General

  • Target

    1944-64-0x0000000000240000-0x000000000024C000-memory.dmp

  • Size

    48KB

  • Sample

    220511-qs3bsaged7

  • MD5

    3b1fe2f1d34b9813bb45f5e8f2741535

  • SHA1

    5a5bbb95d1857a360f15867d21aa0673003ae615

  • SHA256

    02225c3692a5794336838e89a10a96607fc4d58ce8c3a580d5cccc1ceb88631d

  • SHA512

    c2fa2ecd977c8322250b6c20c51398e6cde370495920c5f068d5a7d2e16b12b4adf08cd6cc91888eab75918579cae0882dfb30e0d7ad388a671ca408cd57db5a

Malware Config

Extracted

Family

limerat

Wallets

1CUdxaF2Z2M9DewCbmhsJUwqDJCxMo7mcx

Attributes
  • aes_key

    Hoty

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/PiamnzkF

  • delay

    3

  • download_payload

    true

  • install

    true

  • install_name

    AppStore.exe

  • main_folder

    AppData

  • payload_url

    http://www.avp.ie/dll.exe

  • pin_spread

    false

  • sub_folder

    \Apps Stores\

  • usb_spread

    false

Targets

    • Target

      1944-64-0x0000000000240000-0x000000000024C000-memory.dmp

    • Size

      48KB

    • MD5

      3b1fe2f1d34b9813bb45f5e8f2741535

    • SHA1

      5a5bbb95d1857a360f15867d21aa0673003ae615

    • SHA256

      02225c3692a5794336838e89a10a96607fc4d58ce8c3a580d5cccc1ceb88631d

    • SHA512

      c2fa2ecd977c8322250b6c20c51398e6cde370495920c5f068d5a7d2e16b12b4adf08cd6cc91888eab75918579cae0882dfb30e0d7ad388a671ca408cd57db5a

    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks