General
-
Target
28d0fc1e6bb1e9e8bc56814baa81140635a3b37cf9fa81924441151bb13949fa
-
Size
1.1MB
-
Sample
220511-cymavsdeh5
-
MD5
0569b2a491d2f73afc5ba1e7c23d311c
-
SHA1
c325b46fd4e64c2cd6fb21f4d6b031e76050f89b
-
SHA256
28d0fc1e6bb1e9e8bc56814baa81140635a3b37cf9fa81924441151bb13949fa
-
SHA512
e7d1e4947a57b5a3636ffd91a0a63a42928bec44dd317030f97a18cd60998f8a2a65bdfaf2a94a399e62c9fef63e5d90582a9ba8fe372b149137bfe62046d0f4
Static task
static1
Behavioral task
behavioral1
Sample
28d0fc1e6bb1e9e8bc56814baa81140635a3b37cf9fa81924441151bb13949fa.exe
Resource
win7-20220414-en
Malware Config
Extracted
limerat
-
aes_key
nulled
-
antivm
true
-
c2_url
https://pastebin.com/raw/cXuQ0V20
-
delay
3
-
download_payload
false
-
install
false
-
install_name
Winservices.exe
-
main_folder
AppData
-
pin_spread
false
-
sub_folder
\
-
usb_spread
true
Targets
-
-
Target
28d0fc1e6bb1e9e8bc56814baa81140635a3b37cf9fa81924441151bb13949fa
-
Size
1.1MB
-
MD5
0569b2a491d2f73afc5ba1e7c23d311c
-
SHA1
c325b46fd4e64c2cd6fb21f4d6b031e76050f89b
-
SHA256
28d0fc1e6bb1e9e8bc56814baa81140635a3b37cf9fa81924441151bb13949fa
-
SHA512
e7d1e4947a57b5a3636ffd91a0a63a42928bec44dd317030f97a18cd60998f8a2a65bdfaf2a94a399e62c9fef63e5d90582a9ba8fe372b149137bfe62046d0f4
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Legitimate hosting services abused for malware hosting/C2
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-