MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1a76dd042b5b4c825472ae3d0ecbdbe9b73049c457814aaa54997e16a37a33f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ImminentRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b1a76dd042b5b4c825472ae3d0ecbdbe9b73049c457814aaa54997e16a37a33f
SHA3-384 hash: 0efc4df6cbb7f0fe6d626538e624dda19159dfa99f740c4c7c29467084fabac1fbfffa7ef1d1ce36c66ebd82d9be84b8
SHA1 hash: fdbd4eab27d7f96f893d4d9bc8724c2986239a58
MD5 hash: ac3ce8e8920a0b504cf0a10e204d2f3f
humanhash: cardinal-mountain-whiskey-hawaii
File name:SecuriteInfo.com.Trojan.PackedNET.832.3222.3250
Download: download sample
Signature ImminentRAT
Create hunting rule
File size:911'872 bytes
First seen:2021-06-10 01:08:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:fQNHmAUA2eLL0L/8PW6tBRwJtYDN6LZTI:e8SLu/UdtjwJtgN6
Threatray 77 similar samples on MalwareBazaar
TLSH FF15F035274C5954E17F533590B1120493F0F507D322EA8EFEE898DA2EA27C2E3AF656
Reporter SecuriteInfoCom
Tags:exe ImminentRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.PackedNET.832.3222.3250
Verdict:
Malicious activity
Analysis date:
2021-06-10 09:58:58 UTC
Tags:
rat imminent trojan
Link:
https://app.any.run/tasks/f4613cf0-f944-4c96-bb92-2ca626e8d7c0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/165728/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.832.3222.3250.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Imminent
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/799912
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Detected Imminent RAT
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Imminent
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b1a76dd042b5b4c825472ae3d0ecbdbe9b73049c457814aaa54997e16a37a33f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-09 23:29:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
50
AV detection:
13 of 29 (44.83%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
1fc0f9704d3d6d03c8df4559dc784ebd7c1e2a38db56daf79297a3ab48e840b2
ImminentRAT
31736a54c77e7f44f952f55536eb4ac6d5863c9ed970a087c0d1cc801a558728
ImminentRAT
418b4dcbffc1a5a307147cccf7476293945dd18a12ae9c00ef2b942884a8427a
ImminentRAT
5e106d7b95627d982862e8d97f9b057632427008df0b994cd4b99e17c41a4c26
ImminentRAT
72bff15d43e54772c639f876fbd6b132310081c87a9d997c4b0b3c08d09caf9f
ImminentRAT
975cc3f3bd2bc6b0c3ba35733f0a3aee2b7772ab0410be735bf6f708cd379820
ImminentRAT
9f505b6b238543bdf2f4dedea6e0d2d2b72f285ebcea82b76311878975857b62
ImminentRAT
b7ef9f5137720932895dbc0e1231e71451eace1e82f2baac3e208c969ec1e966
ImminentRAT
c7df51c40f5e04eeb7dac698fdf23964ad7bc16a7dd93fb47ea8dc6f8ea6cfd4
ImminentRAT
dc1f93435a858fed72eee637cb23ad024ba309ec030dfa53f2495cb16776ccfd
ImminentRAT
+ 67 additional samples on MalwareBazaar
Result
Malware family:
imminent
Create hunting rule
Score:
  10/10
Tags:
family:imminent spyware trojan
Link:
https://tria.ge/reports/210610-qva3jq1722/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Imminent RAT
Unpacked files
SH256 hash:
e987e066b6b1ca5c3698a367d405b671a7f33e388289cb6b191faf4796478596
MD5 hash:
8b3814abb5e9cd9fb5da34bc71a4afc2
SHA1 hash:
8005c030dd9d0c1f146d18c4597f0a0f55e16577
Link:
https://www.unpac.me/results/a3bdfe91-181a-4f97-9f38-1aec4c845b0d/
SH256 hash:
b1a76dd042b5b4c825472ae3d0ecbdbe9b73049c457814aaa54997e16a37a33f
MD5 hash:
ac3ce8e8920a0b504cf0a10e204d2f3f
SHA1 hash:
fdbd4eab27d7f96f893d4d9bc8724c2986239a58
Link:
https://www.unpac.me/results/a3bdfe91-181a-4f97-9f38-1aec4c845b0d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b1a76dd042b5b4c825472ae3d0ecbdbe9b73049c457814aaa54997e16a37a33f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

ImminentRAT

Executable exe b1a76dd042b5b4c825472ae3d0ecbdbe9b73049c457814aaa54997e16a37a33f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1347676/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/165728/

Comments