General

  • Target

    new.exe

  • Size

    537KB

  • Sample

    220513-3ccgmscfd4

  • MD5

    fd90281d178d673adf59c2426c44cd85

  • SHA1

    5783ea81db8c0b13a7ca868a6e51b70b36de3583

  • SHA256

    2d4512d92593a1b877d27dd4e1be680a2aca26e97c97a11789ce7c5d03abbf45

  • SHA512

    57b008ebfecc93ba523d0d0eb7e7eb91e1b78091ccf02dadc52ce11a29cd9727eef777c6020dd54f8af16426d742baf4000c314faf1ee5fe8b8d120b216c69fe

Score
10/10

Malware Config

Extracted

Family

limerat

Wallets

3AtEv1cfnjjwnaXZKwxd8fV5xh2sx5qNob

Attributes
  • aes_key

    NYANCAT

  • antivm

    true

  • c2_url

    https://pastebin.com/raw/rmZm7wcd

  • delay

    3

  • download_payload

    false

  • install

    true

  • install_name

    698657.exe

  • main_folder

    AppData

  • pin_spread

    true

  • sub_folder

    \nin\

  • usb_spread

    true

Targets

    • Target

      new.exe

    Score
    10/10
    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Legitimate hosting services abused for malware hosting/C2

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext
