9yAA6ektHqjWGUnUfcTBOTTCo
TLSH T18B563365E5829B3AC290163C9C0F577C7475BE80683E084ABFF9D39CCA77A4E9364621
TrID 86.6% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
5.6% (.EXE) InstallShield setup (43053/19/16)
1.8% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.7% (.SCR) Windows screen saver (13101/52/3)
1.3% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
File icon (PE):PE icon
dhash icon b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter abuse_ch
Tags:exe RemoteManipulator


Avatar
abuse_ch
RemoteManipulator C2:
80.89.239.149:5655

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
80.89.239.149:5655 https://threatfox.abuse.ch/ioc/843916/

Intelligence

File Origin
# of uploads :
1
# of downloads :
293
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
rms
Create hunting rule
ID:
1
File name:
officedeploymenttool_15330-20230.exe
Verdict:
Malicious activity
Analysis date:
2022-08-02 01:53:17 UTC
Tags:
installer loader rat rms
Link:
https://app.any.run/tasks/6c97aca0-c364-49db-bd12-c068264fd3e8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/299455/
Detection(s):
SecuriteInfo.com.Filecoder.I.dropper.22548.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a service
Creating a file in the %AppData% subdirectories
Sending a custom TCP request
Sending an HTTP GET request
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a file
Modifying a system file
Running batch commands
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Launching a process
Creating a process from a recently created file
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching a tool to kill processes
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/29352/overview
Behaviour
MalwareBazaar
CPUID_Instruction
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
75%
Tags:
fingerprint greyware overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62fdbe7aeb0bf1e2c6e68230/reports/e3e9fc6a-7c5a-43d3-b7e6-3d7f22dca53c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Devil Shadow
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1463bbf8-dad2-456c-94ed-906f361ddc84
Result
Threat name:
RMSRemoteAdmin, xRAT, DanaBot
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1053532
Signature
Antivirus / Scanner detection for submitted sample
Detected unpacking (overwrites its own PE header)
Detected xRAT
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected DanaBot stealer dll
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 686049 Sample: 30UGcNfHho.exe Startdate: 18/08/2022 Architecture: WINDOWS Score: 100 45 Malicious sample detected (through community Yara rule) 2->45 47 Antivirus / Scanner detection for submitted sample 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 4 other signatures 2->51 8 30UGcNfHho.exe 16 17 2->8         started        11 rutserv.exe 2->11         started        13 rutserv.exe 2->13         started        process3 file4 29 C:\ProgramData\Immunity\rutserv.exe, PE32 8->29 dropped 31 C:\Users\user\AppData\Local\...\temp_0.tmp, Microsoft 8->31 dropped 33 C:\ProgramData\...\webmvorbisencoder.dll, PE32 8->33 dropped 35 7 other files (none is malicious) 8->35 dropped 15 cmd.exe 1 8->15         started        process5 process6 17 rutserv.exe 2 15->17         started        20 taskkill.exe 1 15->20         started        22 taskkill.exe 1 15->22         started        24 32 other processes 15->24 signatures7 41 Detected unpacking (overwrites its own PE header) 17->41 43 Machine Learning detection for dropped file 17->43 26 rutserv.exe 8 15 17->26         started        process8 dnsIp9 37 80.89.239.149, 49711, 49724, 5655 ON-LINE-DATAServerlocation-NetherlandsDrontenNL Netherlands 26->37 39 192.168.2.1 unknown unknown 26->39
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ffda77db26e59f2a8a8e1db7615b94ed1e8b2c19b6ff89c0295ff3a744378911/
Threat name:
Win32.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2022-08-01 07:52:08 UTC
File Type:
PE (Exe)
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=77nhpwzg4wpsvcuodw3wcw4u5upiwlazw37ytqbjl7z2orbxreiq._file
Verdict:
malicious
Result
Malware family:
rms
Create hunting rule
Score:
  10/10
Tags:
family:rms discovery persistence rat trojan
Link:
https://tria.ge/reports/220818-ey8j7sccb5/
Behaviour
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
RMS
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
00a959b491fb1dacf29bcb0fd926b7d7adc5aa9217ce5294dd0cf102ece863ad
MD5 hash:
60a6e9137f319fa10f84e02a27df74bc
SHA1 hash:
e97fbf33733af30c1678236658a4c955a7ead61c
Detections:
win_rms_a0
Create hunting rule
win_rms_auto
Create hunting rule
Link:
https://www.unpac.me/results/a7c4a7a9-346e-443d-8004-b48674114b8c/
SH256 hash:
e4cd3b087f418870fba6078980287f059e58b1690158c090d0674d0c125b9773
MD5 hash:
c73a9b08e3c72b3971e13dbbb8b4dca1
SHA1 hash:
6ff934d0bdb0614e94f4f8ac33b997b3ea15917e
Link:
https://www.unpac.me/results/a7c4a7a9-346e-443d-8004-b48674114b8c/
SH256 hash:
fabb908cf7cf3811cf72195213273988f07c6e0b0d6004e30318cedf5006a497
MD5 hash:
633f2c8eb9c8e958f0662c33ee7022cc
SHA1 hash:
443b14bb6dbf09a4fccc787eba5ea52b5c2b1dd3
Link:
https://www.unpac.me/results/a7c4a7a9-346e-443d-8004-b48674114b8c/
SH256 hash:
ffda77db26e59f2a8a8e1db7615b94ed1e8b2c19b6ff89c0295ff3a744378911
MD5 hash:
7f4ee2df4db93ba993748531ae3fa241
SHA1 hash:
ed33ba6de8beb198f61a7f629828378eb90426c2
Link:
https://www.unpac.me/results/a7c4a7a9-346e-443d-8004-b48674114b8c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ffda77db26e59f2a8a8e1db7615b94ed1e8b2c19b6ff89c0295ff3a744378911

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/299455/

Comments