General

  • Target

    new.exe

  • Size

    561KB

  • Sample

    220514-aeny8schg7

  • MD5

    6e2b77a2edd79a37179b04c25749a747

  • SHA1

    f3cae0f612069aa8aeff59c49f8dc577283078b7

  • SHA256

    5d9b7ffa807488d66b06c02688e1d97814821708145a08badd6cb780453c7c42

  • SHA512

    c59f03744b42be806f95449fe19dd33fe50091cb0af41e7e632a94536625cd57cee279b86a74924f678b99227c898aa665ce761f4353ff4f12d3c224455167a9

Score
10/10

Malware Config

Extracted

Family

limerat

Wallets

3AtEv1cfnjjwnaXZKwxd8fV5xh2sx5qNob

Attributes

  • aes_key

    NYANCAT

  • antivm

    true

  • c2_url

    https://pastebin.com/raw/rmZm7wcd

  • delay

    3

  • download_payload

    false

  • install

    true

  • install_name

    698657.exe

  • main_folder

    AppData

  • pin_spread

    true

  • sub_folder

    \nin\

  • usb_spread

    true

Targets

    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Legitimate hosting services abused for malware hosting/C2

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext
