PUP.RemoteAdmin
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Popularity Rank: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Popularity Rank: | 1,339 |
| Threat Level: | 10 % (Normal) |
| Infected Computers: | 38,599 |
| First Seen: | August 9, 2016 |
| Last Seen: | April 15, 2026 |
| OS(es) Affected: | Windows |
Table of Contents
SpyHunter Detects & Remove PUP.RemoteAdmin
File System Details
PUP.RemoteAdmin may create the following file(s):
| # | File Name | MD5 |
Detections
Detections: The number of confirmed and suspected cases of a particular threat detected on
infected computers as reported by SpyHunter.
|
|---|---|---|---|
| 1. | NETWork.exe | f36175806e9d0b21d95d36697d4017d9 | 32 |
| 2. | rutserv.exe | 4f40ef14a8143151764c3eb6c972398b | 9 |
| 3. | agent.exe | e0f4afe374d75608d604fbf108eac64f | 5 |
| 4. | YP.exe | 5d52ceb951384666ffb7a0b7e9b034fc | 4 |
| 5. | file.exe | 77f6d6693870fd19fc922d0c3a9b5b9b | 0 |
| 6. | r_server.exe | 24fc6bf84e755691ad9a9c033378bbf5 | 0 |
| 7. | 5961315 | 523057fbbe6c89336b9cb2b1c1b78d26 | 0 |
Registry Details
PUP.RemoteAdmin may create the following registry entry or registry entries:
Regexp file mask
%HOMEDRIVE%\Log\rfusclient.exe
%HOMEDRIVE%\rfusclient.exe
%HOMEDRIVE%\rutserv.exe
%PROGRAMFILES%\Java\rfusclient.exe
%PROGRAMFILES%\Java\rutserv.exe
%PROGRAMFILES%\Microsoft Games\rfusclient.exe
%PROGRAMFILES%\rtsd\rfusclient.exe
%PROGRAMFILES%\rtsd\rutserv.exe
%PROGRAMFILES%\System\rfusclient.exe
%PROGRAMFILES%\System\rutserv.exe
%PROGRAMFILES(x86)%\Java\rfusclient.exe
%PROGRAMFILES(x86)%\Java\rutserv.exe
%PROGRAMFILES(x86)%\System\rfusclient.exe
%PROGRAMFILES(x86)%\System\rutserv.exe
Directories
PUP.RemoteAdmin may create the following directory or directories:
| %ALLUSERSPROFILE%\CardWindows |
| %ALLUSERSPROFILE%\WindowsVolume |
| %APPDATA%\RMS-Agent |
| %Homedrive%\Remote Manipulator System |
| %PROGRAMFILES%\Remote Manipulator System - Host |
| %PROGRAMFILES%\Remote Manipulator System - Server |
| %PROGRAMFILES%\Remote Manipulator System - Viewer |
| %PROGRAMFILES%\Remote Utilities - Host |
| %PROGRAMFILES%\Remote Utilities - Server |
| %PROGRAMFILES%\Server |
| %PROGRAMFILES(x86)%\Remote Manipulator System - Host |
| %PROGRAMFILES(x86)%\Remote Manipulator System - Server |
| %PROGRAMFILES(x86)%\Remote Manipulator System - Viewer |
| %PROGRAMFILES(x86)%\Remote Utilities - Host |
| %PROGRAMFILES(x86)%\Remote Utilities - Server |
| %PROGRAMFILES(x86)%\Server |
| %Windir%\ehome\ASCON |
Analysis Report
General information
| Family Name: | PUP.RemoteAdmin |
|---|---|
| Signature status: | Root Not Trusted |
Known Samples
Known Samples
This section lists other file samples believed to be associated with this family.|
MD5:
8b82b0cb9c1515ea617abfae5f75a40b
SHA1:
f3e1677f6405e9be96efbbc767809ff77e41d62c
SHA256:
3806A20239ECA00B8D8EB7ACA1C6BD109BCCBB8AEBD83C6EB1545D5DE62A57A7
File Size:
6.66 MB, 6663432 bytes
|
|
MD5:
040fbad8e414e9f83b1049e2d6d19660
SHA1:
fca4ff4dcd14c7fc67271104839ddf5286fb4c1b
SHA256:
A9BDF8AA304FA511AF4BD702E9A1E06487E0191061BE47AF47340CFEFDB09E80
File Size:
3.28 MB, 3282920 bytes
|
|
MD5:
94d70ffe5cbc3c34b9e33c1540d6e7ec
SHA1:
e1c33ab4ca2664940aac5453e8649f023220ee95
SHA256:
3D5112C10EE98939B32542233C8D6C35FA00C60F5C19CE043B8F8990E5983727
File Size:
57.02 KB, 57024 bytes
|
|
MD5:
5a9453bee75456e5e6befae40d93b0c5
SHA1:
b3ed58c889ee7fe36a7e53cc70da690e9c84801e
SHA256:
0CB065119B97A7CA77642E13F5794B9BABBA6C3D2B526868A0C93E49BC457099
File Size:
65.54 KB, 65536 bytes
|
|
MD5:
92892b7bc7b4270ff9499f442fa4f99e
SHA1:
3bcb725d5fa27e574a74eb269830805ee39960ea
SHA256:
08081F677D5E23E8054FCB14853AB7C949588C2201F5B6DF99B264B678AA95B4
File Size:
1.09 MB, 1093260 bytes
|
Show More
|
MD5:
4015ddd77c2f5e4220c0afd3d182a849
SHA1:
45bcea822de42b60bf5398fd2b3835a1b9dce7f5
SHA256:
883190C134A8D41DB91F88271F30734F138E479EF36B3C50432ECFFA07EE1F46
File Size:
57.34 KB, 57344 bytes
|
|
MD5:
ee3de36c062c5311f19bb816ce134f08
SHA1:
44db6ee669ef4536421129a5aca1da6bdcf1e9b5
SHA256:
5705DE7AAEDEFC6830866F2ED0433E589C1D9F2230678BC18942481054B4DA7C
File Size:
321.14 KB, 321144 bytes
|
|
MD5:
a20c429550987040a5bb11ef07cdcc54
SHA1:
3e05224ea4090da2d109472ec0631003611c3bfd
SHA256:
9235E28A55722D8DDE2FEE5764487FD4BD1B2B7C7327FC56B221ECCDD03BAC62
File Size:
947.71 KB, 947712 bytes
|
|
MD5:
8b6686d16805880c582130ca3fbf0be0
SHA1:
847903c75bfa0c61df2e950550b7d301e2907f87
SHA256:
93CBF88A4A8E84C0C7B0A9250CE424987BBAE55BFC06B59DE78D25A6481580BC
File Size:
2.94 MB, 2940640 bytes
|
|
MD5:
afc24ceb743fb55f9ae4518e05eeea22
SHA1:
e7d9f51b8baf2e697e3ad9bedc5bbbcf62873ea1
SHA256:
8E68824823D78CC7615A567FCF6449F62D4CF98C10DA02C69BA27A2E48C65CC6
File Size:
1.38 MB, 1377792 bytes
|
|
MD5:
34944acd0923b660220f9c7e6b769f5e
SHA1:
ba39e0469aedfc9acd2b80a76d6c957a9dab19c9
SHA256:
D01B17B5B06C1D225251EB3F655FEF4949E22AE6C02C3BC1D74213A9F3195A3C
File Size:
2.51 MB, 2507480 bytes
|
|
MD5:
dae358ff83b01740f72a9a5b6c340c30
SHA1:
182698d9a922a7240e54bd03ae8e83f3a535a83f
SHA256:
C097D856C11AE9D60D93B4EC7990156F14D181F1080EAF192C073746AC2E5DFC
File Size:
325.75 KB, 325752 bytes
|
|
MD5:
3c51dbad937bd1dd7d3d642b5ada52bd
SHA1:
d9fd1fe9c380c6d136a7be6c1bc08bd37caffd99
SHA256:
D205CC374641F1ED4F647F792E26B62E7DF8C3F5745E50F3652138F7B8373DE8
File Size:
325.75 KB, 325752 bytes
|
|
MD5:
ee9494ee88213b4af38c7d7bd4d5ca4b
SHA1:
a9c7448b407bf51255c1a0dad1eb5d3a9f2db62f
SHA256:
3E5E6F748D2198586CA8C6465B78D3B0A8722B008386974BAABD518CE4340285
File Size:
2.51 MB, 2507480 bytes
|
|
MD5:
b0dfa01dc67a1da187e0048ee26fb7ec
SHA1:
65370a113992a5c9b239c6ddcbfdf56208461723
SHA256:
6C98C79224BCD76254E74860B58C7A06F54577FDB6945B014E7C742D9CA8DEF3
File Size:
931.93 KB, 931928 bytes
|
|
MD5:
b3e563677cdeb04282a67983183dd939
SHA1:
b5203c8200531683ef221a87baf67ffd69e037e1
SHA256:
5A70A053A29F4C85A12F0F47E32279B8C4F54F12F32751FE4BEDDA7C3217433F
File Size:
2.51 MB, 2507480 bytes
|
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File has exports table
- File has TLS information
- File is 32-bit executable
- File is 64-bit executable
- File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
Show More
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
File Icons
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Windows PE Version Information
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.| Name | Value |
|---|---|
| Comments |
|
| Company Name |
|
| File Description |
|
| File Version |
|
| Internal Build Number |
|
| Internal Name |
|
| Legal Copyright |
|
| Legal Trademarks | Radmin, Remote Administrator |
| Original Filename |
|
| Private Build | V14.10 |
| Product Name |
|
| Product Version |
|
| Program I D | ru.rmansys.SfxExtractor |
Digital Signatures
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature’s root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy “Self Signed” digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading “Signer” names.| Signer | Root | Status |
|---|---|---|
| Famatech International Corp. | Class 3 Public Primary Certification Authority | Root Not Trusted |
| DATEV.it SRL | DigiCert Trusted Root G4 | Root Not Trusted |
| IP Ter-Osipov Aleksey Vladimirovich | GlobalSign Code Signing Root R45 | Root Not Trusted |
| Famatech Corp. | Symantec Class 3 SHA256 Code Signing CA | Hash Mismatch |
| Famatech Corp. | VeriSign Class 3 Code Signing 2010 CA | Hash Mismatch |
Show More
| Famatech Corp. | VeriSign Class 3 Public Primary Certification Authority - G5 | Hash Mismatch |
File Traits
- 2+ executable sections
- HighEntropy
- Installer Manifest
- Installer Version
- x86
Block Information
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.| Total Blocks: | 1,606 |
|---|---|
| Potentially Malicious Blocks: | 29 |
| Whitelisted Blocks: | 1,577 |
| Unknown Blocks: | 0 |
Visual Map
x
x
2
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
2
3
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
1
1
0
1
1
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
2
0
0
0
0
0
0
0
0
0
0
0
0
0
1
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
2
0
2
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
1
0
0
0
0
0
0
0
0
0
2
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
2
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
2
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
2
2
0
0
0
1
1
1
1
2
0
x
x
0
0
0
0
0
x
x
0
1
0
0
0
1
1
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
2
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
1
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
2
0
2
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
1
0
0
0
0
2
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
1
1
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
2
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
2
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
2
2
0
3
1
1
0
0
1
0
0
0
0
0
0
x
x
0
0
0
x
0
x
0
0
0
0
0
0
0
0
0
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
2
3
0
0
1
0
1
0
0
0
0
0
0
1
0
0
0
0
0
1
1
0
0
1
0
0
0
2
2
1
0
0
0
0
0
0
2
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
1
0
0
1
0
0
1
1
0
0
1
0
0
0
0
0
0
0
1
0
0
0
0
0
0
1
2
x
x
0
0
x
0
0
0
0
0
x
0
0
x
0
0
0
0
0
x
0
0
0
0
0
0
x
x
0
0
x
x
x
0
0
x
x
0
x
0
0
0
0
0
0
x
0
x
0
0
0
0
0
0
0
0
x
0
x
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
2
3
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
1
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
2
2
0
0
0
0
0
0
0
0
0
0
0
0
1
1
0
0
0
0
2
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
1
1
0
0
0
0
0
0
0
0
0
0
0
0
0
2
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
2
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
2
2
0
1
1
1
0
0
1
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
? - Unknown Block
x - Potentially Malicious Block
Similar Families
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.- Agent.AVC
- Agent.M
- Agent.MAC
- Agent.OFE
- BadJoke.JB
Show More
- BadJoke.XA
- BadJoke.XAB
- BadJoke.XAE
- Filecoder.GYT
- Filecoder.VBC
- MeshAgent.A
- Trojan.Downloader.Gen.NL
- Trojan.Filecoder.Gen.AG
- Vidar.FA
Registry Modifications
Registry Modifications
This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.| Key::Value | Data | API Name |
|---|---|---|
| HKLM\system\controlset001\services\eventlog\application\screenconnect::eventmessagefile | C:\Windows\Microsoft.NET\Framework\v4.0.30319\EventLogMessages.dll | RegNtPreCreateKey |
Windows API Usage
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.| Category | API |
|---|---|
| Syscall Use |
Show More
|
| Service Control |
|
| Process Shell Execute |
|
| Other Suspicious |
|
| User Data Access |
|
| Anti Debug |
|
| Encryption Used |
|
Shell Command Execution
Shell Command Execution
This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.
open RServer3.exe
|
