imminent | 448fe83a93d937d4435f81bc208ed2ea46d6e983e13f4f4ec9a69d1c25d3ecd5 | Triage

Submit
Reports

Overview

overview

Static

static

3

e21ce3b569...18.exe

windows7-x64

7

e21ce3b569...18.exe

windows10-2004-x64

Sharing

General

Target

e21ce3b569be0bce5f0524bf09851718_JaffaCakes118
Size

627KB
Sample

240915-kqn4gsvfkf
MD5

e21ce3b569be0bce5f0524bf09851718
SHA1

93fcdd20188e4d2cf5c1cdb048d680dfb46ce91e
SHA256

448fe83a93d937d4435f81bc208ed2ea46d6e983e13f4f4ec9a69d1c25d3ecd5
SHA512

315a46d109b3a91420ce508bedefec3d47cfecb910014852fd2c86d18c2121a35649513980257214e898d135855141dceeb1031bc0189c482e37de2f8a7d858f
SSDEEP

12288:dXghTYSNmQIDFye/FoJYJCZFweKwarO2PjdHc8ES3J:2N1mQID3/FoKJCZXKdCMXES

Score

10^/10

imminent agilenet discovery persistence spyware trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

e21ce3b569be0bce5f0524bf09851718_JaffaCakes118.exe

Resource

win7-20240903-en

agilenet discovery

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

e21ce3b569be0bce5f0524bf09851718_JaffaCakes118.exe

Resource

win10v2004-20240802-en

imminent agilenet discovery persistence spyware trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Targets

- Target
  
  e21ce3b569be0bce5f0524bf09851718_JaffaCakes118
- Size
  
  627KB
- MD5
  
  e21ce3b569be0bce5f0524bf09851718
- SHA1
  
  93fcdd20188e4d2cf5c1cdb048d680dfb46ce91e
- SHA256
  
  448fe83a93d937d4435f81bc208ed2ea46d6e983e13f4f4ec9a69d1c25d3ecd5
- SHA512
  
  315a46d109b3a91420ce508bedefec3d47cfecb910014852fd2c86d18c2121a35649513980257214e898d135855141dceeb1031bc0189c482e37de2f8a7d858f
- SSDEEP
  
  12288:dXghTYSNmQIDFye/FoJYJCZFweKwarO2PjdHc8ES3J:2N1mQID3/FoKJCZXKdCMXES
Score

10^/10

agilenet discovery imminent persistence spyware trojan
- Imminent RAT
  Remote-access trojan based on Imminent Monitor remote admin software.
  trojan spyware imminent
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agilenetdiscovery

behavioral2

imminentagilenetdiscoverypersistencespywaretrojan

© 2018-2024

Terms | Privacy