imminent | ea7b64e60ffd4537f9978a3df9430e3eb3f5395ef632f16fd17f5945b829484b | Triage

Submit
Reports

Overview

overview

Static

static

3

9976f599e8...18.exe

windows7-x64

9976f599e8...18.exe

windows10-2004-x64

Sharing

General

Target

9976f599e88407d195ffc0ecce4ed38f_JaffaCakes118
Size

497KB
Sample

240605-2xlelsbc4t
MD5

9976f599e88407d195ffc0ecce4ed38f
SHA1

4a6f3eb8a1908caeef37628116c4c9caebf885b6
SHA256

ea7b64e60ffd4537f9978a3df9430e3eb3f5395ef632f16fd17f5945b829484b
SHA512

52cf9ed994659bf3079de762cdd27de83a79bd2a1b01334c80353777719988db538f850089eb24a9f72b2b2a2b9e050f776ef80154220d5679b99895493ec27d
SSDEEP

12288:/uCTD7DIh2R8cud2g4GGbIheZHT/SyMPLA8oMXC4NL:zfIh2gANGGb8IM0hMXb

Score

10^/10

imminent agilenet persistence spyware trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

9976f599e88407d195ffc0ecce4ed38f_JaffaCakes118.exe

Resource

win7-20240508-en

imminent agilenet persistence spyware trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

9976f599e88407d195ffc0ecce4ed38f_JaffaCakes118.exe

Resource

win10v2004-20240426-en

imminent agilenet persistence spyware trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Targets

- Target
  
  9976f599e88407d195ffc0ecce4ed38f_JaffaCakes118
- Size
  
  497KB
- MD5
  
  9976f599e88407d195ffc0ecce4ed38f
- SHA1
  
  4a6f3eb8a1908caeef37628116c4c9caebf885b6
- SHA256
  
  ea7b64e60ffd4537f9978a3df9430e3eb3f5395ef632f16fd17f5945b829484b
- SHA512
  
  52cf9ed994659bf3079de762cdd27de83a79bd2a1b01334c80353777719988db538f850089eb24a9f72b2b2a2b9e050f776ef80154220d5679b99895493ec27d
- SSDEEP
  
  12288:/uCTD7DIh2R8cud2g4GGbIheZHT/SyMPLA8oMXC4NL:zfIh2gANGGb8IM0hMXb
Score

10^/10

imminent agilenet persistence spyware trojan
- Imminent RAT
  Remote-access trojan based on Imminent Monitor remote admin software.
  trojan spyware imminent
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

imminentagilenetpersistencespywaretrojan

behavioral2

imminentagilenetpersistencespywaretrojan

© 2018-2024

Terms | Privacy