bf4cd2f5d664e2a8d60f411dce8359b6.exe

General

Target: bf4cd2f5d664e2a8d60f411dce8359b6.exe
Size: 190KB
Sample: 220521-t5c47sddfm
Score: 10/10
MD5: bf4cd2f5d664e2a8d60f411dce8359b6
SHA1: 1f6dce3eaef268dc95e1c61bcda025a5f46bc5ef
SHA256: 57638abb65ee04cbd560abcddb83414f992551282310ed4659c74b0687027092
SHA512: 437bf91698dbd44fde048bcf0ea8c91c56eea0693e45a79c8079c6e5ecdc61c82ac28190dd767e87e5e047877a345ed1fc3db7a09ca45a03805877bda1396890

Malware Config

Extracted

Family: limerat
Wallets: bc1quxey9qaznc2p3yjkerld76m3ktpewnh7m5ahpt

Attributes

aes_key: 103010
antivm: true
c2_url: https://agleamoda.000webhostapp.com/link.html
delay: 3
download_payload: false
install: false
install_name: Wservices.exe
main_folder: Temp
pin_spread: false
sub_folder: \
usb_spread: true
Targets

Target: bf4cd2f5d664e2a8d60f411dce8359b6.exe
(MD5, SHA1, SHA256, SHA512, size 190KB and score 10/10 as listed under General)
Signatures

  • LimeRAT
    Description: Simple yet powerful RAT for Windows machines written in .NET.
  • Modifies system executable filetype association
    TTPs: Modify Registry; Change Default File Association
  • Neshta
    Description: Malware from the Neshta family is designed to infect itself into other files to spread itself and cause damage.
  • Executes dropped EXE
  • Checks computer location settings
    Description: Looks up the country code configured in the registry, likely a geofence.
    TTPs: Query Registry; System Information Discovery
  • Loads dropped DLL
  • Reads user/profile data of web browsers
    Description: Infostealers often target stored browser data, which can include saved credentials etc.
    TTPs: Data from Local System; Credentials in Files
  • Uses the VBS compiler for execution
    TTPs: Scripting
  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder; Modify Registry
  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix: Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation