General

  • Target

    15f4b6929cbee254d6c0e3c01ef9fea87429672c69f3d3cd7b5e660cba803417

  • Size

    1011KB

  • Sample

    220609-f4e1hsada8

  • MD5

    21f454b4d56bee3c48b258523e2070ab

  • SHA1

    954babe6641fcc124a7ad1260c41dda0b48fee18

  • SHA256

    15f4b6929cbee254d6c0e3c01ef9fea87429672c69f3d3cd7b5e660cba803417

  • SHA512

    ac93e9cd32c5f1b67f4be0452896ca2066b826a58041553b1a849087d77aed3d75bd7f8175aeec94bfd465921e8dd6bf5a42ded086b8e328d197fa5df4f5a0a8

Score
10/10

Malware Config

Extracted

Family

limerat

Wallets

1JBKLGyE6AnRGvk92A8x3m8qmXfh3fcEty

Attributes
  • aes_key

    nulled

  • antivm

    true

  • c2_url

    https://pastebin.com/raw/cXuQ0V20

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Winservices.exe

  • main_folder

    AppData

  • pin_spread

    false

  • sub_folder

    \Services\

  • usb_spread

    true

Targets

    • Target

      15f4b6929cbee254d6c0e3c01ef9fea87429672c69f3d3cd7b5e660cba803417

    • Size

      1011KB

    • MD5

      21f454b4d56bee3c48b258523e2070ab

    • SHA1

      954babe6641fcc124a7ad1260c41dda0b48fee18

    • SHA256

      15f4b6929cbee254d6c0e3c01ef9fea87429672c69f3d3cd7b5e660cba803417

    • SHA512

      ac93e9cd32c5f1b67f4be0452896ca2066b826a58041553b1a849087d77aed3d75bd7f8175aeec94bfd465921e8dd6bf5a42ded086b8e328d197fa5df4f5a0a8

    Score
    10/10
    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Drops startup file

    • Legitimate hosting services abused for malware hosting/C2

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks