General
- Target: new.exe
- Size: 561KB
- Sample: 220514-aeny8schg7
- MD5: 6e2b77a2edd79a37179b04c25749a747
- SHA1: f3cae0f612069aa8aeff59c49f8dc577283078b7
- SHA256: 5d9b7ffa807488d66b06c02688e1d97814821708145a08badd6cb780453c7c42
- SHA512: c59f03744b42be806f95449fe19dd33fe50091cb0af41e7e632a94536625cd57cee279b86a74924f678b99227c898aa665ce761f4353ff4f12d3c224455167a9
Static task
- static1
Malware Config
Extracted: limerat
- 3AtEv1cfnjjwnaXZKwxd8fV5xh2sx5qNob (value with no field name preserved in the extraction; it is a 34-character Base58 string beginning with 3, which is the format of a Bitcoin P2SH address)
- aes_key: NYANCAT
- antivm: true
- c2_url: https://pastebin.com/raw/rmZm7wcd (a dead-drop resolver: the raw paste is fetched to obtain the actual C2 endpoint, so the pastebin URL is the hosting indicator, not the final C2)
- delay: 3
- download_payload: false
- install: true
- install_name: 698657.exe
- main_folder: AppData
- pin_spread: true
- sub_folder: \nin\
- usb_spread: true
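The extracted config above is what an analyst turns into hunting leads: the persistence path is assembled from main_folder, sub_folder and install_name, and the pastebin raw link is the network indicator to block and search for. The following Python script is an added example, not code from the report or from the LimeRAT project: it parses the flattened key/value listing exactly as it appears on this page (embedded inline as a constructed sample), types the boolean and integer fields, keeps the unlabeled value separate instead of guessing its meaning, and derives the expected install path and a list of hunting leads. The FOLDER_ENV table and the descriptions attached to pin_spread and usb_spread are assumptions about the config semantics, marked as such in the code.

```python
import ntpath
import re

# Constructed sample: the "Malware Config / Extracted" block from this report,
# with the bare '-' bullet residue that the page extraction left behind.
SAMPLE_CONFIG_TEXT = """limerat
3AtEv1cfnjjwnaXZKwxd8fV5xh2sx5qNob
-
aes_key
NYANCAT
-
antivm
true
-
c2_url
https://pastebin.com/raw/rmZm7wcd
-
delay
3
-
download_payload
false
-
install
true
-
install_name
698657.exe
-
main_folder
AppData
-
pin_spread
true
-
sub_folder
\\nin\\
-
usb_spread
true
"""

BOOL_FIELDS = {"antivm", "download_payload", "install", "pin_spread", "usb_spread"}
INT_FIELDS = {"delay"}

# Assumption: how a hunt expands the main_folder token. Only "AppData" appears
# on the page; the other entries are guesses at what the field may hold.
FOLDER_ENV = {"appdata": "%APPDATA%", "temp": "%TEMP%", "userprofile": "%USERPROFILE%"}

KEY_RE = re.compile(r"[a-z][a-z0-9_]*")


def parse_config(text):
    """Parse the flattened listing into a typed dict.

    Lines containing only '-' are list markers and are skipped. The first
    line is the family name. A line at a key position that is not a lowercase
    identifier (e.g. the Base58 string) is stored under 'unlabeled' rather
    than assigned a meaning the page does not give.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip() and ln.strip() != "-"]
    cfg = {"family": lines[0], "unlabeled": []}
    i = 1
    while i < len(lines):
        key = lines[i]
        if not KEY_RE.fullmatch(key):
            cfg["unlabeled"].append(key)
            i += 1
            continue
        value = lines[i + 1] if i + 1 < len(lines) else ""
        if key in BOOL_FIELDS:
            value = value.lower() == "true"
        elif key in INT_FIELDS:
            value = int(value)
        cfg[key] = value
        i += 2
    return cfg


def install_path(cfg):
    """Expected on-disk location of the dropped copy, or None when install is off."""
    if not cfg.get("install"):
        return None
    folder = cfg.get("main_folder", "")
    env = FOLDER_ENV.get(folder.lower(), folder)
    sub = cfg.get("sub_folder", "").strip("\\")
    return ntpath.join(env, sub, cfg["install_name"])


def hunting_leads(cfg):
    """Return (category, indicator) pairs derived from the config."""
    leads = []
    if cfg.get("c2_url"):
        # The pastebin link is a dead drop; the real C2 is whatever it serves.
        leads.append(("network", cfg["c2_url"]))
    path = install_path(cfg)
    if path:
        leads.append(("file", path))
    if cfg.get("usb_spread"):
        # Assumed meaning of usb_spread: copies of the payload on removable media.
        leads.append(("removable-media", "copies of %s on removable drives" % cfg["install_name"]))
    if cfg.get("pin_spread") and path:
        # Assumed meaning of pin_spread: pinned taskbar shortcuts redirected to the payload.
        leads.append(("shortcut", "pinned taskbar shortcuts whose target is %s" % path))
    return leads


if __name__ == "__main__":
    config = parse_config(SAMPLE_CONFIG_TEXT)
    for category, indicator in hunting_leads(config):
        print("%-16s %s" % (category, indicator))
```

The file lead is emitted with the environment variable unexpanded so the same output can be fed to a hunt across many profiles; expand it per user on the host (for example with os.path.expandvars on Windows) before checking for the file.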
Targets
- Target: new.exe, 561KB (same MD5/SHA1/SHA256/SHA512 as listed under General)
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Legitimate hosting services abused for malware hosting/C2 (the extracted c2_url is a pastebin raw link)
- Maps connected drives based on registry: disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext (a call pattern commonly seen in process hollowing and other thread-hijacking injection)