General

  • Target

    7b63fa68cc38ec0a6e4dada4de7ebee462afe79453e968ae855001b2629ccec7

  • Size

    24.3MB

  • Sample

    220509-az39nabhb3

  • MD5

    006333f64f5d50611383c83a22a1a8dc

  • SHA1

    4949a5b34fdee0de7cc1e387403fe007faf412c0

  • SHA256

    7b63fa68cc38ec0a6e4dada4de7ebee462afe79453e968ae855001b2629ccec7

  • SHA512

    92acf4b50a8d275ef4f23f425201db5b294db82f20676380ef1e454c642bfd1761d4e91ab6de09193ea874d86f04fd88f4e4004062d1206a2e9d6d6cbca0763b

Malware Config

Extracted

Family

limerat

Wallets

1JBKLGyE6AnRGvk92A8x3m8qmXfh3fcEty

Attributes
  • aes_key

    nulled

  • antivm

    true

  • c2_url

    https://pastebin.com/raw/cXuQ0V20

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Winservices.exe

  • main_folder

    AppData

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    true

Extracted

Family

njrat

Version

0.7d

Botnet

redlanhopto

C2

redlan.hopto.org:5553

Mutex

d25d360449d7bab3069e1b77b3a914a3

Attributes
  • reg_key

    d25d360449d7bab3069e1b77b3a914a3

  • splitter

    |'|'|

Targets

    • Target

      7b63fa68cc38ec0a6e4dada4de7ebee462afe79453e968ae855001b2629ccec7

    • Size

      24.3MB

    • MD5

      006333f64f5d50611383c83a22a1a8dc

    • SHA1

      4949a5b34fdee0de7cc1e387403fe007faf412c0

    • SHA256

      7b63fa68cc38ec0a6e4dada4de7ebee462afe79453e968ae855001b2629ccec7

    • SHA512

      92acf4b50a8d275ef4f23f425201db5b294db82f20676380ef1e454c642bfd1761d4e91ab6de09193ea874d86f04fd88f4e4004062d1206a2e9d6d6cbca0763b

    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

      suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner Payload

    • Executes dropped EXE

    • Modifies Windows Firewall

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks