General

  • Target

    160054467ff97cc397fce9eddc6ce8a27d24320d45ccb3a8c8ba2a28ccbc6b79

  • Size

    528KB

  • Sample

    220609-fx5ycsaae5

  • MD5

    843cf9b98774aa08fbedf337a701b330

  • SHA1

    38fff437be1ea45bc006c5f4c9494fc569ea0c85

  • SHA256

    160054467ff97cc397fce9eddc6ce8a27d24320d45ccb3a8c8ba2a28ccbc6b79

  • SHA512

    ff06a25534bc47df4ce01213fd28322897fd60df5ee9cf7347bf86df4d520283f098e39e9a76dd190c3d2a04d10d1d9561c5349d7d13c738ab824c1778ec12ab

Score
10/10

Malware Config

Extracted

Family

limerat

Attributes

  • aes_key

    dango123

  • antivm

    false

  • c2_url

    http://pastebin.com/raw/fNC8bGwb

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    app.exe

  • main_folder

    AppData

  • pin_spread

    false

  • sub_folder

    \app\

  • usb_spread

    true

Targets

    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Legitimate hosting services abused for malware hosting/C2

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext
