Sample: Immybot.Agent.Ephemeral.exe.zip

Full analysis: https://app.any.run/tasks/703db276-746f-4396-a37c-9a81f93464e9
Verdict: Malicious activity
Analysis date: June 25, 2022, 08:13:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 496A3D5E0848E35BE5067444453E8CBB
SHA1: F75A47C364C0E63CA85D8888CDE9722742D824A1
SHA256: 5CB85B227C46383CC5D0B2C02EBAA23BF330B332CB4A0C93E73F8510FC31AC44
SSDEEP: 196608:EuHNGTmfp6hWdyd1nzcHOyZeb2lh6vFHSMV5y8sJOJmhtxa3JL3dCMCqIRZxKGq9:JQTmR6hWUZzcuyZhlqSWR3JTdCMgZuGa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 2824)
      • Immybot.Agent.Ephemeral.exe (PID: 2564)
    • Application was dropped or rewritten from another process

      • Immybot.Agent.Ephemeral.exe (PID: 2564)
    • Loads dropped or rewritten executable

      • Immybot.Agent.Ephemeral.exe (PID: 2564)
  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 2824)
      • Immybot.Agent.Ephemeral.exe (PID: 2564)
    • Checks supported languages

      • WinRAR.exe (PID: 2824)
      • Immybot.Agent.Ephemeral.exe (PID: 2564)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2824)
      • Immybot.Agent.Ephemeral.exe (PID: 2564)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 2824)
      • Immybot.Agent.Ephemeral.exe (PID: 2564)
    • Creates files in the program directory

      • Immybot.Agent.Ephemeral.exe (PID: 2564)
  • INFO

    No info indicators.
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: Immybot.Agent.Ephemeral.exe
ZipUncompressedSize: 32606936
ZipCompressedSize: 13569995
ZipCRC: 0x5ec84cc3
ZipModifyDate: 2022:06:13 11:05:02
ZipCompression: Deflated
ZipBitFlag: 0x0002
ZipRequiredVersion: 20
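The hash triad and the EXIF/ZIP block above are what a triage script should be able to reproduce independently for any container it is handed. The following is an added example, not ANY.RUN's code: it hashes the archive, walks the ZIP central directory with struct rather than trusting a library's view of it, decodes the packed DOS date into the report's `YYYY:MM:DD HH:MM:SS` form, and then checks that the CRC the central directory claims matches the member's real content (a mismatch means a tampered or truncated archive). The archive it parses is constructed inline (a dummy member with the report's file name and modification time), so the values it prints are not the sample's.

```python
"""Reproduce the hash and ZIP-metadata fields of a sandbox report for a container file."""
import hashlib
import io
import struct
import zipfile
import zlib

# Central directory file header (APPNOTE 4.3.12, 46 bytes) and end-of-central-directory record (4.3.16, 22 bytes).
CDH_SIG = 0x02014B50
CDH_FMT = "<IHHHHHHIIIHHHHHII"
EOCD_SIG = 0x06054B50
EOCD_FMT = "<IHHHHIIH"
COMPRESSION = {0: "Stored", 8: "Deflated", 12: "BZIP2", 14: "LZMA", 93: "Zstandard"}


def container_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of the archive itself, upper-case as the report prints them."""
    return {name: hashlib.new(name, data).hexdigest().upper() for name in ("md5", "sha1", "sha256")}


def dos_datetime(mdate: int, mtime: int) -> str:
    """Decode the MS-DOS packed date/time words into the EXIF-style 'YYYY:MM:DD HH:MM:SS' string."""
    year, month, day = ((mdate >> 9) & 0x7F) + 1980, (mdate >> 5) & 0x0F, mdate & 0x1F
    hour, minute, second = mtime >> 11, (mtime >> 5) & 0x3F, (mtime & 0x1F) * 2
    return f"{year:04d}:{month:02d}:{day:02d} {hour:02d}:{minute:02d}:{second:02d}"


def central_directory(data: bytes) -> list:
    """Walk the central directory by hand; one dict per entry, keyed like the report's EXIF block."""
    eocd_at = data.rfind(b"PK\x05\x06")
    if eocd_at < 0:
        raise ValueError("no end-of-central-directory record")
    sig, _disk, _cd_disk, _n_disk, n_total, cd_size, cd_off, _clen = struct.unpack_from(EOCD_FMT, data, eocd_at)
    if sig != EOCD_SIG:
        raise ValueError("bad EOCD signature")
    entries, pos = [], cd_off
    for _ in range(n_total):
        fields = struct.unpack_from(CDH_FMT, data, pos)
        if fields[0] != CDH_SIG:
            raise ValueError(f"bad central directory signature at {pos:#x}")
        (_, _made_by, need, flags, method, mtime, mdate, crc, csize, usize,
         nlen, xlen, clen, _, _, _, local_off) = fields
        # Bit 11 of the general purpose flag marks a UTF-8 name; otherwise names are CP437.
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8" if flags & 0x0800 else "cp437")
        entries.append({
            "ZipFileName": name,
            "ZipUncompressedSize": usize,
            "ZipCompressedSize": csize,
            "ZipCRC": f"0x{crc:08x}",
            "ZipModifyDate": dos_datetime(mdate, mtime),
            "ZipCompression": COMPRESSION.get(method, f"method {method}"),
            "ZipBitFlag": f"0x{flags:04x}",
            "ZipRequiredVersion": need,
            "_local_header_offset": local_off,
        })
        pos += 46 + nlen + xlen + clen
    if pos != cd_off + cd_size:
        raise ValueError("central directory size does not match its entries")
    return entries


def crc_matches(data: bytes, entry: dict) -> bool:
    """Inflate the member and confirm its real CRC-32 equals the one the central directory records."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        payload = zf.read(entry["ZipFileName"])
    return f"0x{zlib.crc32(payload) & 0xFFFFFFFF:08x}" == entry["ZipCRC"]


def build_sample() -> bytes:
    """Constructed stand-in for the real archive: a zip holding a dummy 'Immybot.Agent.Ephemeral.exe'."""
    zi = zipfile.ZipInfo("Immybot.Agent.Ephemeral.exe", date_time=(2022, 6, 13, 11, 5, 2))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zi, b"MZ" + b"\x00" * 4094, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    for algo, digest in container_hashes(sample).items():
        print(f"{algo.upper()}: {digest}")
    for entry in central_directory(sample):
        for key, value in entry.items():
            if not key.startswith("_"):
                print(f"{key}: {value}")
        print("CRC matches extracted data:", crc_matches(sample, entry))
```

Point it at a real archive with `central_directory(open(path, "rb").read())`; the `ZipBitFlag` of 0x0002 in the report is the deflate "maximum compression" option bit set by the tool that built the archive, which a Python-built zip will not reproduce.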
No data.
All screenshots are available in the full report
Total processes: 35
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

WinRAR.exe (start) --[drop and start]--> Immybot.Agent.Ephemeral.exe

Process information

PID 2564
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2824.1661\Immybot.Agent.Ephemeral.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2824.1661\Immybot.Agent.Ephemeral.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1
Modules (Images):
c:\windows\system32\ntdll.dll
c:\users\admin\appdata\local\temp\rar$exa2824.1661\immybot.agent.ephemeral.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll

PID 2824
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Immybot.Agent.Ephemeral.exe.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (Images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events: 1 019
Read events: 1 001
Write events: 18
Delete events: 0

Modification events

(PID 2824) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value: (empty)
(PID 2824) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value: (empty)
(PID 2824) WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
(PID 2824) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID 2824) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID 2824) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\Immybot.Agent.Ephemeral.exe.zip
(PID 2824) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(PID 2824) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(PID 2824) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
(PID 2824) WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
Executable files: 175
Suspicious files: 1
Text files: 2
Unknown types: 0

Dropped files

PID 2564 | Immybot.Agent.Ephemeral.exe | C:\Users\admin\AppData\Local\Temp\.net\Immybot.Agent.Ephemeral\a04\Immybot.Agent.Ephemeral.runtimeconfig.json | binary
MD5: 745F16D3B6ECCC56E19A6920A227C272
SHA256: D99E2E29915D65C53EB9E31575BD8B63F42DE0BED7779B9EF928D0EE105156E3

PID 2824 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2824.1661\Immybot.Agent.Ephemeral.exe | executable
MD5: 263236CC89A9A56597BCEF88736AD7FE
SHA256: 5AD4AAD2E61B3BF266C56287CF5674A931A5625E20BFF16AEB3785BFAEF17262

PID 2564 | Immybot.Agent.Ephemeral.exe | C:\Users\admin\AppData\Local\Temp\.net\Immybot.Agent.Ephemeral\a04\ja\Microsoft.VisualStudio.Threading.resources.dll | executable
MD5: 0101A718D055DF45830452B30531C63A
SHA256: 217987411428D111377040B7EBA976F2C882D74ECED88EBDB463CEDC9EC775FC

PID 2564 | Immybot.Agent.Ephemeral.exe | C:\Users\admin\AppData\Local\Temp\.net\Immybot.Agent.Ephemeral\a04\de\Microsoft.VisualStudio.Threading.resources.dll | executable
MD5: 392249BE292366EBE120F190EAA4014F
SHA256: 281361EDBF590847D301172D06039AE4510153654F1FFBED7A03FBEAE57ECE24

PID 2564 | Immybot.Agent.Ephemeral.exe | C:\Users\admin\AppData\Local\Temp\.net\Immybot.Agent.Ephemeral\a04\mscordaccore.dll | executable
MD5: 4D15DE029D625060C4C9923B892A0015
SHA256: A09CBB6FBDEDAA63E7BDD4BB690F280652F426FB239EB1BB950D776CE6DB4DD2

PID 2564 | Immybot.Agent.Ephemeral.exe | C:\Users\admin\AppData\Local\Temp\.net\Immybot.Agent.Ephemeral\a04\es\Microsoft.VisualStudio.Threading.resources.dll | executable
MD5: 0859F86B78FF3531E97881827EEBB349
SHA256: 84DE60ADCD41523264295E24C1EB96CC8AED87E50A362E9B9260281577E954C2

PID 2564 | Immybot.Agent.Ephemeral.exe | C:\Users\admin\AppData\Local\Temp\.net\Immybot.Agent.Ephemeral\a04\pl\Microsoft.VisualStudio.Threading.resources.dll | executable
MD5: 96BCD44F4A5455D87BE767D66EB2D3E4
SHA256: 7998A02CBDA0234C4466D1383AE737E495FA7F69AE8265851FED6B40824E51A9

PID 2564 | Immybot.Agent.Ephemeral.exe | C:\Users\admin\AppData\Local\Temp\.net\Immybot.Agent.Ephemeral\a04\fr\Microsoft.VisualStudio.Threading.resources.dll | executable
MD5: B4CE0CC93321A72F367EEB45756587F0
SHA256: 472C44D738E2F98AB76564E0EE612B56D0B2950B3FFD951881AE86C75B1D23F9

PID 2564 | Immybot.Agent.Ephemeral.exe | C:\Users\admin\AppData\Local\Temp\.net\Immybot.Agent.Ephemeral\a04\it\Microsoft.VisualStudio.Threading.resources.dll | executable
MD5: 1A9BFEB1970F426924C758B7E8175D71
SHA256: 83AA03752AFCF0305C37CF512DB7003087708E87D8367369524ABE5559F11B98

PID 2564 | Immybot.Agent.Ephemeral.exe | C:\Users\admin\AppData\Local\Temp\.net\Immybot.Agent.Ephemeral\a04\zh-Hant\Microsoft.VisualStudio.Threading.resources.dll | executable
MD5: 00053DAFA005DBE1901352E8E45F2B58
SHA256: 630F8366CAA390B0A07041164CF1F0A1390CF0CA3BED06997E1FCEAF148FFC5F
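The process tree and the dropped-file list above carry two patterns worth turning into rules. First, PID 2564 runs out of `Temp\Rar$EXa2824.1661\`, the scratch directory WinRAR uses when a file is opened from inside an archive view, with WinRAR.exe as its parent. Second, everything PID 2564 writes lands under `Temp\.net\Immybot.Agent.Ephemeral\a04\` and includes a `*.runtimeconfig.json`, `mscordaccore.dll` and satellite resource assemblies, which is the self-extraction layout of a .NET single-file bundle: the "drops executable file" hits are the bundle unpacking its own runtime pieces, not a downloaded second stage (the report records no network activity). The following is an added example, not ANY.RUN's code: the two rules plus a baseline "PE written to user Temp" rule run over Sysmon-style process-create and file-create records rebuilt from the tables above. The record layout, rule names and the `Explorer.EXE` parent string (the report gives the parent by name only) are this example's assumptions.

```python
"""Rule pass over the report's process and file-create events, rebuilt as Sysmon-style records."""
import re
from collections import Counter, defaultdict

# Constructed from the 'Process information' and 'Dropped files' tables of the report.
WINRAR = r"C:\Program Files\WinRAR\WinRAR.exe"
EXPLORER = "Explorer.EXE"  # the report records this parent by image name only
RAR_SCRATCH_DIR = r"C:\Users\admin\AppData\Local\Temp\Rar$EXa2824.1661"
IMMY = RAR_SCRATCH_DIR + r"\Immybot.Agent.Ephemeral.exe"
NET_DIR = r"C:\Users\admin\AppData\Local\Temp\.net\Immybot.Agent.Ephemeral\a04"

# Process creation: (pid, image, parent image). File creation: (pid, image, target file).
PROCESS_CREATE = [(2824, WINRAR, EXPLORER), (2564, IMMY, WINRAR)]
FILE_CREATE = [
    (2824, WINRAR, IMMY),
    (2564, IMMY, NET_DIR + r"\Immybot.Agent.Ephemeral.runtimeconfig.json"),
    (2564, IMMY, NET_DIR + r"\mscordaccore.dll"),
] + [
    (2564, IMMY, NET_DIR + "\\" + lang + r"\Microsoft.VisualStudio.Threading.resources.dll")
    for lang in ("ja", "de", "es", "pl", "fr", "it", "zh-Hant")
]

# WinRAR's scratch directory for "open file inside archive": ...\Temp\Rar$EX<x><pid>.<n>\
RAR_SCRATCH = re.compile(r"\\Temp\\Rar\$EX\w*\.\d+\\", re.IGNORECASE)
# Root a .NET single-file bundle self-extracts into: ...\Temp\.net\<AppName>\<bundle id>\
NET_BUNDLE = re.compile(r"^(.*\\Temp\\\.net\\[^\\]+\\[^\\]+)\\", re.IGNORECASE)
PE_EXT = (".exe", ".dll", ".sys", ".scr")


def run_rules(process_events, file_events):
    """Return (rule, pid, detail) findings in event order, with bundle findings appended last."""
    findings = []
    for pid, image, parent in process_events:
        # An executable started straight from WinRAR's scratch directory: run from the archive view.
        if RAR_SCRATCH.search(image) and parent.lower().endswith("winrar.exe"):
            findings.append(("exec_from_archive_scratch_dir", pid, image))

    bundles = defaultdict(lambda: {"files": 0, "dll": 0, "runtimeconfig": False})
    for pid, image, target in file_events:
        low = target.lower()
        if low.endswith(PE_EXT) and "\\appdata\\local\\temp\\" in low:
            findings.append(("pe_written_to_user_temp", pid, target))
        m = NET_BUNDLE.match(target)
        if m:
            b = bundles[(pid, m.group(1))]
            b["files"] += 1
            if low.endswith(".dll"):
                b["dll"] += 1
            if low.endswith(".runtimeconfig.json"):
                b["runtimeconfig"] = True

    # A runtimeconfig.json plus DLLs under Temp\.net\<app>\<id>\ is a .NET single-file bundle
    # unpacking itself; the PE drops inside that root are explained by the bundle, not a download.
    for (pid, root), b in bundles.items():
        if b["runtimeconfig"] and b["dll"]:
            findings.append(("dotnet_singlefile_self_extract", pid,
                             f"{root} ({b['files']} files, {b['dll']} DLLs)"))
    return findings


def by_rule(findings):
    """Hits per rule, for a one-line summary."""
    return Counter(rule for rule, _, _ in findings)


if __name__ == "__main__":
    hits = run_rules(PROCESS_CREATE, FILE_CREATE)
    for rule, pid, detail in hits:
        print(f"[{rule}] pid {pid}: {detail}")
    print(dict(by_rule(hits)))
```

The baseline rule alone fires nine times on this run and says nothing about intent; the bundle rule explains eight of those nine drops as self-extraction, and the scratch-directory rule is the one that captures the actual user action (launching an executable from inside the zip). Feed real Sysmon Event ID 1 and 11 records through the same tuples to use it outside this example.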
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info