General

  • Target

    new.exe

  • Size

    912KB

  • Sample

    220603-fyxndadcbq

  • MD5

    f1822828df8210dc62bf0eb28cc75dd5

  • SHA1

    67e071a64a32a9a2417603130e79f7cc0a192fbb

  • SHA256

    bf96da63e4b63f9077e70f7333b15174d5b9a5c19a04a3cd8a6ac7aa1dba15d4

  • SHA512

    b97fa97326279892a73f5940f89652edc87f9001302bbe2594eaf085de26248abe84c0202bbf6ea4e82aaa376e7207d1f0444e7a8762c86ae56b8790213315e3

Score
10/10

Malware Config

Extracted

Family

limerat

Wallets

1LLUV51XQKqq94X965Cc6uGPXeZEGSqCdV

Attributes
  • aes_key

    NYANCAT

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/4pByu6u5

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Wservices.exe

  • main_folder

    AppData

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    true

Targets

    • Target

      new.exe

    • Size

      912KB

    • MD5

      f1822828df8210dc62bf0eb28cc75dd5

    • SHA1

      67e071a64a32a9a2417603130e79f7cc0a192fbb

    • SHA256

      bf96da63e4b63f9077e70f7333b15174d5b9a5c19a04a3cd8a6ac7aa1dba15d4

    • SHA512

      b97fa97326279892a73f5940f89652edc87f9001302bbe2594eaf085de26248abe84c0202bbf6ea4e82aaa376e7207d1f0444e7a8762c86ae56b8790213315e3

    Score
    10/10
    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks