MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d73cae4d04a7d22c85fa0468a498753564a13fbc193955a1c00f12af8d4aec6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ImminentRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d73cae4d04a7d22c85fa0468a498753564a13fbc193955a1c00f12af8d4aec6d
SHA3-384 hash: 7e587b10ff0a64332e358936e117c8c21d784d252c4f474a85869d2e589950e5f293e6dad58b460d6fde42824ef8e2b6
SHA1 hash: e0e41bd431dec7e2f594223e7f03790cee4deeef
MD5 hash: f2c16a5c41c530b3df4dedb68e2444b5
humanhash: golf-kansas-montana-don
File name:SIM Swap Document Request.pdf.exe
Download: download sample
Signature ImminentRAT
Create hunting rule
File size:936'064 bytes
First seen:2020-11-05 09:36:12 UTC
Last seen:2020-11-05 11:51:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:BAzsyOar/nRJn+0yH09UI0rvB5WOsG+W8d4b0Y+SwI:B6slar/nRJ+9H09UPLpgp
Threatray 10 similar samples on MalwareBazaar
TLSH 4C15127AD555FDA2CC344A303574F4281A3E6F4278198D6E7C0DF09AABB73923494E8E
Reporter abuse_ch
Tags:exe ImminentRAT RAT


Avatar
abuse_ch
Malspam distributing ImminentRAT:

HELO: vps41306.inmotionhosting.com
Sending IP: 104.152.109.9
From: Augusta Ihuoma [ MTN Nigeria - S&D ] <Augusta.Ihuoma@mtn.com>
Subject: SIM Swap Document Request (URGENT)
Attachment: SIM Swap Document Request.rar (contains "SIM Swap Document Request.pdf.exe")

ImminentRAT C2:
greataggy2.linkpc.net

Intelligence

File Origin
# of uploads :
2
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Agenttesla
Create hunting rule
Link:
https://www.capesandbox.com/analysis/83166/
Detection(s):
PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Launching a process
DNS request
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Sending a TCP request to an infection source
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
Imminent AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/521200
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Imminent RAT
Drops PE files to the startup folder
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Imminent
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d73cae4d04a7d22c85fa0468a498753564a13fbc193955a1c00f12af8d4aec6d/
Threat name:
ByteCode-MSIL.Trojan.Skeeyah
Create hunting rule
Status:
Malicious
First seen:
2020-11-05 03:23:16 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=246k4tieu7jczbp2arukjgdvgvskcp54de4vlioab4jk7dkk5rwq._file
Verdict:
unknown
Similar samples:
1aa2ba9a2898cc652c73b06bc862739c8a996f9f241b3c0dfd82115583b6e887
ImminentRAT
1fc0f9704d3d6d03c8df4559dc784ebd7c1e2a38db56daf79297a3ab48e840b2
ImminentRAT
2f3474e57e4d3df1cedeef87e3716fa9143a63cf7ffdd9273273f41c8a8bc223
ImminentRAT
31736a54c77e7f44f952f55536eb4ac6d5863c9ed970a087c0d1cc801a558728
ImminentRAT
32ec92b57297749ae4e4cc6299579355e77573ffdf0b125d1f65ebcc62b9fbfb
ImminentRAT
33f3c581f4bc6cb4c7e6b63a6857220ab404020f188650f11bf0ec55e96877a4
ImminentRAT
5d8446a23b80e9b6cb7406c2ba81d606685cf11b24e9eb8309153a47b04f3aad
ImminentRAT
5e106d7b95627d982862e8d97f9b057632427008df0b994cd4b99e17c41a4c26
ImminentRAT
83ef26bdf4b6b513417a97c8997aa2152bc0fb0f0af9d0b30cf6a46d4959ce38
ImminentRAT
89e9fd57dffefa56428cdea17fb31951591e0f7fbe8d25859dd7c8221f048d3d
ImminentRAT
Result
Malware family:
imminent
Create hunting rule
Score:
  10/10
Tags:
family:imminent persistence spyware trojan
Link:
https://tria.ge/reports/201105-ddy5ak8zrn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Imminent RAT
Unpacked files
SH256 hash:
d73cae4d04a7d22c85fa0468a498753564a13fbc193955a1c00f12af8d4aec6d
MD5 hash:
f2c16a5c41c530b3df4dedb68e2444b5
SHA1 hash:
e0e41bd431dec7e2f594223e7f03790cee4deeef
Link:
https://www.unpac.me/results/93893f8f-af30-44d6-bc07-7d04da586ffe/
SH256 hash:
7fdbcd893d071c356877f383feb8309fc9e3a9980c1856a218c0b061180b4867
MD5 hash:
6bf49bfc7a4b3ed4e53dec7c207c8fb1
SHA1 hash:
1a6c99cb6cc0d44aca04846b1c9cbff5ad4cf6f4
Link:
https://www.unpac.me/results/93893f8f-af30-44d6-bc07-7d04da586ffe/
SH256 hash:
e3da0f31ddcf0579fb1d13e8aa960e6473b016b45984c028092e2dea2bdb805f
MD5 hash:
d7524c09bbc209d1872239d58bc8ba36
SHA1 hash:
cce51689136d98ee8e6978459714c2dd6db4702f
Detections:
win_blackshades_w0
Create hunting rule
Link:
https://www.unpac.me/results/93893f8f-af30-44d6-bc07-7d04da586ffe/
Parent samples :
d73cae4d04a7d22c85fa0468a498753564a13fbc193955a1c00f12af8d4aec6d
03b3a862ce340a8351d7dfe88cb8e864ba8d0db6c7d0e8089c7c4453b78f75f6
c7df51c40f5e04eeb7dac698fdf23964ad7bc16a7dd93fb47ea8dc6f8ea6cfd4
SH256 hash:
f7166a9ae1a3b82717b60e70a7cf67e7e832f5d4a2eceaa145f36ad85c81ef06
MD5 hash:
a6878836577010d7a0f80dd104b33922
SHA1 hash:
52668a74402f3705e71e86703eed18604235c561
Link:
https://www.unpac.me/results/93893f8f-af30-44d6-bc07-7d04da586ffe/
SH256 hash:
0245467395e61c0e873612f38705e47a4b72acaaf0a3ba02ee65b20470488825
MD5 hash:
f93937b67a4a89ef91e122ddd30bb35c
SHA1 hash:
639378443c4d21130eecd653b9e3b18d8116a10a
Link:
https://www.unpac.me/results/93893f8f-af30-44d6-bc07-7d04da586ffe/
SH256 hash:
d91dcdcfd802d98696833a5035d6a730dc075a9bcce8c1edd938a2dbf65142e0
MD5 hash:
4f7ed83ac54f289978ecdc9d23038ded
SHA1 hash:
c7edaf62a88ff283f79deceea012128a3a8a6141
Link:
https://www.unpac.me/results/93893f8f-af30-44d6-bc07-7d04da586ffe/
SH256 hash:
baee7f0669b4c46110039f2d69a18b2f739669c257c9def875baf266dde372ae
MD5 hash:
01f32ae791553f65aec629901beb0240
SHA1 hash:
cc7e9944911511005a683406c11203c8df76512c
Link:
https://www.unpac.me/results/93893f8f-af30-44d6-bc07-7d04da586ffe/
SH256 hash:
666d44798d94eafa1ed21af79e9bc0293ffd96f863ab5d87f78bcee9ef9ffd6b
MD5 hash:
17ed442e8485ac3f7dc5b3c089654a61
SHA1 hash:
d3a17c1fdd6d54951141053f88bf8238dea0b937
Link:
https://www.unpac.me/results/93893f8f-af30-44d6-bc07-7d04da586ffe/
SH256 hash:
bafa6ed04ca2782270074127a0498dde022c2a9f4096c6bb2b8e3c08bb3d404d
MD5 hash:
0bd34aa29c7ea4181900797395a6da78
SHA1 hash:
ddffdcef29daddc36ca7d8ae2c8e01c1c8bb23a8
Link:
https://www.unpac.me/results/93893f8f-af30-44d6-bc07-7d04da586ffe/
Parent samples :
c21aa7be1ee9b32dd1d19f84b901f7bcd410584e89b570051a9603e547158d42
e723709ebd1439aa76c850f99d7843b0125f5c8456a53ade128da884e650382e
ee5b17af1bea3ce53b9a6bb09c21f634b9465fe505a01177b9eb33943f3021d3
4e90fa3f4197c83ee858b522e2a99a8145da5e0f972f06a9b825e4a2781dc550
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Chrome_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Chrome in files like avemaria
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:win_blackshades_w0
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_

File information

The table below shows additional information about this malware sample such as delivery method and external references.

bf8355ac7d31876eb84a2d49806837fa

ImminentRAT

Executable exe d73cae4d04a7d22c85fa0468a498753564a13fbc193955a1c00f12af8d4aec6d

(this sample)

  
Dropped by
MD5 bf8355ac7d31876eb84a2d49806837fa
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/83166/

Comments