MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72bff15d43e54772c639f876fbd6b132310081c87a9d997c4b0b3c08d09caf9f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ImminentRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 72bff15d43e54772c639f876fbd6b132310081c87a9d997c4b0b3c08d09caf9f
SHA3-384 hash: cadbe727825108a4729268db185903363cdfd68a50f185bfcfbf8938db43104c75199bb7906fe0570125cfbd9e87f020
SHA1 hash: 9028382c262476b45a2ad510b47aa29989564017
MD5 hash: e3424021b3602af8dabe14f09f8eff9b
humanhash: west-three-lion-arizona
File name:UNAUTHORIZED SWAP.pdf.exe
Download: download sample
Signature ImminentRAT
Create hunting rule
File size:736'768 bytes
First seen:2020-12-09 10:44:32 UTC
Last seen:2020-12-09 13:02:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:KG0cSw8T2uYQ5F3OAhRa92zuV0S8/32bJQy22UMKN1gJRIRfNMu0cSw:kcSwFuF5l7AWugEE2caIpx0cSw
Threatray 26 similar samples on MalwareBazaar
TLSH 34F4E0326101BE62D97D0BF4917074040FAC6F276124E65DBD89B1EB26BF3607A81E6F
Reporter abuse_ch
Tags:exe ImminentRAT RAT


Avatar
abuse_ch
Malspam distributing ImminentRAT:

HELO: vps41306.inmotionhosting.com
Sending IP: 104.152.109.9
From: Elizabeth Fagoroyo [ MTN Nigeria - S&D ] <elizabeth.fagoroyo@mtn.com>
Subject: UNAUTHORIZED SWAP
Attachment: UNAUTHORIZED SWAP.rar (contains "UNAUTHORIZED SWAP.pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
136
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
UNAUTHORIZED SWAP.pdf.exe
Verdict:
Malicious activity
Analysis date:
2020-12-09 11:19:31 UTC
Tags:
rat imminent trojan
Link:
https://app.any.run/tasks/93583c77-b42f-440a-9b70-37f760518466

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/107437/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Stealer.21240.29248.21640.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
DNS request
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Sending a TCP request to an infection source
Enabling autorun by creating a file
Result
Gathering data
Result
Threat name:
Imminent AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/558907
Signature
.NET source code contains potential unpacker
Detected Imminent RAT
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Yara detected Imminent
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 328551 Sample: UNAUTHORIZED  SWAP.pdf.exe Startdate: 09/12/2020 Architecture: WINDOWS Score: 100 58 Malicious sample detected (through community Yara rule) 2->58 60 Multi AV Scanner detection for dropped file 2->60 62 Sigma detected: Scheduled temp file as task from temp location 2->62 64 14 other signatures 2->64 7 UNAUTHORIZED  SWAP.pdf.exe 6 2->7         started        11 Server.exe 5 2->11         started        13 Server.exe 4 2->13         started        process3 file4 44 C:\Users\user\AppData\...\gBGRpfArWegoV.exe, PE32 7->44 dropped 46 C:\Users\user\AppData\Local\...\tmp9921.tmp, XML 7->46 dropped 48 C:\Users\...\UNAUTHORIZED  SWAP.pdf.exe.log, ASCII 7->48 dropped 66 Injects a PE file into a foreign processes 7->66 15 UNAUTHORIZED  SWAP.pdf.exe 17 12 7->15         started        20 schtasks.exe 1 7->20         started        22 Server.exe 4 11->22         started        24 schtasks.exe 1 11->24         started        26 Server.exe 11->26         started        28 Server.exe 11->28         started        30 Server.exe 13->30         started        32 schtasks.exe 13->32         started        34 Server.exe 13->34         started        signatures5 process6 dnsIp7 50 greataggy2.linkpc.net 194.5.98.46, 1008, 49742 DANILENKODE Netherlands 15->50 52 www.iptrackeronline.com 104.28.31.51, 443, 49743, 49744 CLOUDFLARENETUS United States 15->52 54 192.168.2.1 unknown unknown 15->54 42 C:\Users\user\AppData\Local\...\Server.exe, PE32 15->42 dropped 56 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->56 36 conhost.exe 20->36         started        38 conhost.exe 24->38         started        40 conhost.exe 32->40         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/72bff15d43e54772c639f876fbd6b132310081c87a9d997c4b0b3c08d09caf9f/
Threat name:
ByteCode-MSIL.Ransomware.TeslaCrypt
Create hunting rule
Status:
Malicious
First seen:
2020-12-09 10:45:10 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ok77cxkd4vdxfrrz7b3pxvvrgiyqbaoipkozs7clbm6arue4v6pq._file
Verdict:
unknown
Similar samples:
1fc0f9704d3d6d03c8df4559dc784ebd7c1e2a38db56daf79297a3ab48e840b2
ImminentRAT
31736a54c77e7f44f952f55536eb4ac6d5863c9ed970a087c0d1cc801a558728
ImminentRAT
3bbed2bec4921aca55a13e5ccf12147bb43f164a915e9b1b0a0bfb9a54954409
ImminentRAT
5d8446a23b80e9b6cb7406c2ba81d606685cf11b24e9eb8309153a47b04f3aad
ImminentRAT
5e106d7b95627d982862e8d97f9b057632427008df0b994cd4b99e17c41a4c26
ImminentRAT
6d4d2a2d69e81b0f6b91a437aaf0869956306c347f0b2ed492168f95d6b24d93
ImminentRAT
70d86fc8d1247dcd26ed0927411614973d45216d676978f768e14cb16d362536
ImminentRAT
8dd80fcf3dfd0cbc6c82a1f9154ed99e2cb6fea34d1384289f5a40064f207720
ImminentRAT
c7df51c40f5e04eeb7dac698fdf23964ad7bc16a7dd93fb47ea8dc6f8ea6cfd4
ImminentRAT
f2e2cb71a06ac2a95a02168fc3d91f160e6e07ca19c5e6d3d708a9a486dd3f92
ImminentRAT
+ 16 additional samples on MalwareBazaar
Result
Malware family:
imminent
Create hunting rule
Score:
  10/10
Tags:
family:imminent persistence spyware trojan
Link:
https://tria.ge/reports/201209-k6s9sczcha/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops desktop.ini file(s)
Imminent RAT
Unpacked files
SH256 hash:
72bff15d43e54772c639f876fbd6b132310081c87a9d997c4b0b3c08d09caf9f
MD5 hash:
e3424021b3602af8dabe14f09f8eff9b
SHA1 hash:
9028382c262476b45a2ad510b47aa29989564017
Link:
https://www.unpac.me/results/d82392a1-bee0-4af9-9df9-e82d4dae529c/
SH256 hash:
84bd5c640a374fd14bff2521ce446cc69de122d5985536bcb927eade14537c31
MD5 hash:
d82091a16e2735ef64475b0a9ff4b082
SHA1 hash:
188de7feb657ad2f8911db025bfde23fb9aee19e
Link:
https://www.unpac.me/results/d82392a1-bee0-4af9-9df9-e82d4dae529c/
SH256 hash:
c88a66cbf00b12c88e2b970b8bc220e970e8465e56098ced24e97d42be901b94
MD5 hash:
a60401dc02ff4f3250a749965097e13f
SHA1 hash:
3f22d28fd765f831084cb972a8bd071e421c26a1
Link:
https://www.unpac.me/results/d82392a1-bee0-4af9-9df9-e82d4dae529c/
SH256 hash:
dc1a92316c848ecd07d1fbc2fd60de6ea504a7077aa89a5ffc09f92d686f35fe
MD5 hash:
2089a7ad109b459abee9545f69ad6a75
SHA1 hash:
838b44a218ad069fd39736cffd707c9e2f3c5849
Detections:
win_blackshades_w0
Create hunting rule
Link:
https://www.unpac.me/results/d82392a1-bee0-4af9-9df9-e82d4dae529c/
SH256 hash:
0245467395e61c0e873612f38705e47a4b72acaaf0a3ba02ee65b20470488825
MD5 hash:
f93937b67a4a89ef91e122ddd30bb35c
SHA1 hash:
639378443c4d21130eecd653b9e3b18d8116a10a
Link:
https://www.unpac.me/results/d82392a1-bee0-4af9-9df9-e82d4dae529c/
SH256 hash:
d91dcdcfd802d98696833a5035d6a730dc075a9bcce8c1edd938a2dbf65142e0
MD5 hash:
4f7ed83ac54f289978ecdc9d23038ded
SHA1 hash:
c7edaf62a88ff283f79deceea012128a3a8a6141
Link:
https://www.unpac.me/results/d82392a1-bee0-4af9-9df9-e82d4dae529c/
SH256 hash:
baee7f0669b4c46110039f2d69a18b2f739669c257c9def875baf266dde372ae
MD5 hash:
01f32ae791553f65aec629901beb0240
SHA1 hash:
cc7e9944911511005a683406c11203c8df76512c
Link:
https://www.unpac.me/results/d82392a1-bee0-4af9-9df9-e82d4dae529c/
SH256 hash:
666d44798d94eafa1ed21af79e9bc0293ffd96f863ab5d87f78bcee9ef9ffd6b
MD5 hash:
17ed442e8485ac3f7dc5b3c089654a61
SHA1 hash:
d3a17c1fdd6d54951141053f88bf8238dea0b937
Link:
https://www.unpac.me/results/d82392a1-bee0-4af9-9df9-e82d4dae529c/
SH256 hash:
bafa6ed04ca2782270074127a0498dde022c2a9f4096c6bb2b8e3c08bb3d404d
MD5 hash:
0bd34aa29c7ea4181900797395a6da78
SHA1 hash:
ddffdcef29daddc36ca7d8ae2c8e01c1c8bb23a8
Link:
https://www.unpac.me/results/d82392a1-bee0-4af9-9df9-e82d4dae529c/
Parent samples :
c21aa7be1ee9b32dd1d19f84b901f7bcd410584e89b570051a9603e547158d42
e723709ebd1439aa76c850f99d7843b0125f5c8456a53ade128da884e650382e
ee5b17af1bea3ce53b9a6bb09c21f634b9465fe505a01177b9eb33943f3021d3
4e90fa3f4197c83ee858b522e2a99a8145da5e0f972f06a9b825e4a2781dc550
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/72bff15d43e54772c639f876fbd6b132310081c87a9d997c4b0b3c08d09caf9f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:win_blackshades_w0
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ImminentRAT

rar c37f3ea689c8e3c99c116bdd55f20b0e1026c7ddd02bb83bf82aa201254a1917

ImminentRAT

Executable exe 72bff15d43e54772c639f876fbd6b132310081c87a9d997c4b0b3c08d09caf9f

(this sample)

  
Dropped by
MD5 f277ace5ff55bbbc5ce339a0b22cfe58
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/107437/
  
Dropped by
SHA256 c37f3ea689c8e3c99c116bdd55f20b0e1026c7ddd02bb83bf82aa201254a1917

Comments