Overview

overview

10

Static

static

DECL G50 EURL.xlsx

windows7_x64

10

DECL G50 EURL.xlsx

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    DECL G50 EURL.xlsx

  • Size

    1.2MB

  • Sample

    210701-lbnp9djy16

  • MD5

    b97310e2ecc75a1ac5b7cf34503d1509

  • SHA1

    b34bd40fd5717e01cf5ba7cbe2bf8d5d8331783a

  • SHA256

    673d9ec17f2437917846f5ce799f30399d0739c9dd3e28d3d44b80b5f91de54f

  • SHA512

    e287c79a0cd275e232b3180fdf6b6c51b0c62285f5346d4ddd57e6c4e556cd1d033cef66d2939c3e7a7abd2867621fea5ba2cd52eae99db9a13acf3fa5fb22e9

Score
10/10
limeratpersistenceratspywarestealer

Malware Config

Extracted

Family

limerat

Wallets

1LLUV51XQKqq94X965Cc6uGPXeZEGSqCdV

Attributes
  • aes_key

    NYANCAT

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/4pByu6u5

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Wservices.exe

  • main_folder

    AppData

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    true

Targets

    • Target

      DECL G50 EURL.xlsx

    • Size

      1.2MB

    • MD5

      b97310e2ecc75a1ac5b7cf34503d1509

    • SHA1

      b34bd40fd5717e01cf5ba7cbe2bf8d5d8331783a

    • SHA256

      673d9ec17f2437917846f5ce799f30399d0739c9dd3e28d3d44b80b5f91de54f

    • SHA512

      e287c79a0cd275e232b3180fdf6b6c51b0c62285f5346d4ddd57e6c4e556cd1d033cef66d2939c3e7a7abd2867621fea5ba2cd52eae99db9a13acf3fa5fb22e9

    Score
    10/10
    limeratpersistenceratspywarestealer

    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

      ratlimerat

    • Modifies system executable filetype association

      persistence

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Uses the VBS compiler for execution

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks