General

  • Target

    d08eee4f0003e97926964fc8ae161b578fbc6e2367dcdc96dc38635c87004953

  • Size

    7.7MB

  • Sample

    220604-w7p8nafafp

  • MD5

    e0fbfe477ea9736b977e435af868c5af

  • SHA1

    9e4076c8eaaa3c9f9b45438aee7cb499af7c57df

  • SHA256

    d08eee4f0003e97926964fc8ae161b578fbc6e2367dcdc96dc38635c87004953

  • SHA512

    d6e12913a34ce0940eb020b2b77dee1bf681587e1ef6832f2c4c00e4e0d334d44502d1d77781b21e94082a4f7471abe4c6931db1168b81ffd7c9ab3535e46962

Malware Config

Extracted

Family

limerat

Wallets

1JBKLGyE6AnRGvk92A8x3m8qmXfh3fcEty

Attributes
  • aes_key

    xdolphins

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/eZc9Bibi

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Windows10.exe

  • main_folder

    Temp

  • pin_spread

    true

  • sub_folder

    \wind10\

  • usb_spread

    true

Extracted

Family

njrat

Version

0.7d

Botnet

dynu

C2

houdinicasa.mywire.org:5553

Mutex

8ddba2dd825a33df9c4d0997a7ba9033

Attributes
  • reg_key

    8ddba2dd825a33df9c4d0997a7ba9033

  • splitter

    |'|'|

Extracted

Family

cybergate

Version

v1.05.1

Botnet

cactus

C2

todoaqui.duckdns.org:1978

guarderia1.mywire.org:1554

prueba2.hopto.org:1553

Mutex

J6DSA521SHC5O5

Attributes
  • enable_keylogger

    true

  • enable_message_box

    false

  • ftp_directory

    ./logs/

  • ftp_interval

    30

  • injected_process

    explorer.exe

  • install_dir

    SkypeUpdate

  • install_file

    Skype.exe

  • install_flag

    false

  • keylogger_enable_ftp

    false

  • message_box_caption

    Remote Administration anywhere in the world.

  • message_box_title

    CyberGate

  • password

    12345

  • regkey_hkcu

    Adobefinder

Targets

    • Target

      d08eee4f0003e97926964fc8ae161b578fbc6e2367dcdc96dc38635c87004953

    • Size

      7.7MB

    • MD5

      e0fbfe477ea9736b977e435af868c5af

    • SHA1

      9e4076c8eaaa3c9f9b45438aee7cb499af7c57df

    • SHA256

      d08eee4f0003e97926964fc8ae161b578fbc6e2367dcdc96dc38635c87004953

    • SHA512

      d6e12913a34ce0940eb020b2b77dee1bf681587e1ef6832f2c4c00e4e0d334d44502d1d77781b21e94082a4f7471abe4c6931db1168b81ffd7c9ab3535e46962

    • CyberGate, Rebhip

      CyberGate is a lightweight remote administration tool with a wide array of functionalities.

    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Executes dropped EXE

    • Modifies Windows Firewall

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks