General
-
Target
3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
-
Size
616KB
-
Sample
210927-bkb3asfeb6
-
MD5
2f79e1ce8c8dde93cf2664eab439b767
-
SHA1
b294ba2284d45bfdaa842dd133c6c07f73bdc42d
-
SHA256
55a7e512b86fee0bce3567e636c158a51fda03df1a2956cc2f20603e1c68a3d0
-
SHA512
0e9ab1f5c65dc51054b81d2ab0b8fefbefbe9c8f0b06efb1c710421e1e875f60e81d1612a25e42ac4d60a189708efa238e036258a86b24c7d5470bf4a0d75a0f
Malware Config
Extracted
limerat
bc1qe88ygu7xcv94gtk6wdnkhks5dpchwnvasjr4pf
-
aes_key
lime
-
antivm
true
-
c2_url
https://pastebin.com/raw/d2wuKbQW
-
delay
4
-
download_payload
false
-
install
false
-
install_name
Wservices.exe
-
main_folder
Temp
-
pin_spread
true
-
sub_folder
\
-
usb_spread
true
Targets
-
-
Target
3048 - IN2 STYLE - 21.09.2021.doc - PROFORMA INV.PDF.scr
-
Size
616KB
-
MD5
2f79e1ce8c8dde93cf2664eab439b767
-
SHA1
b294ba2284d45bfdaa842dd133c6c07f73bdc42d
-
SHA256
55a7e512b86fee0bce3567e636c158a51fda03df1a2956cc2f20603e1c68a3d0
-
SHA512
0e9ab1f5c65dc51054b81d2ab0b8fefbefbe9c8f0b06efb1c710421e1e875f60e81d1612a25e42ac4d60a189708efa238e036258a86b24c7d5470bf4a0d75a0f
Score10/10-
LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Legitimate hosting services abused for malware hosting/C2
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-