General

  • Target

    DECL G50 EURL.xlsx

  • Size

    1.2MB

  • Sample

    210701-lbnp9djy16

  • MD5

    b97310e2ecc75a1ac5b7cf34503d1509

  • SHA1

    b34bd40fd5717e01cf5ba7cbe2bf8d5d8331783a

  • SHA256

    673d9ec17f2437917846f5ce799f30399d0739c9dd3e28d3d44b80b5f91de54f

  • SHA512

    e287c79a0cd275e232b3180fdf6b6c51b0c62285f5346d4ddd57e6c4e556cd1d033cef66d2939c3e7a7abd2867621fea5ba2cd52eae99db9a13acf3fa5fb22e9

Malware Config

Extracted

Family

limerat

Wallets

1LLUV51XQKqq94X965Cc6uGPXeZEGSqCdV

Attributes
  • aes_key

    NYANCAT

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/4pByu6u5

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Wservices.exe

  • main_folder

    AppData

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    true

Targets

    • Target

      DECL G50 EURL.xlsx

    • Size

      1.2MB

    • MD5

      b97310e2ecc75a1ac5b7cf34503d1509

    • SHA1

      b34bd40fd5717e01cf5ba7cbe2bf8d5d8331783a

    • SHA256

      673d9ec17f2437917846f5ce799f30399d0739c9dd3e28d3d44b80b5f91de54f

    • SHA512

      e287c79a0cd275e232b3180fdf6b6c51b0c62285f5346d4ddd57e6c4e556cd1d033cef66d2939c3e7a7abd2867621fea5ba2cd52eae99db9a13acf3fa5fb22e9

    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Modifies system executable filetype association

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

1
T1064

Scheduled Task

1
T1053

Exploitation for Client Execution

1
T1203

Persistence

Change Default File Association

1
T1042

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

2
T1112

Scripting

1
T1064

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Tasks