imminent | 4ac320020cc130f74bed1a16e367fa883fb19be2ed742995448ad0edc2e2c952 | Triage

Submit
Reports

Overview

overview

Static

static

1

158c84cc65...18.exe

windows7-x64

158c84cc65...18.exe

windows10-2004-x64

Sharing

General

Target

158c84cc65140c2ee6327ad82e294af3_JaffaCakes118
Size

893KB
Sample

240505-ct33tabh5w
MD5

158c84cc65140c2ee6327ad82e294af3
SHA1

2cdc05e4d6c0f2beca3ecc0ab3b45b66896538b2
SHA256

4ac320020cc130f74bed1a16e367fa883fb19be2ed742995448ad0edc2e2c952
SHA512

845cec3bb37fe9e3b38e7048ef2cd6294c095d244bf71b8b367c1aa4ffa4cf1804c38dea1cd33e263401e0c0e31d8583e3d36b25c974a66fc1a0b4efafb0a243
SSDEEP

12288:agDdArMrjqK1XXRoRk+9FUn+HGRkhumTQXYPcOvXR:agJAIn7xXR1+QkhuG53vXR

Score

10^/10

imminent zgrat agilenet persistence rat spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

158c84cc65140c2ee6327ad82e294af3_JaffaCakes118.exe

Resource

win7-20240220-en

imminent zgrat agilenet persistence rat spyware trojan

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

158c84cc65140c2ee6327ad82e294af3_JaffaCakes118.exe

Resource

win10v2004-20240426-en

imminent zgrat agilenet persistence rat spyware trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Targets

- Target
  
  158c84cc65140c2ee6327ad82e294af3_JaffaCakes118
- Size
  
  893KB
- MD5
  
  158c84cc65140c2ee6327ad82e294af3
- SHA1
  
  2cdc05e4d6c0f2beca3ecc0ab3b45b66896538b2
- SHA256
  
  4ac320020cc130f74bed1a16e367fa883fb19be2ed742995448ad0edc2e2c952
- SHA512
  
  845cec3bb37fe9e3b38e7048ef2cd6294c095d244bf71b8b367c1aa4ffa4cf1804c38dea1cd33e263401e0c0e31d8583e3d36b25c974a66fc1a0b4efafb0a243
- SSDEEP
  
  12288:agDdArMrjqK1XXRoRk+9FUn+HGRkhumTQXYPcOvXR:agJAIn7xXR1+QkhuG53vXR
Score

10^/10

imminent zgrat agilenet persistence rat spyware trojan
- Detect ZGRat V1
- Imminent RAT
  Remote-access trojan based on Imminent Monitor remote admin software.
  trojan spyware imminent
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

imminentzgratagilenetpersistenceratspywaretrojan

behavioral2

imminentzgratagilenetpersistenceratspywaretrojan

© 2018-2024

Terms | Privacy