General
Target: d08eee4f0003e97926964fc8ae161b578fbc6e2367dcdc96dc38635c87004953
Size: 7.7MB
Sample: 220604-w7p8nafafp
MD5: e0fbfe477ea9736b977e435af868c5af
SHA1: 9e4076c8eaaa3c9f9b45438aee7cb499af7c57df
SHA256: d08eee4f0003e97926964fc8ae161b578fbc6e2367dcdc96dc38635c87004953
SHA512: d6e12913a34ce0940eb020b2b77dee1bf681587e1ef6832f2c4c00e4e0d334d44502d1d77781b21e94082a4f7471abe4c6931db1168b81ffd7c9ab3535e46962

Static task: static1
Behavioral task: behavioral1
Sample: d08eee4f0003e97926964fc8ae161b578fbc6e2367dcdc96dc38635c87004953.exe
Resource: win7-20220414-en
Malware Config

Extracted: limerat
1JBKLGyE6AnRGvk92A8x3m8qmXfh3fcEty
aes_key: xdolphins
antivm: false
c2_url: https://pastebin.com/raw/eZc9Bibi
delay: 3
download_payload: false
install: false
install_name: Windows10.exe
main_folder: Temp
pin_spread: true
sub_folder: \wind10\
usb_spread: true

Extracted: njrat
0.7d
dynu
houdinicasa.mywire.org:5553
8ddba2dd825a33df9c4d0997a7ba9033
reg_key: 8ddba2dd825a33df9c4d0997a7ba9033
splitter: |'|'|

Extracted: cybergate
v1.05.1
cactus
todoaqui.duckdns.org:1978
guarderia1.mywire.org:1554
prueba2.hopto.org:1553
J6DSA521SHC5O5
enable_keylogger: true
enable_message_box: false
ftp_directory: ./logs/
ftp_interval: 30
injected_process: explorer.exe
install_dir: SkypeUpdate
install_file: Skype.exe
install_flag: false
keylogger_enable_ftp: false
message_box_caption: Remote Administration anywhere in the world.
message_box_title: CyberGate
password: 12345
regkey_hkcu: Adobefinder
Targets

Target: d08eee4f0003e97926964fc8ae161b578fbc6e2367dcdc96dc38635c87004953 (hashes and size as listed under General)

Signatures:
- Executes dropped EXE
- Modifies Windows Firewall
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- AutoIT Executable: AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext