General

  • Target

    f47e8cf02f856c487fd8f832ba0de87778eeb4e8bcb405407b4145b2050879e7

  • Size

    1.2MB

  • Sample

    220521-prennabahj

  • MD5

    539e1051ca625b5e4fd0fc24bce51536

  • SHA1

    ce44eac8d1ebb35cf54ad0f89034685223e90b3a

  • SHA256

    f47e8cf02f856c487fd8f832ba0de87778eeb4e8bcb405407b4145b2050879e7

  • SHA512

    3cf6c73444ddc4ac84b4f47b57763f074f221781e9347563487f63b4e3eaec34ba58fa73954c97174a96f8b36ce7d66dbf5d203af891e83172dd9df1aea9d64b

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.ionos.es
  • Port:
    587
  • Username:
    b.goicoechea@amyavigo.es
  • Password:
    75457545bg

Extracted

Family

limerat

Wallets

1LYXfE3ZfhsvvuTfAC7kasRQD4EnwgoeJx

Attributes

  • aes_key

    0000000000000000

  • antivm

    true

  • c2_url

    https://pastebin.com/raw/84gGtTLk

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Wservices.exe

  • main_folder

    Temp

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    false

Targets

    • Target

      DOC29309.EXE

    • Size

      283KB

    • MD5

      92b37680ac5c24374bafb7db5be4fd0a

    • SHA1

      df08457d10f1ffea52d7115d5b0a498509e5a72a

    • SHA256

      f5ce2ee6334c46aae1d42e65626227232ca319a3a4c7e6388df99b0bc7da646e

    • SHA512

      4e05d6e3c0f7aa45de04c508db58476c9a7ab9a52fc6d9d59874193c8629b4bba3e430b6c1096fdd6952e794893699e2143fc0918e833ad1f92dacde9817d9fb

    • 404 Keylogger

      Information stealer and keylogger first seen in 2019.

    • 404 Keylogger Main Executable

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      DOC30039.EXE

    • Size

      295KB

    • MD5

      60c0778625ff004c0189cb7af4634e69

    • SHA1

      383d1e456c253dd108bd70d75e225d6e8d72d4ed

    • SHA256

      a1a937a1fc9c9b0cafc877fae326d61f3ee3d0574f04da24fa490caff6a6b7cf

    • SHA512

      39b5b9762116c62ce800a175459472c3fe55e33b21673643a4e1d1623e46e55d19d94a738ed9dc558939e6af9ce0569dce921bd6e17b5e5c1d760d1cba1ed0e8

    • Score

      10/10
    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic               Technique                           Count  ID
  Persistence          Registry Run Keys / Startup Folder  2      T1060
  Defense Evasion      Modify Registry                     4      T1112
  Defense Evasion      Install Root Certificate            2      T1130
  Credential Access    Credentials in Files                3      T1081
  Collection           Data from Local System              3      T1005
  Collection           Email Collection                    1      T1114
  Command and Control  Web Service                         1      T1102
