General

  • Target

    28d0fc1e6bb1e9e8bc56814baa81140635a3b37cf9fa81924441151bb13949fa

  • Size

    1.1MB

  • Sample

    220511-cymavsdeh5

  • MD5

    0569b2a491d2f73afc5ba1e7c23d311c

  • SHA1

    c325b46fd4e64c2cd6fb21f4d6b031e76050f89b

  • SHA256

    28d0fc1e6bb1e9e8bc56814baa81140635a3b37cf9fa81924441151bb13949fa

  • SHA512

    e7d1e4947a57b5a3636ffd91a0a63a42928bec44dd317030f97a18cd60998f8a2a65bdfaf2a94a399e62c9fef63e5d90582a9ba8fe372b149137bfe62046d0f4

Score
10/10

Malware Config

Extracted

Family

limerat

Attributes
  • aes_key

    nulled

  • antivm

    true

  • c2_url

    https://pastebin.com/raw/cXuQ0V20

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Winservices.exe

  • main_folder

    AppData

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    true

Targets

    • Target

      28d0fc1e6bb1e9e8bc56814baa81140635a3b37cf9fa81924441151bb13949fa

    • Size

      1.1MB

    • MD5

      0569b2a491d2f73afc5ba1e7c23d311c

    • SHA1

      c325b46fd4e64c2cd6fb21f4d6b031e76050f89b

    • SHA256

      28d0fc1e6bb1e9e8bc56814baa81140635a3b37cf9fa81924441151bb13949fa

    • SHA512

      e7d1e4947a57b5a3636ffd91a0a63a42928bec44dd317030f97a18cd60998f8a2a65bdfaf2a94a399e62c9fef63e5d90582a9ba8fe372b149137bfe62046d0f4

    Score
    10/10
    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Legitimate hosting services abused for malware hosting/C2

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks