File name:

Sigmanly_cba055715bd2eafd3aa3b980a6401bc92c3afb110d4785207533db86bc73fe80

Full analysis: https://app.any.run/tasks/1acf8ebd-5057-46e8-9be3-b1ae1134b218
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: May 15, 2025, 13:30:57
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
rat
remcos
remote
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:

F3A4217A1D9283BA7C42C7FD358B3593

SHA1:

9C68535FA5856B3DDF1D092E65BF5FDA0110C5FE

SHA256:

CBA055715BD2EAFD3AA3B980A6401BC92C3AFB110D4785207533DB86BC73FE80

SSDEEP:

12288:31eur+yiTgkF444VAw7ge/Q4fR4kunYcWGcK4oZ+YpWVVVVVVVVVVVVVVVVVKL:RrdQ0BunO1oZVpv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • REMCOS has been detected (SURICATA)

      • Sigmanly_cba055715bd2eafd3aa3b980a6401bc92c3afb110d4785207533db86bc73fe80.exe (PID: 5968)

    • REMCOS has been detected (YARA)

      • Sigmanly_cba055715bd2eafd3aa3b980a6401bc92c3afb110d4785207533db86bc73fe80.exe (PID: 5968)

    • REMCOS has been detected

      • Sigmanly_cba055715bd2eafd3aa3b980a6401bc92c3afb110d4785207533db86bc73fe80.exe (PID: 5968)

    • REMCOS mutex has been found

      • Sigmanly_cba055715bd2eafd3aa3b980a6401bc92c3afb110d4785207533db86bc73fe80.exe (PID: 5968)

  • SUSPICIOUS

    • Connects to unusual port

      • Sigmanly_cba055715bd2eafd3aa3b980a6401bc92c3afb110d4785207533db86bc73fe80.exe (PID: 5968)

    • There is functionality for taking screenshot (YARA)

      • Sigmanly_cba055715bd2eafd3aa3b980a6401bc92c3afb110d4785207533db86bc73fe80.exe (PID: 5968)

    • Contacting a server suspected of hosting an CnC

      • Sigmanly_cba055715bd2eafd3aa3b980a6401bc92c3afb110d4785207533db86bc73fe80.exe (PID: 5968)

  • INFO

    • Checks supported languages

      • Sigmanly_cba055715bd2eafd3aa3b980a6401bc92c3afb110d4785207533db86bc73fe80.exe (PID: 5968)

    • Reads the machine GUID from the registry

      • Sigmanly_cba055715bd2eafd3aa3b980a6401bc92c3afb110d4785207533db86bc73fe80.exe (PID: 5968)

    • Reads the computer name

      • Sigmanly_cba055715bd2eafd3aa3b980a6401bc92c3afb110d4785207533db86bc73fe80.exe (PID: 5968)

    • Reads the software policy settings

      • slui.exe (PID: 1272)

    • Checks proxy server information

      • slui.exe (PID: 1272)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Remcos

(PID) Process(5968) Sigmanly_cba055715bd2eafd3aa3b980a6401bc92c3afb110d4785207533db86bc73fe80.exe
C2 (2)byamba.webredirect.org:54604
kabla.duckdns.org:54604
BotnetDUmebi
Options
Connect_interval1
Install_flagFalse
Install_HKCU\RunTrue
Install_HKLM\RunTrue
Install_HKLM\Explorer\Run1
Setup_path%LOCALAPPDATA%
Copy_fileremcos.exe
Startup_valueRemcos
Hide_fileFalse
Mutex_nameRmc-BWNALV
Keylog_flag0
Keylog_path%LOCALAPPDATA%
Keylog_filelogs.dat
Keylog_cryptFalse
Hide_keylogFalse
Screenshot_flagFalse
Screenshot_time5
Take_ScreenshotFalse
Screenshot_path%APPDATA%
Screenshot_fileScreenshots
Screenshot_cryptFalse
Mouse_optionFalse
Delete_fileFalse
Audio_record_time5
Audio_path%ProgramFiles%
Audio_dirMicRecords
Connect_delay0
Copy_dirRemcos
Keylog_dirremcos
Max_keylog_file100000
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:08:20 16:47:03+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 345088
InitializedDataSize: 134656
UninitializedDataSize: -
EntryPoint: 0x327a4
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
125
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #REMCOS sigmanly_cba055715bd2eafd3aa3b980a6401bc92c3afb110d4785207533db86bc73fe80.exe svchost.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
1272C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
5968"C:\Users\admin\Desktop\Sigmanly_cba055715bd2eafd3aa3b980a6401bc92c3afb110d4785207533db86bc73fe80.exe" C:\Users\admin\Desktop\Sigmanly_cba055715bd2eafd3aa3b980a6401bc92c3afb110d4785207533db86bc73fe80.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\sigmanly_cba055715bd2eafd3aa3b980a6401bc92c3afb110d4785207533db86bc73fe80.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Remcos
(PID) Process(5968) Sigmanly_cba055715bd2eafd3aa3b980a6401bc92c3afb110d4785207533db86bc73fe80.exe
C2 (2)byamba.webredirect.org:54604
kabla.duckdns.org:54604
BotnetDUmebi
Options
Connect_interval1
Install_flagFalse
Install_HKCU\RunTrue
Install_HKLM\RunTrue
Install_HKLM\Explorer\Run1
Setup_path%LOCALAPPDATA%
Copy_fileremcos.exe
Startup_valueRemcos
Hide_fileFalse
Mutex_nameRmc-BWNALV
Keylog_flag0
Keylog_path%LOCALAPPDATA%
Keylog_filelogs.dat
Keylog_cryptFalse
Hide_keylogFalse
Screenshot_flagFalse
Screenshot_time5
Take_ScreenshotFalse
Screenshot_path%APPDATA%
Screenshot_fileScreenshots
Screenshot_cryptFalse
Mouse_optionFalse
Delete_fileFalse
Audio_record_time5
Audio_path%ProgramFiles%
Audio_dirMicRecords
Connect_delay0
Copy_dirRemcos
Keylog_dirremcos
Max_keylog_file100000
Total events
3 767
Read events
3 765
Write events
2
Delete events
0

Modification events

(PID) Process:(5968) Sigmanly_cba055715bd2eafd3aa3b980a6401bc92c3afb110d4785207533db86bc73fe80.exeKey:HKEY_CURRENT_USER\SOFTWARE\Rmc-BWNALV
Operation:writeName:exepath
Value:
C9DF7C4E5B19443F00985B3FB4569F2F7BCDA524885FBE752E337206E326187912C05C6878405A1288E5CC332789FBA29CF0ACBA31A482F9F31C653C037E6A7DFAA71190106FCB63422865E5C65B13C76015396124A29F71A1E8DA3044A1F0F784DA9F066CB091F7EB5E3ED26721FA591A53BA6CAAF8BF543EFFB8AF5A3976DB5599BA3D60E4D5EAE00C9ABC57A758F2DCD93797F421411D84F2049C82DDC454BBBBC03CBB2B5A10C984081BF3F2650A9FABA365422E8ABBD156A22E333B559062D2191910373B24A476
(PID) Process:(5968) Sigmanly_cba055715bd2eafd3aa3b980a6401bc92c3afb110d4785207533db86bc73fe80.exeKey:HKEY_CURRENT_USER\SOFTWARE\Rmc-BWNALV
Operation:writeName:licence
Value:
E5A3968153255A067F037AFEA58ECEBE
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
57
DNS requests
26
Threats
28

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5256
SIHClient.exe
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
5256
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
5256
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
2104
svchost.exe
GET
200
23.48.23.177:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5256
SIHClient.exe
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
5256
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
5256
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5256
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
5968
Sigmanly_cba055715bd2eafd3aa3b980a6401bc92c3afb110d4785207533db86bc73fe80.exe
45.134.142.4:54604
byamba.webredirect.org
Datacamp Limited
US
malicious
2104
svchost.exe
23.48.23.177:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
6544
svchost.exe
40.126.31.67:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5968
Sigmanly_cba055715bd2eafd3aa3b980a6401bc92c3afb110d4785207533db86bc73fe80.exe
185.157.163.21:54604
kabla.duckdns.org
SE
malicious
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.206
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
  • 4.231.128.59
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.249
whitelisted
byamba.webredirect.org
  • 45.134.142.4
malicious
crl.microsoft.com
  • 23.48.23.177
  • 23.48.23.145
  • 23.48.23.156
  • 23.48.23.176
  • 23.48.23.159
  • 23.48.23.141
  • 23.48.23.143
  • 23.48.23.193
  • 23.48.23.147
  • 2.19.11.120
  • 2.19.11.105
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 95.101.149.131
whitelisted
kabla.duckdns.org
  • 185.157.163.21
malicious
login.live.com
  • 40.126.31.67
  • 20.190.159.128
  • 40.126.31.131
  • 20.190.159.130
  • 40.126.31.71
  • 20.190.159.4
  • 40.126.31.73
  • 20.190.159.73
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.webredirect .org Domain
2196
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
5968
Sigmanly_cba055715bd2eafd3aa3b980a6401bc92c3afb110d4785207533db86bc73fe80.exe
A Network Trojan was detected
REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
2196
svchost.exe
Misc activity
ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
5968
Sigmanly_cba055715bd2eafd3aa3b980a6401bc92c3afb110d4785207533db86bc73fe80.exe
Malware Command and Control Activity Detected
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
2196
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
2196
svchost.exe
Misc activity
ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
2196
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
2196
svchost.exe
Misc activity
ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
5968
Sigmanly_cba055715bd2eafd3aa3b980a6401bc92c3afb110d4785207533db86bc73fe80.exe
A Network Trojan was detected
REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Sigmanly_cba055715bd2eafd3aa3b980a6401bc92c3afb110d4785207533db86bc73fe80