General
-
Target
b1a6bd454f8e723bd8f1b856b336c844.exe
-
Size
13.4MB
-
Sample
220506-hts6hacafn
-
MD5
b1a6bd454f8e723bd8f1b856b336c844
-
SHA1
e50b78534ab2761b9f654333f81be3a60f736eb9
-
SHA256
d0fd88199448558df5b8c56936e822aea87f9149c23682004edbf36f28bfb78e
-
SHA512
2bff70684886914c8affa398dda0f801dc22d8f7d0a2a4f2578378f387744c6548779fd2065c7ddde3757d4c3786c40b6006aa1a371ea0b0c1a0ef425ecccd80
Static task
static1
Behavioral task
behavioral1
Sample
b1a6bd454f8e723bd8f1b856b336c844.exe
Resource
win7-20220414-en
Malware Config
Extracted
limerat
-
aes_key
1234
-
antivm
true
-
c2_url
https://pastebin.com/raw/nFP8Nq0E
-
delay
3
-
download_payload
false
-
install
true
-
install_name
whitelistcheck.exe
-
main_folder
AppData
-
pin_spread
false
-
sub_folder
\
-
usb_spread
false
Targets
-
-
Target
b1a6bd454f8e723bd8f1b856b336c844.exe
-
Size
13.4MB
-
MD5
b1a6bd454f8e723bd8f1b856b336c844
-
SHA1
e50b78534ab2761b9f654333f81be3a60f736eb9
-
SHA256
d0fd88199448558df5b8c56936e822aea87f9149c23682004edbf36f28bfb78e
-
SHA512
2bff70684886914c8affa398dda0f801dc22d8f7d0a2a4f2578378f387744c6548779fd2065c7ddde3757d4c3786c40b6006aa1a371ea0b0c1a0ef425ecccd80
-
Modifies security service
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
XMRig Miner Payload
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Possible privilege escalation attempt
-
Stops running service(s)
-
Loads dropped DLL
-
Modifies file permissions
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-