limerat | a0a3bc07227d7169a697f3aff430ff62af3d856802551fc0d63c1e0e1e45820f | Triage

Submit
Reports

Overview

overview

Static

static

a0a3bc0722...0f.exe

windows7_x64

a0a3bc0722...0f.exe

windows10-2004_x64

Sharing

General

Target

a0a3bc07227d7169a697f3aff430ff62af3d856802551fc0d63c1e0e1e45820f
Size

592KB
Sample

220524-d7kztsedf4
MD5

cb6e4575662be7979855943c528f8dcb
SHA1

3117b905dead7a714ca0d8edd2a643e1a3dffda9
SHA256

a0a3bc07227d7169a697f3aff430ff62af3d856802551fc0d63c1e0e1e45820f
SHA512

fe7b591a06f68598bd1e7f18d66c7de4400d261acb8ee141db675116b08bb197de7520764ddeb01e9bc60618e5daeefe31c60cfdb124bb060a61a5d3f3909b00

Score

10^/10

limerat neshta njrat hacked agilenet evasion persistence rat spyware trojan

Static task

static1

Behavioral task

behavioral1

Sample

a0a3bc07227d7169a697f3aff430ff62af3d856802551fc0d63c1e0e1e45820f.exe

Resource

win7-20220414-en

limerat neshta njrat hacked agilenet evasion persistence rat spyware trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

a0a3bc07227d7169a697f3aff430ff62af3d856802551fc0d63c1e0e1e45820f.exe

Resource

win10v2004-20220414-en

neshta agilenet evasion persistence spyware

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://chopa.mywire.org/f.jpg

Extracted

Family

limerat

Wallets

1JBKLGyE6AnRGvk92A8x3m8qmXfh3fcEty

Attributes

aes_key
nulled
antivm
true
c2_url
https://pastebin.com/raw/cXuQ0V20
delay
33
download_payload
false
install
true
install_name
Monitor.exe
main_folder
AppData
pin_spread
false
sub_folder
\
usb_spread
true

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

81.61.77.92:5553

Mutex

c34d2dcb6f6ef032823fc192432ddb99

Attributes

reg_key
c34d2dcb6f6ef032823fc192432ddb99
splitter
|'|'|

Targets

- Target
  
  a0a3bc07227d7169a697f3aff430ff62af3d856802551fc0d63c1e0e1e45820f
- Size
  
  592KB
- MD5
  
  cb6e4575662be7979855943c528f8dcb
- SHA1
  
  3117b905dead7a714ca0d8edd2a643e1a3dffda9
- SHA256
  
  a0a3bc07227d7169a697f3aff430ff62af3d856802551fc0d63c1e0e1e45820f
- SHA512
  
  fe7b591a06f68598bd1e7f18d66c7de4400d261acb8ee141db675116b08bb197de7520764ddeb01e9bc60618e5daeefe31c60cfdb124bb060a61a5d3f3909b00
Score

10^/10

limerat neshta njrat hacked agilenet evasion persistence rat spyware trojan
- Detect Neshta Payload
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Modifies system executable filetype association
  persistence
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Change Default File Association

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

limeratneshtanjrathackedagilenetevasionpersistenceratspywaretrojan

behavioral2

neshtaagilenetevasionpersistencespyware

© 2018-2024

Terms | Privacy