General

  • Target

    3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr

  • Size

    616KB

  • Sample

    210927-bkb3asfeb6

  • MD5

    2f79e1ce8c8dde93cf2664eab439b767

  • SHA1

    b294ba2284d45bfdaa842dd133c6c07f73bdc42d

  • SHA256

    55a7e512b86fee0bce3567e636c158a51fda03df1a2956cc2f20603e1c68a3d0

  • SHA512

    0e9ab1f5c65dc51054b81d2ab0b8fefbefbe9c8f0b06efb1c710421e1e875f60e81d1612a25e42ac4d60a189708efa238e036258a86b24c7d5470bf4a0d75a0f

Score
10/10

Malware Config

Extracted

Family

limerat

Wallets

bc1qe88ygu7xcv94gtk6wdnkhks5dpchwnvasjr4pf

Attributes
  • aes_key

    lime

  • antivm

    true

  • c2_url

    https://pastebin.com/raw/d2wuKbQW

  • delay

    4

  • download_payload

    false

  • install

    false

  • install_name

    Wservices.exe

  • main_folder

    Temp

  • pin_spread

    true

  • sub_folder

    \

  • usb_spread

    true

Targets

    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Legitimate hosting services abused for malware hosting/C2

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks