Malware Analysis Report

2024-11-16 13:09

Sample ID 220524-zv1emsgbb5
Target 50a3280dc04e49d606eac471f8179541638cbe3ea189caa6ecf332890ca2d72d
SHA256 50a3280dc04e49d606eac471f8179541638cbe3ea189caa6ecf332890ca2d72d
Tags
limerat rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

50a3280dc04e49d606eac471f8179541638cbe3ea189caa6ecf332890ca2d72d

Threat Level: Known bad

The file 50a3280dc04e49d606eac471f8179541638cbe3ea189caa6ecf332890ca2d72d was found to be: Known bad.

Malicious Activity Summary

limerat rat

LimeRAT

Limerat family

Legitimate hosting services abused for malware hosting/C2

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-24 21:03

Signatures

Limerat family

limerat

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-24 21:03

Reported

2022-05-24 21:05

Platform

win7-20220414-en

Max time kernel

122s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Cheats.exe"

Signatures

LimeRAT

rat limerat

Legitimate hosting services abused for malware hosting/C2

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cheats.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cheats.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Cheats.exe

"C:\Users\Admin\AppData\Local\Temp\Cheats.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
US 172.67.34.170:443 pastebin.com tcp
US 104.20.68.143:443 pastebin.com tcp
US 104.20.67.143:443 pastebin.com tcp
RU 31.180.133.80:4298 tcp
RU 31.180.133.80:4298 tcp

Files

memory/1836-54-0x0000000000E00000-0x0000000000E2E000-memory.dmp

memory/1836-55-0x0000000074F91000-0x0000000074F93000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-24 21:03

Reported

2022-05-24 21:05

Platform

win10v2004-20220414-en

Max time kernel

146s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Cheats.exe"

Signatures

LimeRAT

rat limerat

Legitimate hosting services abused for malware hosting/C2

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cheats.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cheats.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Cheats.exe

"C:\Users\Admin\AppData\Local\Temp\Cheats.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
RU 31.180.133.80:4298 tcp
NL 104.97.14.81:80 tcp
RU 31.180.133.80:4298 tcp
IE 20.54.110.249:443 tcp
NL 104.97.14.80:80 tcp
NL 104.97.14.80:80 tcp
US 8.8.8.8:53 97.97.242.52.in-addr.arpa udp
RU 31.180.133.80:4298 tcp
US 20.42.65.89:443 tcp
NL 104.110.191.133:80 tcp
US 8.8.8.8:53 9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa udp
RU 31.180.133.80:4298 tcp
GB 92.123.143.240:80 tcp
FR 2.18.109.224:443 tcp
RU 31.180.133.80:4298 tcp
RU 31.180.133.80:4298 tcp
NL 104.123.41.133:80 tcp
NL 104.123.41.133:80 tcp
NL 104.123.41.133:80 tcp
NL 104.123.41.133:80 tcp
NL 104.123.41.133:80 tcp
NL 104.123.41.133:80 tcp
US 8.8.8.8:53 storesdk.dsx.mp.microsoft.com udp
FR 2.18.109.224:443 storesdk.dsx.mp.microsoft.com tcp

Files

memory/3124-130-0x0000000000FD0000-0x0000000000FFE000-memory.dmp

memory/3124-131-0x0000000005970000-0x0000000005A0C000-memory.dmp

memory/3124-132-0x0000000005A70000-0x0000000005AD6000-memory.dmp

memory/3124-133-0x0000000006790000-0x0000000006D34000-memory.dmp