General

  • Target: 10A30B9776BB8981976FE678E4538E68C8FBBB0A57F34.exe
  • Size: 537KB
  • Sample: 210507-9pm4s6ydze
  • MD5: e04ed1d1bfb04cb9a47a2f8b23613d3f
  • SHA1: 294287a158af747c67c2d12d2359c8968ca5bdfd
  • SHA256: 10a30b9776bb8981976fe678e4538e68c8fbbb0a57f34934978b3df7238be8d5
  • SHA512: 207165316fa0b18d36d2989b6ece2e0c1c8b3775171f2bb97b8ecea0a5c59c37f89f5af4fa2d4b580257a3a763c40708bc92a85464d7789ea6c5cbfa1e08fcc6

Malware Config

Extracted

  • Family: limerat
  • Wallets: 1CUdxaF2Z2M9DewCbmhsJUwqDJCxMo7mcx
  • Attributes
    • aes_key: NYAN
    • antivm: false
    • c2_url: https://pastebin.com/raw/SkZ5tGQH
    • delay: 3
    • download_payload: true
    • install: true
    • install_name: update.exe
    • main_folder: AppData
    • payload_url: http://bankschannelpub.com/wp-content/upgrade/dll.exe
    • pin_spread: false
    • sub_folder: \update\
    • usb_spread: false

Extracted

  • Family: oski
  • C2: trafficbadassery.com/a/

Targets

    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Oski

      Oski is an infostealer targeting browser data and cryptocurrency wallets.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                Technique                      Count  ID
Execution             Scheduled Task                 1      T1053
Persistence           Scheduled Task                 1      T1053
Privilege Escalation  Scheduled Task                 1      T1053
Credential Access     Credentials in Files           2      T1081
Discovery             System Information Discovery   1      T1082
Collection            Data from Local System         2      T1005
Command and Control   Web Service                    1      T1102

Tasks