General

  • Target

    2b38356a2ffe12979669044ce1dd2fa2.exe

  • Size

    213KB

  • Sample

    220511-qp3s5sged4

  • MD5

    2b38356a2ffe12979669044ce1dd2fa2

  • SHA1

    5a35c5deeec0d1ed7b4b91857539c0a802e68b91

  • SHA256

    951337ef30b8c0940e630f56187954653fb03de3cbc9367e75d68d9432126fa4

  • SHA512

    00293601f67a868793049f54a543ce6cec78c33d088a2a5f7bbff88079823828a4d183ff737f86c8425d45aeb8af5a3c3e6d43c328384358d595cee985a89e34

Malware Config

Extracted

Family

limerat

Wallets

1CUdxaF2Z2M9DewCbmhsJUwqDJCxMo7mcx

Attributes
  • aes_key

    Hoty

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/PiamnzkF

  • delay

    3

  • download_payload

    true

  • install

    true

  • install_name

    AppStore.exe

  • main_folder

    AppData

  • payload_url

    http://www.avp.ie/dll.exe

  • pin_spread

    false

  • sub_folder

    \Apps Stores\

  • usb_spread

    false

Targets

    • Target

      2b38356a2ffe12979669044ce1dd2fa2.exe

    • Size

      213KB

    • MD5

      2b38356a2ffe12979669044ce1dd2fa2

    • SHA1

      5a35c5deeec0d1ed7b4b91857539c0a802e68b91

    • SHA256

      951337ef30b8c0940e630f56187954653fb03de3cbc9367e75d68d9432126fa4

    • SHA512

      00293601f67a868793049f54a543ce6cec78c33d088a2a5f7bbff88079823828a4d183ff737f86c8425d45aeb8af5a3c3e6d43c328384358d595cee985a89e34

    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks