General

  • Target

    7719ad9b0562f347fc8096f76f7a085d21c2285afee4ff1d96977be0a25868e4

  • Size

    1.1MB

  • Sample

    220511-cyhmnsgcgm

  • MD5

    2d768a20d0d4979a7fb7d038081328b6

  • SHA1

    8a25e11047af6310bfeb933cbb57d30d61e6b11d

  • SHA256

    7719ad9b0562f347fc8096f76f7a085d21c2285afee4ff1d96977be0a25868e4

  • SHA512

    698015ee9ed4d357f33fb0e066212d264ce8e281f79ff3aa50ada0193adb397994df83ed42d0ad2878ec0e3aed8fd1b5b5ee9ac242e1d11e6367c66ec8ca0dbf

Score
10/10

Malware Config

Extracted

Family

limerat

Wallets

1JBKLGyE6AnRGvk92A8x3m8qmXfh3fcEty

Attributes
  • aes_key

    nulled

  • antivm

    true

  • c2_url

    https://pastebin.com/raw/cXuQ0V20

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Winservices.exe

  • main_folder

    AppData

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    true

Targets

    • Target

      7719ad9b0562f347fc8096f76f7a085d21c2285afee4ff1d96977be0a25868e4

    • Size

      1.1MB

    • MD5

      2d768a20d0d4979a7fb7d038081328b6

    • SHA1

      8a25e11047af6310bfeb933cbb57d30d61e6b11d

    • SHA256

      7719ad9b0562f347fc8096f76f7a085d21c2285afee4ff1d96977be0a25868e4

    • SHA512

      698015ee9ed4d357f33fb0e066212d264ce8e281f79ff3aa50ada0193adb397994df83ed42d0ad2878ec0e3aed8fd1b5b5ee9ac242e1d11e6367c66ec8ca0dbf

    Score
    10/10
    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Legitimate hosting services abused for malware hosting/C2

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks