Malware Analysis Report

2024-11-30 16:02

Sample ID 220621-x8jypsbbbm
Target 2fab9ed1f70faf53129a073e35a50ca0d759ea49d1a9871da2340c426d0f3a2f
SHA256 2fab9ed1f70faf53129a073e35a50ca0d759ea49d1a9871da2340c426d0f3a2f
Tags: imminent spyware trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 2fab9ed1f70faf53129a073e35a50ca0d759ea49d1a9871da2340c426d0f3a2f

Threat Level: Known bad

The file 2fab9ed1f70faf53129a073e35a50ca0d759ea49d1a9871da2340c426d0f3a2f was found to be: Known bad.

Malicious Activity Summary

imminent spyware trojan

Imminent RAT

Drops desktop.ini file(s)

Drops file in Windows directory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2022-06-21 19:35

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2022-06-21 19:31
Reported: 2022-06-21 19:42
Platform: win10v2004-20220414-en
Max time kernel: 150s
Max time network: 138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2fab9ed1f70faf53129a073e35a50ca0d759ea49d1a9871da2340c426d0f3a2f.exe"

Signatures

Imminent RAT

trojan spyware imminent

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2fab9ed1f70faf53129a073e35a50ca0d759ea49d1a9871da2340c426d0f3a2f.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2fab9ed1f70faf53129a073e35a50ca0d759ea49d1a9871da2340c426d0f3a2f.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\2fab9ed1f70faf53129a073e35a50ca0d759ea49d1a9871da2340c426d0f3a2f.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2fab9ed1f70faf53129a073e35a50ca0d759ea49d1a9871da2340c426d0f3a2f.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2fab9ed1f70faf53129a073e35a50ca0d759ea49d1a9871da2340c426d0f3a2f.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2fab9ed1f70faf53129a073e35a50ca0d759ea49d1a9871da2340c426d0f3a2f.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2fab9ed1f70faf53129a073e35a50ca0d759ea49d1a9871da2340c426d0f3a2f.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2fab9ed1f70faf53129a073e35a50ca0d759ea49d1a9871da2340c426d0f3a2f.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2fab9ed1f70faf53129a073e35a50ca0d759ea49d1a9871da2340c426d0f3a2f.exe

"C:\Users\Admin\AppData\Local\Temp\2fab9ed1f70faf53129a073e35a50ca0d759ea49d1a9871da2340c426d0f3a2f.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 adam150994.mooo.com udp
N/A 127.0.0.2:1605 tcp
US 20.189.173.10:443 tcp
DE 67.24.27.254:80 tcp
BE 8.238.110.126:80 tcp

Files

memory/1964-130-0x0000000074660000-0x0000000074C11000-memory.dmp

memory/1964-131-0x0000000074660000-0x0000000074C11000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2022-06-21 19:31
Reported: 2022-06-21 19:41
Platform: win7-20220414-en
Max time kernel: 152s
Max time network: 110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2fab9ed1f70faf53129a073e35a50ca0d759ea49d1a9871da2340c426d0f3a2f.exe"

Signatures

Imminent RAT

trojan spyware imminent

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2fab9ed1f70faf53129a073e35a50ca0d759ea49d1a9871da2340c426d0f3a2f.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2fab9ed1f70faf53129a073e35a50ca0d759ea49d1a9871da2340c426d0f3a2f.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2fab9ed1f70faf53129a073e35a50ca0d759ea49d1a9871da2340c426d0f3a2f.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2fab9ed1f70faf53129a073e35a50ca0d759ea49d1a9871da2340c426d0f3a2f.exe

"C:\Users\Admin\AppData\Local\Temp\2fab9ed1f70faf53129a073e35a50ca0d759ea49d1a9871da2340c426d0f3a2f.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 adam150994.mooo.com udp
N/A 127.0.0.2:1605 tcp

Files

memory/2040-54-0x0000000075841000-0x0000000075843000-memory.dmp

memory/2040-55-0x0000000074720000-0x0000000074CCB000-memory.dmp

memory/2040-56-0x0000000074720000-0x0000000074CCB000-memory.dmp