General

Target: new.exe
Size: 537KB
Sample: 220513-3ccgmscfd4
MD5: fd90281d178d673adf59c2426c44cd85
SHA1: 5783ea81db8c0b13a7ca868a6e51b70b36de3583
SHA256: 2d4512d92593a1b877d27dd4e1be680a2aca26e97c97a11789ce7c5d03abbf45
SHA512: 57b008ebfecc93ba523d0d0eb7e7eb91e1b78091ccf02dadc52ce11a29cd9727eef777c6020dd54f8af16426d742baf4000c314faf1ee5fe8b8d120b216c69fe
Static task: static1
Malware Config

Extracted
Family: limerat
3AtEv1cfnjjwnaXZKwxd8fV5xh2sx5qNob
aes_key: NYANCAT
antivm: true
c2_url: https://pastebin.com/raw/rmZm7wcd
delay: 3
download_payload: false
install: true
install_name: 698657.exe
main_folder: AppData
pin_spread: true
sub_folder: \nin\
usb_spread: true
Targets

Target: new.exe
Size: 537KB
MD5: fd90281d178d673adf59c2426c44cd85
SHA1: 5783ea81db8c0b13a7ca868a6e51b70b36de3583
SHA256: 2d4512d92593a1b877d27dd4e1be680a2aca26e97c97a11789ce7c5d03abbf45
SHA512: 57b008ebfecc93ba523d0d0eb7e7eb91e1b78091ccf02dadc52ce11a29cd9727eef777c6020dd54f8af16426d742baf4000c314faf1ee5fe8b8d120b216c69fe
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext