Malware Analysis Report

2024-11-30 15:59

Sample ID 220703-t6pjmaghem
Target 3b5ea011e10d7359c4491366b2bf74ab10f75b4773e000923ad2d734a05b5633
SHA256 3b5ea011e10d7359c4491366b2bf74ab10f75b4773e000923ad2d734a05b5633
Tags
imminent spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3b5ea011e10d7359c4491366b2bf74ab10f75b4773e000923ad2d734a05b5633

Threat Level: Known bad

The file 3b5ea011e10d7359c4491366b2bf74ab10f75b4773e000923ad2d734a05b5633 was found to be: Known bad.

Malicious Activity Summary

imminent spyware trojan

Imminent RAT

Drops desktop.ini file(s)

Drops file in Windows directory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-07-03 16:40

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-03 16:40

Reported

2022-07-03 16:52

Platform

win10v2004-20220414-en

Max time kernel

130s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b5ea011e10d7359c4491366b2bf74ab10f75b4773e000923ad2d734a05b5633.exe"

Signatures

Imminent RAT

trojan spyware imminent

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\3b5ea011e10d7359c4491366b2bf74ab10f75b4773e000923ad2d734a05b5633.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\3b5ea011e10d7359c4491366b2bf74ab10f75b4773e000923ad2d734a05b5633.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\3b5ea011e10d7359c4491366b2bf74ab10f75b4773e000923ad2d734a05b5633.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\3b5ea011e10d7359c4491366b2bf74ab10f75b4773e000923ad2d734a05b5633.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\3b5ea011e10d7359c4491366b2bf74ab10f75b4773e000923ad2d734a05b5633.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3b5ea011e10d7359c4491366b2bf74ab10f75b4773e000923ad2d734a05b5633.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3b5ea011e10d7359c4491366b2bf74ab10f75b4773e000923ad2d734a05b5633.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3b5ea011e10d7359c4491366b2bf74ab10f75b4773e000923ad2d734a05b5633.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3b5ea011e10d7359c4491366b2bf74ab10f75b4773e000923ad2d734a05b5633.exe

"C:\Users\Admin\AppData\Local\Temp\3b5ea011e10d7359c4491366b2bf74ab10f75b4773e000923ad2d734a05b5633.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | thekewlhost123.duckdns.org | udp
N/A | 10.64.32.237:54984 | thekewlhost123.duckdns.org | tcp
US | 93.184.221.240:80 | | tcp
US | 20.42.72.131:443 | | tcp
US | 93.184.221.240:80 | | tcp
US | 93.184.221.240:80 | | tcp
US | 93.184.221.240:80 | | tcp
N/A | 10.64.32.237:54984 | thekewlhost123.duckdns.org | tcp
US | 8.8.8.8:53 | 14.110.152.52.in-addr.arpa | udp
US | 8.8.8.8:53 | thekewlhost123.duckdns.org | udp
N/A | 10.64.32.237:54984 | thekewlhost123.duckdns.org | tcp
N/A | 10.64.32.237:54984 | thekewlhost123.duckdns.org | tcp
N/A | 10.64.32.237:54984 | thekewlhost123.duckdns.org | tcp
US | 8.8.8.8:53 | thekewlhost123.duckdns.org | udp
N/A | 10.64.32.237:54984 | thekewlhost123.duckdns.org | tcp

Files

memory/2612-130-0x00000000750E0000-0x0000000075691000-memory.dmp

memory/2612-131-0x00000000750E0000-0x0000000075691000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-03 16:40

Reported

2022-07-03 16:52

Platform

win7-20220414-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b5ea011e10d7359c4491366b2bf74ab10f75b4773e000923ad2d734a05b5633.exe"

Signatures

Imminent RAT

trojan spyware imminent

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3b5ea011e10d7359c4491366b2bf74ab10f75b4773e000923ad2d734a05b5633.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3b5ea011e10d7359c4491366b2bf74ab10f75b4773e000923ad2d734a05b5633.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3b5ea011e10d7359c4491366b2bf74ab10f75b4773e000923ad2d734a05b5633.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3b5ea011e10d7359c4491366b2bf74ab10f75b4773e000923ad2d734a05b5633.exe

"C:\Users\Admin\AppData\Local\Temp\3b5ea011e10d7359c4491366b2bf74ab10f75b4773e000923ad2d734a05b5633.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | thekewlhost123.duckdns.org | udp
N/A | 10.64.32.237:54984 | thekewlhost123.duckdns.org | tcp
N/A | 10.64.32.237:54984 | thekewlhost123.duckdns.org | tcp
N/A | 10.64.32.237:54984 | thekewlhost123.duckdns.org | tcp
US | 8.8.8.8:53 | thekewlhost123.duckdns.org | udp
N/A | 10.64.32.237:54984 | thekewlhost123.duckdns.org | tcp
N/A | 10.64.32.237:54984 | thekewlhost123.duckdns.org | tcp
N/A | 10.64.32.237:54984 | thekewlhost123.duckdns.org | tcp
US | 8.8.8.8:53 | thekewlhost123.duckdns.org | udp
N/A | 10.64.32.237:54984 | thekewlhost123.duckdns.org | tcp

Files

memory/960-54-0x0000000076571000-0x0000000076573000-memory.dmp

memory/960-55-0x0000000074940000-0x0000000074EEB000-memory.dmp

memory/960-56-0x0000000074940000-0x0000000074EEB000-memory.dmp