General
-
Target
62598bb2bcf8af2ca769137e1a4021256154a6430e95edc5ddee02c4891618a0
-
Size
24.3MB
-
Sample
220512-nwgs5sdbc7
-
MD5
0ed1010a80a3e115d7800f2618e8b7dc
-
SHA1
a00cc5b7c932b519d711731012bc4fba7be4e6bd
-
SHA256
62598bb2bcf8af2ca769137e1a4021256154a6430e95edc5ddee02c4891618a0
-
SHA512
adc1b2616a7b57fa70c2bf236e2034d6cd2d35ed005967db187a94806d20155df32beb920b54a443725b5684cec145a4102dff6c2a0a801b041a23b9ff3f941d
Static task
static1
Behavioral task
behavioral1
Sample
62598bb2bcf8af2ca769137e1a4021256154a6430e95edc5ddee02c4891618a0.exe
Resource
win7-20220414-en
Malware Config
Extracted
limerat
-
aes_key
nulled
-
antivm
true
-
c2_url
https://pastebin.com/raw/cXuQ0V20
-
delay
3
-
download_payload
false
-
install
false
-
install_name
Winservices.exe
-
main_folder
AppData
-
pin_spread
false
-
sub_folder
\
-
usb_spread
true
Targets
-
-
Target
62598bb2bcf8af2ca769137e1a4021256154a6430e95edc5ddee02c4891618a0
-
Size
24.3MB
-
MD5
0ed1010a80a3e115d7800f2618e8b7dc
-
SHA1
a00cc5b7c932b519d711731012bc4fba7be4e6bd
-
SHA256
62598bb2bcf8af2ca769137e1a4021256154a6430e95edc5ddee02c4891618a0
-
SHA512
adc1b2616a7b57fa70c2bf236e2034d6cd2d35ed005967db187a94806d20155df32beb920b54a443725b5684cec145a4102dff6c2a0a801b041a23b9ff3f941d
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
XMRig Miner Payload
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-