General

  • Target

    102c40347d336ac6d2a49d957243d25040b6970fd54c0fb9e424c491317ce282

  • Size

    477KB

  • Sample

    220604-qg979aggc6

  • MD5

    db656d2e27d6498ff0fe5b390c00dcd9

  • SHA1

    e27a71fd4a9ae85806e45e3ec0f5e9e44f570bf6

  • SHA256

    102c40347d336ac6d2a49d957243d25040b6970fd54c0fb9e424c491317ce282

  • SHA512

    0612c64bd68db820799cd5d27af58e9aaff6c800e35521789d28bb528e332d53a2b614fc5cd0e881fe2cade1870589b4d524a4d93cc51fac91c05b3f07cf54bf

Score
10/10

Malware Config

Extracted

Family

limerat

Wallets

1JBKLGyE6AnRGvk92A8x3m8qmXfh3fcEty

Attributes
  • aes_key

    nulled

  • antivm

    true

  • c2_url

    https://pastebin.com/raw/cXuQ0V20

  • delay

    33

  • download_payload

    false

  • install

    false

  • install_name

    Winservices.exe

  • main_folder

    AppData

  • pin_spread

    false

  • sub_folder

    \Services\

  • usb_spread

    true

Targets

    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Drops startup file

    • Legitimate hosting services abused for malware hosting/C2

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks