Imminent Monitor RAT dropped via social engineering.
> https://blog.malwarebytes.org/social-en ... t-scanner/
• dns: 1 ›› ip: 160.153.16.36 - address: FACEBOOKSECURITY.SYSTEMS
• dns: 1 ›› ip: 160.153.16.36 - address: FACEBOOKSECURYTI.COM
• dns: 1 ›› ip: 160.153.16.36 - address: AVAST.SERVICES
RAT: https://www.virustotal.com/en/file/cf41 ... 443215741/
• dns: 1 ›› ip: 5.148.254.247 - address: NNI.NO-IP.BIZ
• dns: 2 ›› ip: 104.28.5.47 - address: IMMINENTMETHODS.INFO
Strings:
public enum ChatPacket : byte
public enum Class_66 : byte
public enum Class_82
public enum CommandPromptPacket : byte
public enum ConnectionSocketPacket : byte
public enum CryptoPacket : byte
public enum ExecutePacket : byte
public enum FastTransferPacket : byte
public enum FilePacket : byte
public enum FileThumbnailGallery : byte
public enum KeyLoggerPacket : byte
public enum MalwareRemovalPacket : byte
public enum MessageBoxPacket : byte
public enum MicrophonePacket : byte
public enum MouseActionPacket : byte
public enum MouseButtonPacket : byte
public enum PacketHeader : byte
public enum PasswordRecoveryPacket : byte
public enum PluginPacket : byte
public enum ProcessPacket : byte
public enum ProxyPacket : byte
public enum RegistryPacket : byte
public enum RemoteDesktopPacket : byte
public enum ScriptPacket : byte
public enum SpecialFolderPacket : byte
public enum StartupPacket : byte
public enum TcpConnectionPacket : byte
public enum ThumbnailPacket : byte
public enum TorrentPacket : byte
public enum TransferHeader : byte
public enum WebcamPacket : byte
public enum WindowPacket : byte
_PROFILER
_ENABLE_PROFILING
nni.no-ip.biz
Not Connected
Connecting to {0}:{1}...
Disconnected:
Connected.
Client Exception:
Exception:
Operating System: {0}
Anti-Virus: {0}
Computer Name: {0}
Graphics Card: {0}
Battery: {0}
MAC Address: {0}
Unique Identifier: {0}
Client Location: {0}
Screens: {0}
Firewall: {0}
Ram: {0}
Ram Usage: {0}%
Last Reboot: {0}
Client Identifier: {0}
Processor: {0}
Computer Username: {0}
Privileges: {0}
LAN: {0}
Failed to reset encryption key
Disconnected
Connected
Plugin Unloaded: {0}
Failed to disconnect all sockets
Connecting To:
directshow
ed87aa37-d690-45ac-8018-37d5b21ea083
998877665544332211
f089a9b1-c5b0-48fe-ad5e-fdd4fd174945
a82eef0c-96d8-4530-a332-1b6d62ff1dfd
258095f4-97d7-4554-9002-b7bd8c8cb0f9
0c0a1bf1-1548-4212-88b2-e5c66e51dc1c
1b950903-14e3-4138-b5b4-439c285904a0
0dee5e53-ed03-407b-bbca-17536efd0c6d
502b32b8-b6b2-46ef-96f6-72f3cd468db9
a076ba2f-f9bd-4c00-a3e2-21d215d713d3
f61d4b2d-0632-4767-818f-cfa38b759607
image/jpeg
Argument 'channels' value must be >= 1.
Failed to open wav device, error:
Argument 'samplesPerSec' value must be >= 8000.
Argument 'bitsPerSample' value must be >= 8.
Failed to start wav device, error:
Failed to stop wav device, error:
Error adding wave in buffer, error:
WavRecorder
outputDevice
Audio data is not n * BlockSize.
audioData
cbSize:
nBlockAlign:
wBitsPerSample:
nSamplesPerSec:
nAvgBytesPerSec:
wFormatTag:
nChannels:
Unable to change this property while socket is in use.
Value must be greater than 0.
Value must be greater than or equal to 85000.
Failed to process.
BytesRead < 0
BytesRead = 0
Unable to read data from stream.
Packet size exceeds MaxPacketSize.
data.Length: {0} SendIndex: {1} _BufferSize: {2} Offset: {3}
Unable to send data stream.
File downloaded & updated
File downloaded & executed
Chat - You are speaking with
userprofile
SAPI.spvoice
{0}\{1}{2}
Downloading file
\Imminent\Logs\
dd-MM-yyyy
Shell_TrayWnd
shutdown
Shell_traywnd
set CDAudio door closed
set CDAudio door open
Capacity
Failed to load SubKeys
SystemDrive
\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
Listening
Established
STATE_LAST_ACK
SYN_RCVD
TIME_WAIT
Close Wait
FIN_WAIT1
FIN_WAIT2
SYN_SENT
DELETE_TCB
\Imminent\Plugins\
Plugin Loaded:
Downloading miner data
This client is already mining
DownloadData
Miner killed
Unable to start mining
Started mining successfully
-o {0} -u {1} -p {2} -a scrypt -I {3} -T {4}
Miner started:
-o {0} -u {1} -p {2} -a sha256 -I {3} -T {4}
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
\\.\DISPLAY1
\Google\Chrome\User Data\Default\Login Data
password_value
origin_url
username_value
Google Chrome
logins.json
Mozilla Firefox\
Mozilla\Firefox\Profiles
"hostname":".*",
Mozilla Firefox
"encryptedUsername":".*",
"encryptedPassword":".*",
Application: {0}
Hostname: {1}
Username: {2}
Password: {3}
SQLite format 3
ssutil3.dll
mozsqlite3.dll
msvcr100.dll
msvcp100.dll
sqlite3.dll
nspr4.dll
plds4.dll
plc4.dll
mozcrt19.dll
NSS_Init
nssutil3.dll
mozglue.dll
\nss3.dll
NSS_Shutdown
PK11_FreeSlot
PK11_GetInternalKeySlot
PK11_Authenticate
NSSBase64_DecodeBuffer
PK11SDR_Decrypt
Substring
\uTorrent\uTorrent.exe
\BitTorrent\bittorrent.exe
\BitTorrent\BitTorrent.exe
\Vuze\Azureus.exe
\Azureus\torrents\
Seeding file
with BitTorrent
with uTorrent
Failed to seed, torrent client not installed.
/Directory
BitTorrent
uTorrent
SYSTEM RESTORE
a4061daf-400e-4ebd-93e2-3b8d7685c47f
rundll32.exe
Imminent Monitor
ButtonDisconnect
You are being monitored by:
LabelUser
Build Settings:
SmartDNS = {0}
EnableStartup = {0}
HideFile = {0}
Zonechecks = {0}
RegistryPersistence = {0}
DisableTaskManager = {0}
KernalSecurity = {0}
InstallPath = {0}
MeltFile = {0}
Mutex = {0}
ClientID = {0}
Host = {0}
Port = {0}
HiddenMode = {0}
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
{0}\{1}\{2}
\Imminent\Path.dat
client.log
/C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "
:Zone.Identifier
taskmgr.exe
\Imminent\
/C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36
application/x-www-form-urlencoded
U2V0V2luZG93c0hvb2tFeEE=
GetWindowTextA
ClientLoaderForm.resources
BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|
MAP_GETCOUNTRY
CryptUnprotectData
Blackshades NET
VS_VERSION_INFO
LookupAccountNameA
GetExecutingAssembly
WSAStartup
SetThreadContext
cmemoryexecute
ZwUnmapViewOfSection
Spyware.NanoCore
Keylogger.
Spyware.
Injector.
Spyware.DarkComet
Attempting to kill process
Process killed
Attempting to remove file
File removed
File could not be removed, removing key
HKEY_CURRENT_USER
Key removed
HKEY_LOCAL_MACHINE
Key could not be removed
Infection removed!
Infection could not be removed
HKEY_CURRENT_USER\
HKEY_LOCAL_MACHINE\
Laptop (
% Battery)
Desktop (No Battery)
Administrator
minutes
SELECT * FROM Win32_VideoController
Graphics Card Not Found
InstancesOf
Win32_Processor
winmgmts:
winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2
ExecQuery
Select * from AntiVirusProduct
displayname
winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter
Not Available
Couldn't get AV!
SELECT * FROM FirewallProduct
Couldn't get FW!
[{0}] {1}
\Imminent\Geo.dat
http://www.iptrackeronline.com/
sampleKey
<td align="center" class="row1" width="15%">Country<br><input type="text" name="T2" size="20" value=".*"></td>
<td align="center" class="row2" width="15%">Region.*<br><input type="text" name="T8" size="20" value=".*"></td>
<td align="center" class="row1" width="15%">City<br><input type="text" name="T9" size="20" value=".*"></td>
<td align="center" class="row2" width="15%">ISP<br><input type="text" name="T7" size="20" value=".*"></td>
<td align="center" class="row2" width="15%">Latitude<br><input type="text" name="T12" size="20" value=".*"></td>
<td align="center" class="row1" width="15%">Longitude<br><input type="text" name="T13" size="20" value=".*"></td>
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
http://www.iptrackeronline.com/
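Added example, not code from this post or from the RAT: a string-based triage script built from the strings dumped above. It matters how you search: type names such as KeyLoggerPacket sit ASCII-encoded in the .NET #Strings heap, while string literals such as "Imminent Monitor" or the Run key path are stored UTF-16LE in the #US heap, so a plain ASCII grep misses half the indicators. The sample bytes at the bottom are constructed for the demo, not taken from the real file, and the group names and the three-group threshold are the example's own choices.

```python
"""String-based triage of a candidate Imminent Monitor sample (added example).

Indicators are taken from the strings listed in this post. Each is searched
both ASCII-encoded (imports, .NET metadata names) and UTF-16LE-encoded
(.NET string literals in the #US heap).
"""

INDICATORS = {
    "identity": [
        "Imminent Monitor",
        "\\Imminent\\Logs\\",
        "\\Imminent\\Plugins\\",
        "\\Imminent\\Path.dat",
    ],
    "protocol_types": [
        "KeyLoggerPacket",
        "RemoteDesktopPacket",
        "PasswordRecoveryPacket",
    ],
    "c2": ["nni.no-ip.biz"],
    "persistence": [
        "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
        "\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup",
    ],
    "self_delete": [
        '/C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "',
        ":Zone.Identifier",
    ],
    "credential_theft": [
        "\\Google\\Chrome\\User Data\\Default\\Login Data",
        "logins.json",
        "PK11SDR_Decrypt",
        "CryptUnprotectData",
    ],
    "mining": ["-a scrypt -I", "-a sha256 -I"],
    "injection": ["ZwUnmapViewOfSection", "SetThreadContext", "cmemoryexecute"],
}


def encodings(s):
    """Byte forms to search: ASCII and UTF-16LE."""
    return (s.encode("ascii"), s.encode("utf-16-le"))


def match_indicators(data):
    """Return {group: [matched indicator, ...]} for each group with a hit."""
    hits = {}
    for group, needles in INDICATORS.items():
        found = [n for n in needles if any(b in data for b in encodings(n))]
        if found:
            hits[group] = found
    return hits


def verdict(hits, min_groups=3):
    """Call the family only on a family identifier plus hits across several
    capability groups; a lone Run key path or a CryptUnprotectData import is
    common in benign .NET software."""
    if "identity" in hits and len(hits) >= min_groups:
        return "imminent_monitor"
    return "suspicious" if hits else "clean"


def u16(s):
    """Encode a literal the way the .NET #US heap stores it (UTF-16LE)."""
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed sample: UTF-16LE literals and ASCII names separated by filler.
SAMPLE = (
    b"MZ" + b"\x90" * 32
    + u16("Imminent Monitor")
    + u16("nni.no-ip.biz")
    + u16("Software\\Microsoft\\Windows\\CurrentVersion\\Run")
    + u16('/C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "')
    + b"KeyLoggerPacket\x00RemoteDesktopPacket\x00"
    + b"ZwUnmapViewOfSection\x00SetThreadContext\x00"
    + b"\x90" * 32
)

# Constructed benign-looking sample: one persistence path and nothing else.
BENIGN = b"MZ" + b"\x90" * 32 + u16("Software\\Microsoft\\Windows\\CurrentVersion\\Run")

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE), ("benign", BENIGN)):
        hits = match_indicators(blob)
        print(name, verdict(hits), hits)
```

Run it against a real file with `match_indicators(open(path, "rb").read())`; the per-group output tells you which capabilities are compiled in (the plugin strings suggest some are loaded at runtime and will not be in the dropper at all).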
Attachment: infected (1.89 MiB)
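Added example, not code from this post: host-side detection over process-creation events for the behaviour the strings imply. It covers the cmd.exe ping-then-delete one-liner used to melt the dropper (both the "-w 1000" and "-w 100" variants are in the dump), the "-o ... -u ... -p ... -a scrypt|sha256 -I ... -T ..." miner command line, and vbc.exe from the .NET 2.0 framework directory being started by something other than a build tool. That last rule is an inference from the vbc.exe path sitting next to ZwUnmapViewOfSection and SetThreadContext, not something the post states. The log lines are constructed in a simple "parent|image|commandline" form and the process names in them are made up.

```python
"""Process-creation rules for Imminent Monitor host behaviour (added example)."""
import re

RULES = {
    # cmd /C ping 1.1.1.1 -n 1 -w <ms> > Nul & Del "<path>"  (melt-file routine)
    "self_delete_via_ping": re.compile(
        r'cmd(?:\.exe)?\s+/C\s+ping 1\.1\.1\.1 -n 1 -w \d+\s*>\s*Nul\s*&\s*Del\s+"',
        re.IGNORECASE,
    ),
    # miner launch line from the strings: -o {0} -u {1} -p {2} -a scrypt|sha256 -I {3} -T {4}
    "miner_launch": re.compile(
        r"-o \S+ -u \S+ -p \S+ -a (?:scrypt|sha256) -I \d+ -T \d+",
        re.IGNORECASE,
    ),
}

VBC = r"c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe"
# Parents that legitimately launch the VB.NET compiler (assumed allow-list).
BUILD_PARENTS = {"msbuild.exe", "devenv.exe", "csc.exe", "vbc.exe", "aspnet_compiler.exe"}


def parse(line):
    """Split a constructed 'parent|image|commandline' event."""
    parent, image, cmdline = line.split("|", 2)
    return parent.strip(), image.strip(), cmdline.strip()


def detect(lines):
    """Return [(line_index, rule_name), ...] in log order."""
    alerts = []
    for i, line in enumerate(lines):
        parent, image, cmdline = parse(line)
        for name, rx in RULES.items():
            if rx.search(cmdline):
                alerts.append((i, name))
        # vbc.exe with a non-build parent: candidate hollowing target.
        if image.lower() == VBC and parent.lower() not in BUILD_PARENTS:
            alerts.append((i, "vbc_unexpected_parent"))
    return alerts


# Constructed events (parent|image|commandline); names are invented.
LOG = [
    r'explorer.exe|C:\Users\bob\Downloads\scanner.exe|"C:\Users\bob\Downloads\scanner.exe"',
    r'scanner.exe|C:\Windows\System32\cmd.exe|cmd.exe /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\bob\Downloads\scanner.exe"',
    r'scanner.exe|C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe|"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"',
    r'vbc.exe|C:\Users\bob\AppData\Roaming\miner.exe|miner.exe -o stratum+tcp://pool.example:3333 -u worker1 -p x -a scrypt -I 13 -T 2',
    r'msbuild.exe|C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe|vbc.exe /noconfig /out:app.dll app.vb',
    r'explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /C ping 8.8.8.8 -n 4',
]

if __name__ == "__main__":
    for idx, rule in detect(LOG):
        print(f"[{rule}] {LOG[idx]}")
```

The ping-and-delete rule keys on the literal 1.1.1.1 target and the trailing `Del "` because that exact shape is what the binary carries; a generic "ping then del" rule will be noisier. Expect the vbc.exe rule to need tuning on developer workstations, which is why the parent allow-list is a set you can extend.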