Sample: Immybot.Agent.Ephemeral.exe.zip

Full analysis: https://app.any.run/tasks/703db276-746f-4396-a37c-9a81f93464e9
Verdict: Malicious activity
Analysis date: June 25, 2022, 08:13:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 496A3D5E0848E35BE5067444453E8CBB
SHA1: F75A47C364C0E63CA85D8888CDE9722742D824A1
SHA256: 5CB85B227C46383CC5D0B2C02EBAA23BF330B332CB4A0C93E73F8510FC31AC44
SSDEEP: 196608:EuHNGTmfp6hWdyd1nzcHOyZeb2lh6vFHSMV5y8sJOJmhtxa3JL3dCMCqIRZxKGq9:JQTmR6hWUZzcuyZhlqSWR3JTdCMgZuGa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops executable file immediately after starts
      • WinRAR.exe (PID: 2824)
      • Immybot.Agent.Ephemeral.exe (PID: 2564)
    • Application was dropped or rewritten from another process
      • Immybot.Agent.Ephemeral.exe (PID: 2564)
    • Loads dropped or rewritten executable
      • Immybot.Agent.Ephemeral.exe (PID: 2564)
  • SUSPICIOUS
    • Reads the computer name
      • WinRAR.exe (PID: 2824)
      • Immybot.Agent.Ephemeral.exe (PID: 2564)
    • Drops a file with a compile date too recent
      • WinRAR.exe (PID: 2824)
      • Immybot.Agent.Ephemeral.exe (PID: 2564)
    • Checks supported languages
      • WinRAR.exe (PID: 2824)
      • Immybot.Agent.Ephemeral.exe (PID: 2564)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2824)
      • Immybot.Agent.Ephemeral.exe (PID: 2564)
    • Creates files in the program directory
      • Immybot.Agent.Ephemeral.exe (PID: 2564)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: Immybot.Agent.Ephemeral.exe
ZipUncompressedSize: 32606936
ZipCompressedSize: 13569995
ZipCRC: 0x5ec84cc3
ZipModifyDate: 2022:06:13 11:05:02
ZipCompression: Deflated
ZipBitFlag: 0x0002
ZipRequiredVersion: 20
No data.
Total processes: 35
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

winrar.exe (start) -> immybot.agent.ephemeral.exe (drop and start)

Process information

PID: 2564
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2824.1661\Immybot.Agent.Ephemeral.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2824.1661\Immybot.Agent.Ephemeral.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Modules (images):
c:\windows\system32\ntdll.dll
c:\users\admin\appdata\local\temp\rar$exa2824.1661\immybot.agent.ephemeral.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll

PID: 2824
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Immybot.Agent.Ephemeral.exe.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events: 1 019
Read events: 1 001
Write events: 18
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
2824 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP |
2824 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon |
2824 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E | write | LanguageList | en-US
2824 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
2824 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
2824 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\Immybot.Agent.Ephemeral.exe.zip
2824 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
2824 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
2824 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
2824 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100
Executable files: 175
Suspicious files: 1
Text files: 2
Unknown types: 0

Dropped files

PID 2824, WinRAR.exe, executable:
C:\Users\admin\AppData\Local\Temp\Rar$EXa2824.1661\Immybot.Agent.Ephemeral.exe
MD5:263236CC89A9A56597BCEF88736AD7FE
SHA256:5AD4AAD2E61B3BF266C56287CF5674A931A5625E20BFF16AEB3785BFAEF17262
PID 2564, Immybot.Agent.Ephemeral.exe, executable:
C:\Users\admin\AppData\Local\Temp\.net\Immybot.Agent.Ephemeral\a04\fr\Microsoft.VisualStudio.Threading.resources.dll
MD5:B4CE0CC93321A72F367EEB45756587F0
SHA256:472C44D738E2F98AB76564E0EE612B56D0B2950B3FFD951881AE86C75B1D23F9
PID 2564, Immybot.Agent.Ephemeral.exe, executable:
C:\Users\admin\AppData\Local\Temp\.net\Immybot.Agent.Ephemeral\a04\clrcompression.dll
MD5:DDF6604FDAA27C01F9CFD2D907D211D1
SHA256:1C1BD1E20C61C06CD782519F40B6199C24CEA0FCAD5828B4BD16DAAA273843F2
PID 2564, Immybot.Agent.Ephemeral.exe, executable:
C:\Users\admin\AppData\Local\Temp\.net\Immybot.Agent.Ephemeral\a04\clrjit.dll
MD5:DBB80749FAB608513827F72D80B67A04
SHA256:C217F044903A5AEB08BB83BE0A4642C4425F981D7052627383814956EF1AFF4B
PID 2564, Immybot.Agent.Ephemeral.exe, executable:
C:\Users\admin\AppData\Local\Temp\.net\Immybot.Agent.Ephemeral\a04\coreclr.dll
MD5:DCCB3D27157909F4067E68FBFA29D53B
SHA256:53F214848A3D1E2A6014DA042AE9ACDC9B0429163E1ED9C8E7C699119D585BD5
PID 2564, Immybot.Agent.Ephemeral.exe, executable:
C:\Users\admin\AppData\Local\Temp\.net\Immybot.Agent.Ephemeral\a04\cs\Microsoft.VisualStudio.Threading.resources.dll
MD5:1219985D40A86F3A5F0A9A0A7DA86CD9
SHA256:82518AE8D1649A964A17452B718FDF4F88A1CAF4BA9388F168785CE476357B3C
PID 2564, Immybot.Agent.Ephemeral.exe, executable:
C:\Users\admin\AppData\Local\Temp\.net\Immybot.Agent.Ephemeral\a04\mscordaccore.dll
MD5:4D15DE029D625060C4C9923B892A0015
SHA256:A09CBB6FBDEDAA63E7BDD4BB690F280652F426FB239EB1BB950D776CE6DB4DD2
PID 2564, Immybot.Agent.Ephemeral.exe, executable:
C:\Users\admin\AppData\Local\Temp\.net\Immybot.Agent.Ephemeral\a04\pt-BR\Microsoft.VisualStudio.Threading.resources.dll
MD5:36865AF0A2F0AFEC6C7DA0274E5BE2CD
SHA256:AC38F9C769ADF11A152E361D6910A79DF2228DA85E81E3CE7565493CC82C6394
PID 2564, Immybot.Agent.Ephemeral.exe, executable:
C:\Users\admin\AppData\Local\Temp\.net\Immybot.Agent.Ephemeral\a04\zh-Hans\Microsoft.VisualStudio.Threading.resources.dll
MD5:41060934DEEF0948C200C6EC2068F28E
SHA256:CDEFEC92B5D3E6FB5BCECBFBBC6A73914CD4A0EFADE67F6DEE57760474DD3C45
PID 2564, Immybot.Agent.Ephemeral.exe, executable:
C:\Users\admin\AppData\Local\Temp\.net\Immybot.Agent.Ephemeral\a04\de\Microsoft.VisualStudio.Threading.resources.dll
MD5:392249BE292366EBE120F190EAA4014F
SHA256:281361EDBF590847D301172D06039AE4510153654F1FFBED7A03FBEAE57ECE24
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info