MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0646d2001e43eac37c568ac4972998a50dfdf3068b2991e4045208ad4e9f97c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ImminentRAT

Vendor detections: 13

SHA256 hash: 0646d2001e43eac37c568ac4972998a50dfdf3068b2991e4045208ad4e9f97c9
SHA3-384 hash: 640d4a72fd62016f97ab70e66f186ab9f527b7f6132c493704059cea6e3c0db6de4de7dcb065fc2cf456dcf28ffb5e84
SHA1 hash: e81731fba69da8f160b6ca378b866a32b6802545
MD5 hash: da42ca9550a5ce32c9fbdd96e86680b2
humanhash: undress-uniform-spring-london
File name: 0646D2001E43EAC37C568AC4972998A50DFDF3068B299.exe
Signature: ImminentRAT
File size: 1'166'336 bytes
First seen: 2023-04-02 04:05:19 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 725f16679d82998f672dd0cf32ac5a08 (1 x ImminentRAT)
ssdeep: 24576:GBx7bZDVyMQzuH/dwoILLOZ/OUIfHz1D75D2Xlvft4DRaaDp:OzyMqAdwooUWl6vO9aaDp
Threatray: 1'150 similar samples on MalwareBazaar
TLSH: T11D45D023B2B04833C1ABD6748D1B5B6DB92ABD243D34ED461FE53C785E35780386A693
TrID: 40.4% (.EXE) InstallShield setup (43053/19/16)
      13.3% (.EXE) Win32 Executable Delphi generic (14182/79/4)
      12.3% (.SCR) Windows screen saver (13097/50/3)
      9.8% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.3% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
Reporter: abuse_ch
Tags: exe ImminentRAT


abuse_ch
ImminentRAT C2:
http://www.mnbvcxzus.com/post.php

Intelligence


File Origin
# of uploads: 1
# of downloads: 328
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 0646D2001E43EAC37C568AC4972998A50DFDF3068B299.exe
Verdict: No threats detected
Analysis date: 2023-04-02 04:06:29 UTC
Tags: installer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Creating a window
Creating a file in the %temp% directory
Sending a custom TCP request
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Enabling the 'hidden' option for files in the %temp% directory
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
CheckCmdLine
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: fareit graftor keylogger lokibot packed remcos
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Agent Tesla, Imminent, AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Contains functionality to detect sleep reduction / modifications
Contains functionality to start a terminal service
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Detected Agent Tesla keylogger
Detected Imminent RAT
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found C&C like URL pattern
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Generic Downloader
Yara detected Imminent
Behaviour
Behavior Graph: Behavior Graph ID 839404 (sample 0646D2001E43EAC37C568AC4972..., start date 02/04/2023, architecture WINDOWS, score 100); the rendered graph is not reproduced here. Its nodes record contacted hosts www.mnbvcxzus.com (75.2.18.233, AMAZON-02US), elmalcorp.ufcfan.org, checkip.dyndns.org and checkip.dyndns.com, the dropped files C:\Users\user\AppData\Local\Temp\tesp.exe, C:\Users\user\AppData\...\WinDecode.exe, C:\Users\user\AppData\Local\...\windows.exe, C:\Users\user\AppData\Roaming\...\Windows.exe and C:\Users\Windows.exe, and child processes including cmd.exe, PING.EXE and conhost.exe, with the signatures listed above attached to the corresponding process nodes.
Threat name: Win32.Trojan.Graftor
Status: Malicious
First seen: 2023-04-01 00:28:00 UTC
File Type: PE (Exe)
Extracted files: 266
AV detection: 21 of 24 (87.50%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AgentTesla
Author: kevoreilly
Description: AgentTesla Payload
Rule name: agent_tesla
Author: Stormshield
Description: Detecting HTML strings used by Agent Tesla malware
Rule name: MALWARE_Win_AgentTeslaV3
Author: ditekSHen
Description: AgentTeslaV3 infostealer payload
Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB
Rule name: pe_imphash
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments