PUP.RemoteAdmin
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Popularity Rank: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Popularity Rank: | 840 |
| Threat Level: | 10 % (Normal) |
| Infected Computers: | 38,183 |
| First Seen: | August 9, 2016 |
| Last Seen: | December 2, 2025 |
| OS(es) Affected: | Windows |
Table of Contents
SpyHunter Detects & Remove PUP.RemoteAdmin
File System Details
PUP.RemoteAdmin may create the following file(s):
| # | File Name | MD5 |
Detections
Detections: The number of confirmed and suspected cases of a particular threat detected on
infected computers as reported by SpyHunter.
|
|---|---|---|---|
| 1. | NETWork.exe | f36175806e9d0b21d95d36697d4017d9 | 32 |
| 2. | rutserv.exe | 4f40ef14a8143151764c3eb6c972398b | 9 |
| 3. | agent.exe | e0f4afe374d75608d604fbf108eac64f | 5 |
| 4. | YP.exe | 5d52ceb951384666ffb7a0b7e9b034fc | 4 |
| 5. | file.exe | 77f6d6693870fd19fc922d0c3a9b5b9b | 0 |
| 6. | r_server.exe | 24fc6bf84e755691ad9a9c033378bbf5 | 0 |
| 7. | 5961315 | 523057fbbe6c89336b9cb2b1c1b78d26 | 0 |
Registry Details
PUP.RemoteAdmin may create the following registry entry or registry entries:
Regexp file mask
%HOMEDRIVE%\Log\rfusclient.exe
%HOMEDRIVE%\rfusclient.exe
%HOMEDRIVE%\rutserv.exe
%PROGRAMFILES%\Java\rfusclient.exe
%PROGRAMFILES%\Java\rutserv.exe
%PROGRAMFILES%\Microsoft Games\rfusclient.exe
%PROGRAMFILES%\rtsd\rfusclient.exe
%PROGRAMFILES%\rtsd\rutserv.exe
%PROGRAMFILES%\System\rfusclient.exe
%PROGRAMFILES%\System\rutserv.exe
%PROGRAMFILES(x86)%\Java\rfusclient.exe
%PROGRAMFILES(x86)%\Java\rutserv.exe
%PROGRAMFILES(x86)%\System\rfusclient.exe
%PROGRAMFILES(x86)%\System\rutserv.exe
Directories
PUP.RemoteAdmin may create the following directory or directories:
| %ALLUSERSPROFILE%\CardWindows |
| %ALLUSERSPROFILE%\WindowsVolume |
| %APPDATA%\RMS-Agent |
| %Homedrive%\Remote Manipulator System |
| %PROGRAMFILES%\Remote Manipulator System - Host |
| %PROGRAMFILES%\Remote Manipulator System - Server |
| %PROGRAMFILES%\Remote Manipulator System - Viewer |
| %PROGRAMFILES%\Remote Utilities - Host |
| %PROGRAMFILES%\Remote Utilities - Server |
| %PROGRAMFILES%\Remote Utilities - Viewer |
| %PROGRAMFILES%\Server |
| %PROGRAMFILES(x86)%\Remote Manipulator System - Host |
| %PROGRAMFILES(x86)%\Remote Manipulator System - Server |
| %PROGRAMFILES(x86)%\Remote Manipulator System - Viewer |
| %PROGRAMFILES(x86)%\Remote Utilities - Host |
| %PROGRAMFILES(x86)%\Remote Utilities - Server |
| %PROGRAMFILES(x86)%\Server |
| %Windir%\ehome\ASCON |
Analysis Report
General information
| Family Name: | PUP.RemoteAdmin |
|---|---|
| Signature status: | No Signature |
Known Samples
Known Samples
This section lists other file samples believed to be associated with this family.|
MD5:
8b82b0cb9c1515ea617abfae5f75a40b
SHA1:
f3e1677f6405e9be96efbbc767809ff77e41d62c
SHA256:
3806A20239ECA00B8D8EB7ACA1C6BD109BCCBB8AEBD83C6EB1545D5DE62A57A7
File Size:
6.66 MB, 6663432 bytes
|
|
MD5:
040fbad8e414e9f83b1049e2d6d19660
SHA1:
fca4ff4dcd14c7fc67271104839ddf5286fb4c1b
SHA256:
A9BDF8AA304FA511AF4BD702E9A1E06487E0191061BE47AF47340CFEFDB09E80
File Size:
3.28 MB, 3282920 bytes
|
|
MD5:
94d70ffe5cbc3c34b9e33c1540d6e7ec
SHA1:
e1c33ab4ca2664940aac5453e8649f023220ee95
SHA256:
3D5112C10EE98939B32542233C8D6C35FA00C60F5C19CE043B8F8990E5983727
File Size:
57.02 KB, 57024 bytes
|
|
MD5:
5a9453bee75456e5e6befae40d93b0c5
SHA1:
b3ed58c889ee7fe36a7e53cc70da690e9c84801e
SHA256:
0CB065119B97A7CA77642E13F5794B9BABBA6C3D2B526868A0C93E49BC457099
File Size:
65.54 KB, 65536 bytes
|
|
MD5:
92892b7bc7b4270ff9499f442fa4f99e
SHA1:
3bcb725d5fa27e574a74eb269830805ee39960ea
SHA256:
08081F677D5E23E8054FCB14853AB7C949588C2201F5B6DF99B264B678AA95B4
File Size:
1.09 MB, 1093260 bytes
|
Show More
|
MD5:
4015ddd77c2f5e4220c0afd3d182a849
SHA1:
45bcea822de42b60bf5398fd2b3835a1b9dce7f5
SHA256:
883190C134A8D41DB91F88271F30734F138E479EF36B3C50432ECFFA07EE1F46
File Size:
57.34 KB, 57344 bytes
|
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File has exports table
- File has TLS information
- File is 32-bit executable
- File is 64-bit executable
- File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
Show More
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Windows PE Version Information
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.| Name | Value |
|---|---|
| Comments | Radmin - Remote Control Server |
| Company Name |
|
| File Description |
|
| File Version |
|
| Internal Build Number | 182945 |
| Internal Name |
|
| Legal Copyright |
|
| Legal Trademarks | Radmin, Remote Administrator |
| Original Filename |
|
| Product Name |
|
| Product Version |
|
| Program I D | ru.rmansys.SfxExtractor |
Digital Signatures
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature’s root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy “Self Signed” digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading “Signer” names.| Signer | Root | Status |
|---|---|---|
| IP Ter-Osipov Aleksey Vladimirovich | GlobalSign Code Signing Root R45 | Root Not Trusted |
| Famatech Corp. | Symantec Class 3 SHA256 Code Signing CA | Hash Mismatch |
| Famatech Corp. | VeriSign Class 3 Code Signing 2010 CA | Hash Mismatch |
| Famatech Corp. | VeriSign Class 3 Public Primary Certification Authority - G5 | Hash Mismatch |
File Traits
- 2+ executable sections
- HighEntropy
- Installer Manifest
- Installer Version
- x86
Block Information
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.| Total Blocks: | 80 |
|---|---|
| Potentially Malicious Blocks: | 0 |
| Whitelisted Blocks: | 80 |
| Unknown Blocks: | 0 |
Visual Map
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
1
0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
? - Unknown Block
x - Potentially Malicious Block
Similar Families
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.- Agent.OFE
- MeshAgent.A
- Vidar.FA
Windows API Usage
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.| Category | API |
|---|---|
| Syscall Use |
Show More
|
| Service Control |
|
| Process Shell Execute |
|
| Other Suspicious |
|
Shell Command Execution
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.
open RServer3.exe
|
