imminent | ceb87ebc670d67f91d08ccc0ea6c6a24f974e99890839d5147f7feb597b51489 | Triage

Submit
Reports

Overview

overview

Static

static

3

336e6d4b9e...18.exe

windows7-x64

336e6d4b9e...18.exe

windows10-2004-x64

Sharing

General

Target

336e6d4b9e8b8ac0d191a99d992e40b0_JaffaCakes118
Size

564KB
Sample

240511-h9z9rade3s
MD5

336e6d4b9e8b8ac0d191a99d992e40b0
SHA1

d204e15e169d909171fbae5a8445c8f974d316c9
SHA256

ceb87ebc670d67f91d08ccc0ea6c6a24f974e99890839d5147f7feb597b51489
SHA512

c52e6ce618810df0719fe647b8e70ff275199bb4a0d5628429de40b16d466b6d4538704024f03db8fad91b658c8d351637ca016eba1d8566af736fb3035029dd
SSDEEP

12288:sREMc3GfziFWwrOO4pe+F3Q4/Pa6K6g+RgDNEV1850RixGs4Pi7ot:sqMqyFwrODpe+C36K6g+R6EHe0RixP4f

Score

10^/10

imminent zgrat agilenet persistence rat spyware trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

336e6d4b9e8b8ac0d191a99d992e40b0_JaffaCakes118.exe

Resource

win7-20240221-en

imminent zgrat agilenet persistence rat spyware trojan

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

336e6d4b9e8b8ac0d191a99d992e40b0_JaffaCakes118.exe

Resource

win10v2004-20240508-en

imminent zgrat agilenet persistence rat spyware trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  336e6d4b9e8b8ac0d191a99d992e40b0_JaffaCakes118
- Size
  
  564KB
- MD5
  
  336e6d4b9e8b8ac0d191a99d992e40b0
- SHA1
  
  d204e15e169d909171fbae5a8445c8f974d316c9
- SHA256
  
  ceb87ebc670d67f91d08ccc0ea6c6a24f974e99890839d5147f7feb597b51489
- SHA512
  
  c52e6ce618810df0719fe647b8e70ff275199bb4a0d5628429de40b16d466b6d4538704024f03db8fad91b658c8d351637ca016eba1d8566af736fb3035029dd
- SSDEEP
  
  12288:sREMc3GfziFWwrOO4pe+F3Q4/Pa6K6g+RgDNEV1850RixGs4Pi7ot:sqMqyFwrODpe+C36K6g+R6EHe0RixP4f
Score

10^/10

imminent zgrat agilenet persistence rat spyware trojan
- Detect ZGRat V1
- Imminent RAT
  Remote-access trojan based on Imminent Monitor remote admin software.
  trojan spyware imminent
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

imminentzgratagilenetpersistenceratspywaretrojan

behavioral2

imminentzgratagilenetpersistenceratspywaretrojan

© 2018-2024

Terms | Privacy