General
-
Target
939fdda6ea1541cbb3f2e4881a34efe84f105a068409cf138f8e55ce00b4656b
-
Size
24.3MB
-
Sample
220509-az15asbhb2
-
MD5
03677801f4bbbc019f18312078c6582f
-
SHA1
2b5d2a2e04a27f9a8c8eb738ffdc8b9cb740fc14
-
SHA256
939fdda6ea1541cbb3f2e4881a34efe84f105a068409cf138f8e55ce00b4656b
-
SHA512
bfbe2346d106d01389aee1b896e1a01df7e202c05790fe08f4b450b276d907eca7757cf874d39e879dbba63acc63b08dd2b89058a932aa4a41a98aff8288bad6
Static task
static1
Behavioral task
behavioral1
Sample
939fdda6ea1541cbb3f2e4881a34efe84f105a068409cf138f8e55ce00b4656b.exe
Resource
win7-20220414-en
Malware Config
Extracted
limerat
1JBKLGyE6AnRGvk92A8x3m8qmXfh3fcEty
-
aes_key
nulled
-
antivm
true
-
c2_url
https://pastebin.com/raw/cXuQ0V20
-
delay
3
-
download_payload
false
-
install
false
-
install_name
Winservices.exe
-
main_folder
AppData
-
pin_spread
false
-
sub_folder
\
-
usb_spread
true
Targets
-
-
Target
939fdda6ea1541cbb3f2e4881a34efe84f105a068409cf138f8e55ce00b4656b
-
Size
24.3MB
-
MD5
03677801f4bbbc019f18312078c6582f
-
SHA1
2b5d2a2e04a27f9a8c8eb738ffdc8b9cb740fc14
-
SHA256
939fdda6ea1541cbb3f2e4881a34efe84f105a068409cf138f8e55ce00b4656b
-
SHA512
bfbe2346d106d01389aee1b896e1a01df7e202c05790fe08f4b450b276d907eca7757cf874d39e879dbba63acc63b08dd2b89058a932aa4a41a98aff8288bad6
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
XMRig Miner Payload
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-