Malware Analysis Report

2024-11-16 13:09

Sample ID 220531-gkrqmsgaf5
Target 067eb1294e4dd4b17b802236519c2147a4f3ba91cdcadd45a9bf8b3f6e2b742c
SHA256 067eb1294e4dd4b17b802236519c2147a4f3ba91cdcadd45a9bf8b3f6e2b742c
Tags
limerat persistence rat
score
10/10

Analysis Overview

score
10/10

SHA256

067eb1294e4dd4b17b802236519c2147a4f3ba91cdcadd45a9bf8b3f6e2b742c

Threat Level: Known bad

The file 067eb1294e4dd4b17b802236519c2147a4f3ba91cdcadd45a9bf8b3f6e2b742c was found to be: Known bad.

Malicious Activity Summary

limerat persistence rat

LimeRAT

Executes dropped EXE

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-31 05:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-31 05:52

Reported

2022-05-31 07:57

Platform

win7-20220414-en

Max time kernel

144s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\067eb1294e4dd4b17b802236519c2147a4f3ba91cdcadd45a9bf8b3f6e2b742c.exe"

Signatures

LimeRAT

rat limerat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1986620950\1986620950.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\067eb1294e4dd4b17b802236519c2147a4f3ba91cdcadd45a9bf8b3f6e2b742c.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\067eb1294e4dd4b17b802236519c2147a4f3ba91cdcadd45a9bf8b3f6e2b742c.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1986620950\1986620950.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1986620950\1986620950.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1932 wrote to memory of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\067eb1294e4dd4b17b802236519c2147a4f3ba91cdcadd45a9bf8b3f6e2b742c.exe | C:\Windows\system32\cmd.exe
PID 1932 wrote to memory of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\067eb1294e4dd4b17b802236519c2147a4f3ba91cdcadd45a9bf8b3f6e2b742c.exe | C:\Windows\system32\cmd.exe
PID 1932 wrote to memory of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\067eb1294e4dd4b17b802236519c2147a4f3ba91cdcadd45a9bf8b3f6e2b742c.exe | C:\Windows\system32\cmd.exe
PID 1932 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\067eb1294e4dd4b17b802236519c2147a4f3ba91cdcadd45a9bf8b3f6e2b742c.exe | C:\Windows\system32\cmd.exe
PID 1932 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\067eb1294e4dd4b17b802236519c2147a4f3ba91cdcadd45a9bf8b3f6e2b742c.exe | C:\Windows\system32\cmd.exe
PID 1932 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\067eb1294e4dd4b17b802236519c2147a4f3ba91cdcadd45a9bf8b3f6e2b742c.exe | C:\Windows\system32\cmd.exe
PID 2040 wrote to memory of 1996 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2040 wrote to memory of 1996 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2040 wrote to memory of 1996 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1996 wrote to memory of 904 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\1986620950\1986620950.exe
PID 1996 wrote to memory of 904 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\1986620950\1986620950.exe
PID 1996 wrote to memory of 904 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\1986620950\1986620950.exe
PID 1996 wrote to memory of 904 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Users\Admin\AppData\Local\Temp\1986620950\1986620950.exe

Processes

C:\Users\Admin\AppData\Local\Temp\067eb1294e4dd4b17b802236519c2147a4f3ba91cdcadd45a9bf8b3f6e2b742c.exe

"C:\Users\Admin\AppData\Local\Temp\067eb1294e4dd4b17b802236519c2147a4f3ba91cdcadd45a9bf8b3f6e2b742c.exe"

C:\Windows\system32\cmd.exe

cmd.exe /c echo.

C:\Windows\system32\cmd.exe

cmd.exe /c exec.bat

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File ".\bits.ps1"

C:\Users\Admin\AppData\Local\Temp\1986620950\1986620950.exe

"C:\Users\Admin\AppData\Local\Temp\1986620950\1986620950.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | pastebin.com | udp
US | 172.67.34.170:443 | pastebin.com | tcp
FR | 141.255.158.51:1177 | | tcp
FR | 141.255.158.51:1177 | | tcp
FR | 141.255.158.51:1177 | | tcp
FR | 141.255.158.51:1177 | | tcp
FR | 141.255.158.51:1177 | | tcp

Files

memory/1932-54-0x000007FEFB751000-0x000007FEFB753000-memory.dmp

memory/1144-55-0x0000000000000000-mapping.dmp

memory/2040-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\exec.bat

MD5 368e0f2c003376d3bdae1c71dd85ec70
SHA1 e5fa7b58cad7f5df6e3a7c2abeec16365ae17827
SHA256 84ab0b7013c706781f6839235d7d59cfad0874e4cc415aeaa4bf86a8dd99b0d9
SHA512 e3e2c9035fca632d04fd411c394301598e6b964d2ebd79db4fcf19816dd876ed23c51831382202d8f5335a0e4a8721d683c377bb1706e4faa4001387f843d553

memory/1996-58-0x0000000000000000-mapping.dmp

memory/1996-60-0x000007FEF3230000-0x000007FEF3C53000-memory.dmp

memory/1996-61-0x000007FEF26D0000-0x000007FEF322D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bits.ps1

MD5 8d4fc7d9b7f9ae031db6ac350af49861
SHA1 a57c563cc8406ef2ea4a8ad94972f039f053026e
SHA256 3637dfa2d64efeaf36903e17bacd8f832dee3e6d12e3414fd55fed4311498796
SHA512 900e577c29f2976604805420ffd2fad6848657ba408e61dd8883bee55146ce229728527ebdbad2cf12b30b81232345e03761d02f1f0e2301de4de5154d2f6e87

memory/1996-63-0x000007FEF3C60000-0x000007FEF4B3C000-memory.dmp

memory/1996-64-0x000007FEF3230000-0x000007FEF3C53000-memory.dmp

memory/1996-66-0x00000000027F4000-0x00000000027F7000-memory.dmp

memory/1996-65-0x000007FEF6350000-0x000007FEF6402000-memory.dmp

memory/1996-67-0x000007FEF26D0000-0x000007FEF322D000-memory.dmp

memory/1996-68-0x000007FEF62E0000-0x000007FEF6349000-memory.dmp

memory/1996-69-0x000007FEFA840000-0x000007FEFA872000-memory.dmp

memory/1996-70-0x000007FEF6110000-0x000007FEF61BA000-memory.dmp

memory/1996-71-0x000007FEF6020000-0x000007FEF6105000-memory.dmp

memory/1996-73-0x000007FEF5930000-0x000007FEF5B46000-memory.dmp

memory/904-72-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1986620950\1986620950.exe

MD5 b799e179c6512cdea8fc1b60f3ea68e7
SHA1 fd011070db46a5ba428d467b7a1596c186ea7b69
SHA256 182c2b7af53fe809c7b3bd3ea738108e20984e9bc982eb183c8311c5dd49640e
SHA512 a2301141126dc823b12485337834435dfb526bf339a8712d3ec1aab58e887092dec891eb5cca49aab0b487793d57ca8b3299f7350e31f1e7eba9e67ad0db5c33

memory/1996-75-0x000007FEF5F00000-0x000007FEF6018000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1986620950\1986620950.exe

MD5 b799e179c6512cdea8fc1b60f3ea68e7
SHA1 fd011070db46a5ba428d467b7a1596c186ea7b69
SHA256 182c2b7af53fe809c7b3bd3ea738108e20984e9bc982eb183c8311c5dd49640e
SHA512 a2301141126dc823b12485337834435dfb526bf339a8712d3ec1aab58e887092dec891eb5cca49aab0b487793d57ca8b3299f7350e31f1e7eba9e67ad0db5c33

memory/1996-76-0x000007FEF5B50000-0x000007FEF5E7E000-memory.dmp

memory/1996-79-0x000007FEF3230000-0x000007FEF3C53000-memory.dmp

memory/1996-78-0x000007FEF62A0000-0x000007FEF62DE000-memory.dmp

memory/1996-80-0x000007FEF6350000-0x000007FEF6402000-memory.dmp

memory/1996-81-0x000007FEF26D0000-0x000007FEF322D000-memory.dmp

memory/904-82-0x00000000757C1000-0x00000000757C3000-memory.dmp

memory/1996-83-0x000007FEF5930000-0x000007FEF5B46000-memory.dmp

memory/1996-84-0x000007FEF5630000-0x000007FEF579C000-memory.dmp

memory/1996-85-0x000007FEF1E80000-0x000007FEF2015000-memory.dmp

memory/1996-86-0x000007FEF2020000-0x000007FEF26C5000-memory.dmp

memory/1996-87-0x00000000027FB000-0x000000000281A000-memory.dmp

memory/1996-88-0x000007FEEE7B0000-0x000007FEEEFFB000-memory.dmp

memory/1996-89-0x000007FEF3C60000-0x000007FEF4B3C000-memory.dmp

memory/904-90-0x0000000073D10000-0x00000000742BB000-memory.dmp

memory/904-91-0x0000000072820000-0x0000000073318000-memory.dmp

memory/904-92-0x0000000072080000-0x000000007281C000-memory.dmp

memory/904-93-0x00000000739E0000-0x0000000073B7B000-memory.dmp

memory/904-94-0x0000000074640000-0x0000000074744000-memory.dmp

memory/904-95-0x0000000073850000-0x00000000739D8000-memory.dmp

memory/904-96-0x00000000714A0000-0x000000007207E000-memory.dmp

memory/904-97-0x0000000073750000-0x0000000073841000-memory.dmp

memory/904-98-0x0000000070F60000-0x0000000071496000-memory.dmp

memory/904-99-0x0000000073D10000-0x00000000742BB000-memory.dmp

memory/904-100-0x0000000072820000-0x0000000073318000-memory.dmp

memory/904-101-0x0000000072080000-0x000000007281C000-memory.dmp

memory/904-102-0x00000000739E0000-0x0000000073B7B000-memory.dmp

memory/904-103-0x0000000074640000-0x0000000074744000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-31 05:52

Reported

2022-05-31 07:57

Platform

win10v2004-20220414-en

Max time kernel

138s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\067eb1294e4dd4b17b802236519c2147a4f3ba91cdcadd45a9bf8b3f6e2b742c.exe"

Signatures

LimeRAT

rat limerat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1762564580\1762564580.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\067eb1294e4dd4b17b802236519c2147a4f3ba91cdcadd45a9bf8b3f6e2b742c.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\067eb1294e4dd4b17b802236519c2147a4f3ba91cdcadd45a9bf8b3f6e2b742c.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1762564580\1762564580.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1762564580\1762564580.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\067eb1294e4dd4b17b802236519c2147a4f3ba91cdcadd45a9bf8b3f6e2b742c.exe

"C:\Users\Admin\AppData\Local\Temp\067eb1294e4dd4b17b802236519c2147a4f3ba91cdcadd45a9bf8b3f6e2b742c.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c echo.

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c exec.bat

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File ".\bits.ps1"

C:\Users\Admin\AppData\Local\Temp\1762564580\1762564580.exe

"C:\Users\Admin\AppData\Local\Temp\1762564580\1762564580.exe"

Network

Country | Destination | Domain | Proto
NL | 87.248.202.1:80 | | tcp
US | 52.109.8.19:443 | | tcp
US | 8.8.8.8:53 | pastebin.com | udp
US | 104.20.68.143:443 | pastebin.com | tcp
FR | 141.255.158.51:1177 | | tcp
NL | 88.221.144.192:80 | | tcp
FR | 2.18.109.224:443 | | tcp
US | 104.18.25.243:80 | | tcp
NL | 13.69.109.131:443 | | tcp
FR | 141.255.158.51:1177 | | tcp
US | 204.79.197.203:80 | | tcp
NL | 8.248.3.254:80 | | tcp
NL | 8.248.3.254:80 | | tcp
US | 8.251.167.126:80 | | tcp
US | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa | udp
FR | 141.255.158.51:1177 | | tcp
FR | 141.255.158.51:1177 | | tcp
FR | 141.255.158.51:1177 | | tcp

Files

memory/3180-131-0x0000000000000000-mapping.dmp

memory/2168-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\exec.bat

MD5 368e0f2c003376d3bdae1c71dd85ec70
SHA1 e5fa7b58cad7f5df6e3a7c2abeec16365ae17827
SHA256 84ab0b7013c706781f6839235d7d59cfad0874e4cc415aeaa4bf86a8dd99b0d9
SHA512 e3e2c9035fca632d04fd411c394301598e6b964d2ebd79db4fcf19816dd876ed23c51831382202d8f5335a0e4a8721d683c377bb1706e4faa4001387f843d553

memory/3044-134-0x0000000000000000-mapping.dmp

memory/3044-135-0x0000019CF1170000-0x0000019CF1192000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bits.ps1

MD5 8d4fc7d9b7f9ae031db6ac350af49861
SHA1 a57c563cc8406ef2ea4a8ad94972f039f053026e
SHA256 3637dfa2d64efeaf36903e17bacd8f832dee3e6d12e3414fd55fed4311498796
SHA512 900e577c29f2976604805420ffd2fad6848657ba408e61dd8883bee55146ce229728527ebdbad2cf12b30b81232345e03761d02f1f0e2301de4de5154d2f6e87

memory/3044-137-0x00007FFBFA0B0000-0x00007FFBFAB71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1762564580\1762564580.exe

MD5 b799e179c6512cdea8fc1b60f3ea68e7
SHA1 fd011070db46a5ba428d467b7a1596c186ea7b69
SHA256 182c2b7af53fe809c7b3bd3ea738108e20984e9bc982eb183c8311c5dd49640e
SHA512 a2301141126dc823b12485337834435dfb526bf339a8712d3ec1aab58e887092dec891eb5cca49aab0b487793d57ca8b3299f7350e31f1e7eba9e67ad0db5c33

memory/1744-138-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1762564580\1762564580.exe

MD5 b799e179c6512cdea8fc1b60f3ea68e7
SHA1 fd011070db46a5ba428d467b7a1596c186ea7b69
SHA256 182c2b7af53fe809c7b3bd3ea738108e20984e9bc982eb183c8311c5dd49640e
SHA512 a2301141126dc823b12485337834435dfb526bf339a8712d3ec1aab58e887092dec891eb5cca49aab0b487793d57ca8b3299f7350e31f1e7eba9e67ad0db5c33

memory/3044-141-0x00007FFBFA0B0000-0x00007FFBFAB71000-memory.dmp

memory/1744-142-0x0000000074CF0000-0x00000000752A1000-memory.dmp

memory/1744-143-0x0000000073AF0000-0x00000000745F0000-memory.dmp

memory/1744-144-0x0000000073260000-0x0000000073A08000-memory.dmp

memory/1744-145-0x0000000074CF0000-0x00000000752A1000-memory.dmp

memory/1744-146-0x0000000073AF0000-0x00000000745F0000-memory.dmp

memory/1744-147-0x0000000073260000-0x0000000073A08000-memory.dmp