General

  • Target

    bf4cd2f5d664e2a8d60f411dce8359b6.exe

  • Size

    190KB

  • Sample

    220521-t5nkyaddfp

  • MD5

    bf4cd2f5d664e2a8d60f411dce8359b6

  • SHA1

    1f6dce3eaef268dc95e1c61bcda025a5f46bc5ef

  • SHA256

    57638abb65ee04cbd560abcddb83414f992551282310ed4659c74b0687027092

  • SHA512

    437bf91698dbd44fde048bcf0ea8c91c56eea0693e45a79c8079c6e5ecdc61c82ac28190dd767e87e5e047877a345ed1fc3db7a09ca45a03805877bda1396890

Malware Config

Extracted

  • Family

    limerat

  • Wallets

    bc1quxey9qaznc2p3yjkerld76m3ktpewnh7m5ahpt

Attributes

  • aes_key

    103010

  • antivm

    true

  • c2_url

    https://agleamoda.000webhostapp.com/link.html

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Wservices.exe

  • main_folder

    Temp

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    true

Targets

    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Modifies system executable filetype association

    • Neshta

      Malware in the Neshta family is a file infector: it injects itself into other executables to spread and cause damage.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Scripting (T1064): 1

Persistence

  • Change Default File Association (T1042): 1

  • Registry Run Keys / Startup Folder (T1060): 1

Defense Evasion

  • Modify Registry (T1112): 3

  • Scripting (T1064): 1

  • Install Root Certificate (T1130): 1

Credential Access

  • Credentials in Files (T1081): 1

Discovery

  • Query Registry (T1012): 3

  • System Information Discovery (T1082): 4

Collection

  • Data from Local System (T1005): 1