MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e66e23d1ae80b56efc2c38bf5adbb31dab91b811eaadce68f544e06323d52ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ImminentRAT


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2e66e23d1ae80b56efc2c38bf5adbb31dab91b811eaadce68f544e06323d52ef
SHA3-384 hash: 10b48260572ae8f218c4de1aaa4467c4520a30ff4cbf19e47b80d95b6d19b925c34d7593ff7d04555ea0d2ea62fd619c
SHA1 hash: d4ac00d9aee072b6d1499e730cf9bcb27ad957ad
MD5 hash: 8abebde631005ae15aba91eb8f36fbe7
humanhash: east-quiet-lemon-carolina
File name:8abebde631005ae15aba91eb8f36fbe7.exe
Download: download sample
Signature ImminentRAT
Create hunting rule
File size:1'007'104 bytes
First seen:2022-07-12 05:00:28 UTC
Last seen:2022-07-14 06:30:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:fFSTU2SeKzWAu7oipDkunb2iXWwy8UdJCnDasNai:fFSTU2aI8qkuniiX9yjJMa
TLSH T1022502266F14CB67D51D0B7C49B707502778823A8602FF8E4BF0942D2DA73D1AE16EDA
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 18a219d4d4198a10 (20 x AgentTesla, 12 x Formbook, 10 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe ImminentRAT


Avatar
abuse_ch
ImminentRAT C2:
172.245.163.161:9003

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
172.245.163.161:9003 https://threatfox.abuse.ch/ioc/827494/

Intelligence

File Origin
# of uploads :
2
# of downloads :
343
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
imminent
Create hunting rule
ID:
1
File name:
8abebde631005ae15aba91eb8f36fbe7.exe
Verdict:
Malicious activity
Analysis date:
2022-07-12 05:02:29 UTC
Tags:
trojan rat imminent
Link:
https://app.any.run/tasks/e6fd88fb-95b3-4809-b412-000b710086f0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Imminent
Create hunting rule
Link:
https://www.capesandbox.com/analysis/286428/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
anti-vm packed
Link:
https://www.filescan.io/uploads/62cd0010a496df53c252c464/reports/7e1dfac6-e5ac-4d70-b122-11cfb9c25fe9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Boilod
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dfc827d7-f5e4-4e5d-abf1-53acc45a4013
Result
Threat name:
Imminent
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1029144
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Detected Imminent RAT
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Imminent
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 661639 Sample: n9ewpLWCmh.exe Startdate: 12/07/2022 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Detected Imminent RAT 2->49 51 9 other signatures 2->51 7 n9ewpLWCmh.exe 23 2->7         started        process3 file4 29 C:\Users\user\AppData\Roaming\uppEqmN.exe, PE32 7->29 dropped 31 C:\Users\user\...\uppEqmN.exe:Zone.Identifier, ASCII 7->31 dropped 33 C:\Users\user\AppData\...\v0cubxti.newcfg, XML 7->33 dropped 35 8 other malicious files 7->35 dropped 55 May check the online IP address of the machine 7->55 57 Uses schtasks.exe or at.exe to add and modify task schedules 7->57 59 Adds a directory exclusion to Windows Defender 7->59 61 Injects a PE file into a foreign processes 7->61 11 n9ewpLWCmh.exe 16 7 7->11         started        15 WerFault.exe 7->15         started        18 powershell.exe 23 7->18         started        20 2 other processes 7->20 signatures5 process6 dnsIp7 39 172.245.163.161, 49737, 49739, 49748 SERVER-MANIACA United States 11->39 41 www.iptrackeronline.com 104.26.1.222, 443, 49754, 49755 CLOUDFLARENETUS United States 11->41 43 192.168.2.1 unknown unknown 11->43 63 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->63 22 Taskmgr.exe 11->22         started        37 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 15->37 dropped 25 conhost.exe 18->25         started        27 conhost.exe 20->27         started        file8 signatures9 process10 signatures11 53 Query firmware table information (likely to detect VMs) 22->53
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2e66e23d1ae80b56efc2c38bf5adbb31dab91b811eaadce68f544e06323d52ef/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-07-12 05:01:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fztoepi25afvn36cyof7lln3ghnlsg4bd2vnzzupkrhammr5klxq._file
Verdict:
malicious
Result
Malware family:
imminent
Create hunting rule
Score:
  10/10
Tags:
family:imminent spyware trojan
Link:
https://tria.ge/reports/220712-fnjnrscbak/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Imminent RAT
Unpacked files
SH256 hash:
b13976488d58387b5d72b6ab3acd505641bb8661d7fd83827e71db364a6ff4b6
MD5 hash:
4e2b3ad4ec086892c344d746ad07b82f
SHA1 hash:
c21cf8677bb58062c7bf756e1097163f7b5262e1
Link:
https://www.unpac.me/results/f5bcc706-01e4-4dc8-aee4-9c502d28c28f/
SH256 hash:
9406e906b131b325d35d3d8feef2d529e9605816592dbb87fba1eba51e79418d
MD5 hash:
d8cdb1949f4af468c37f4e29afa53083
SHA1 hash:
c4c3d39195c40eebe42254431fb2fa25bde39168
Detections:
win_blackshades_w0
Create hunting rule
Link:
https://www.unpac.me/results/f5bcc706-01e4-4dc8-aee4-9c502d28c28f/
SH256 hash:
2e66e23d1ae80b56efc2c38bf5adbb31dab91b811eaadce68f544e06323d52ef
MD5 hash:
8abebde631005ae15aba91eb8f36fbe7
SHA1 hash:
d4ac00d9aee072b6d1499e730cf9bcb27ad957ad
Link:
https://www.unpac.me/results/f5bcc706-01e4-4dc8-aee4-9c502d28c28f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2e66e23d1ae8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2e66e23d1ae80b56efc2c38bf5adbb31dab91b811eaadce68f544e06323d52ef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ImminentRAT

Executable exe 2e66e23d1ae80b56efc2c38bf5adbb31dab91b811eaadce68f544e06323d52ef

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2256261/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/286428/

Comments