General

  • Target

    6ef26da1b60b7ded9865e30a03062796.exe

  • Size

    268KB

  • Sample

    220608-wdevtsabgk

  • MD5

    6ef26da1b60b7ded9865e30a03062796

  • SHA1

    69022e9ac2104e3d0d61d916e485b39e0fdf9868

  • SHA256

    eb2ecf4e69565b73a8d8e0e482720d4cd53da84a12a4bbc3614ae8a140e9cec4

  • SHA512

    d22477daf5597d2c7d5e5432a29393eb1e1ccaf5f1f30dd39e910552cdd65dde206121dc0ad42c58f71c74975d66c3b48335a5e5963529110eed8c6d7e184bb5

Score
10/10

Malware Config

Extracted

Family

limerat

Attributes
  • aes_key

    Admin

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/FkvEmWML

  • delay

    3

  • download_payload

    false

  • install

    true

  • install_name

    svhost.exe

  • main_folder

    UserProfile

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    true

Targets

    • Target

      6ef26da1b60b7ded9865e30a03062796.exe

    • Size

      268KB

    • MD5

      6ef26da1b60b7ded9865e30a03062796

    • SHA1

      69022e9ac2104e3d0d61d916e485b39e0fdf9868

    • SHA256

      eb2ecf4e69565b73a8d8e0e482720d4cd53da84a12a4bbc3614ae8a140e9cec4

    • SHA512

      d22477daf5597d2c7d5e5432a29393eb1e1ccaf5f1f30dd39e910552cdd65dde206121dc0ad42c58f71c74975d66c3b48335a5e5963529110eed8c6d7e184bb5

    Score
    10/10
    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks