MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c66e973686ee6d1761be2781a9f27f0f8d81fad4db088d836bebf6055cba193f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AceRAT


Vendor detections: 7

SHA256 hash: c66e973686ee6d1761be2781a9f27f0f8d81fad4db088d836bebf6055cba193f
SHA3-384 hash: 1171a91fef587f0af969541613a3c47490da52da86d5b0b3b6a15aff59c6204db7f331602919fe097cce1eda5e76ca9a
SHA1 hash: e48f6b38215a9b26a31901c67d93da244ad1a546
MD5 hash: c57cea8db447cb9bec608f939026bd86
humanhash: bulldog-gee-zulu-princess
File name: Proforma.exe
Signature: AceRAT
File size: 4'608 bytes
First seen: 2021-06-17 06:18:45 UTC
Last seen: 2021-06-17 06:48:37 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 48:6ewmoblyvSphn0i8GJYYSlao7jhdVZZjnR2dmzuulUo+hFnqXSfbNtm:3vvgh0Tj793jR2yCokFZzNt
Threatray: 26 similar samples on MalwareBazaar
TLSH: 72916301A3DC8626D2AA47742AF7431123F6FA108A33839E78D8565EBD227644913FF6
Reporter: abuse_ch
Tags: AceRAT exe RAT

Intelligence


File Origin
# of uploads: 2
# of downloads: 188
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Proforma.exe
Verdict: Suspicious activity
Analysis date: 2021-06-17 06:19:31 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Creates autostart registry keys with suspicious names
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sigma detected: Add file from suspicious location to autostart registry
Sigma detected: Koadic Execution
Uses ping.exe to check the status of other devices and networks
Behaviour
Behavior Graph: interactive graph not reproduced here (Behavior Graph ID: 435926, Sample: Proforma.exe, Startdate: 17/06/2021, Architecture: WINDOWS, Score: 100).
Threat name: ByteCode-MSIL.Exploit.Generic
Status: Suspicious
First seen: 2021-06-17 05:47:43 UTC
AV detection: 11 of 46 (23.91%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence pyinstaller
Behaviour
Modifies registry key
Modifies system certificate store
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
Adds Run key to start application
Deletes itself
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SHA256 hash: 59184a3e3c22344ad6aa7601736a12871db02706f6ddeb783fd9fb9f0ebffaad
MD5 hash: 8104aabd18c72972f6f2a7f2c154313c
SHA1 hash: 930ee6d3a64d175193b6d3b731ed04899cefc261

SHA256 hash: c66e973686ee6d1761be2781a9f27f0f8d81fad4db088d836bebf6055cba193f
MD5 hash: c57cea8db447cb9bec608f939026bd86
SHA1 hash: e48f6b38215a9b26a31901c67d93da244ad1a546
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AceRAT
Executable exe c66e973686ee6d1761be2781a9f27f0f8d81fad4db088d836bebf6055cba193f (this sample)
Delivery method: Distributed via e-mail attachment

Comments