imminent | a5eb9c7fce3e3b97a05265f49936170b4a4009d611cf0cc16ec802ddadc433ad

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

URGENT QUOTATION.exe
Size

970KB
MD5

d11648713e4787d3f44fc74dbb2528d0
SHA1

ae249089905bedbe36285620503d744b7bd50227
SHA256

53d7bc7f973e349fd37b7770de19baa1505222077d12a7f72dc62119a9f28852
SHA512

b9dd63cb0f7b681c0f72d4fa81e614f79953d356c3a56f6bd41e05a75284bcc7c54763b9c9b1e0ff8f1d607320f06d72f7940f441bb0750e60d7745f0159d85b
SSDEEP

24576:8sOT8w1RpEJrOAerGasN/9GwHDNKBVH1iU76:8R8MjmrUWclB6J

Score

10^/10

imminent agilenet spyware trojan

Malware Config

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/memory/1844-9-0x0000000005F80000-0x0000000005F8A000-memory.dmp	agile_net

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1844 set thread context of 2120	1844	URGENT QUOTATION.exe	89

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2120	URGENT QUOTATION.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1844	URGENT QUOTATION.exe
Token: SeDebugPrivilege	2120	URGENT QUOTATION.exe
Token: 33	2120	URGENT QUOTATION.exe
Token: SeIncBasePriorityPrivilege	2120	URGENT QUOTATION.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2120	URGENT QUOTATION.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 2120	1844	URGENT QUOTATION.exe	89
PID 1844 wrote to memory of 2120	1844	URGENT QUOTATION.exe	89
PID 1844 wrote to memory of 2120	1844	URGENT QUOTATION.exe	89
PID 1844 wrote to memory of 2120	1844	URGENT QUOTATION.exe	89
PID 1844 wrote to memory of 2120	1844	URGENT QUOTATION.exe	89
PID 1844 wrote to memory of 2120	1844	URGENT QUOTATION.exe	89
PID 1844 wrote to memory of 2120	1844	URGENT QUOTATION.exe	89
PID 1844 wrote to memory of 2120	1844	URGENT QUOTATION.exe	89

C:\Users\Admin\AppData\Local\Temp\URGENT QUOTATION.exe
"C:\Users\Admin\AppData\Local\Temp\URGENT QUOTATION.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Users\Admin\AppData\Local\Temp\URGENT QUOTATION.exe
  "C:\Users\Admin\AppData\Local\Temp\URGENT QUOTATION.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2120

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3272

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\URGENT QUOTATION.exe.log

Filesize
706B

MD5
cf2851ba13114db7d56a67a4ce658f26

SHA1
0cfeba1ac67be285397101c1f1cdd6149ae73449

SHA256
ca417698e0eb796662c3f6f8268cf462808ceb9e01dcdb877189d92ad01d9299

SHA512
3dbc6c689b17e19e456badfbbb52352b18778b4e7d310378d0b9f6f9cc95951d7eea3cec547ddb5b2f3dcd38d8c34f6e484ba29d0dd80b10f1248df5756adde1

Download Submit
memory/1844-6-0x00000000059D0000-0x00000000059DE000-memory.dmp

Filesize
56KB

Download
memory/1844-2-0x0000000005960000-0x0000000005990000-memory.dmp

Filesize
192KB

Download
memory/1844-3-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/1844-4-0x0000000074CBE000-0x0000000074CBF000-memory.dmp

Filesize
4KB

Download
memory/1844-5-0x00000000059C0000-0x00000000059C8000-memory.dmp

Filesize
32KB

Download
memory/1844-15-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/1844-7-0x0000000005D10000-0x0000000005DA2000-memory.dmp

Filesize
584KB

Download
memory/1844-8-0x0000000006360000-0x0000000006904000-memory.dmp

Filesize
5.6MB

Download
memory/1844-9-0x0000000005F80000-0x0000000005F8A000-memory.dmp

Filesize
40KB

Download
memory/1844-10-0x0000000006B10000-0x0000000006BAC000-memory.dmp

Filesize
624KB

Download
memory/1844-11-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/1844-0-0x0000000074CBE000-0x0000000074CBF000-memory.dmp

Filesize
4KB

Download
memory/1844-1-0x0000000000F60000-0x0000000001058000-memory.dmp

Filesize
992KB

Download
memory/2120-12-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2120-16-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/2120-17-0x0000000001550000-0x0000000001560000-memory.dmp

Filesize
64KB

Download
memory/2120-18-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/2120-19-0x00000000055D0000-0x000000000567E000-memory.dmp

Filesize
696KB

Download
memory/2120-20-0x0000000008A00000-0x0000000008A28000-memory.dmp

Filesize
160KB

Download
memory/2120-21-0x00000000076C0000-0x0000000007726000-memory.dmp

Filesize
408KB

Download
memory/2120-22-0x0000000007770000-0x0000000007788000-memory.dmp

Filesize
96KB

Download
memory/2120-23-0x0000000007D10000-0x0000000007D26000-memory.dmp

Filesize
88KB

Download
memory/2120-24-0x0000000005860000-0x000000000586A000-memory.dmp

Filesize
40KB

Download
memory/2120-30-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/2120-31-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download