General

  • Target

    158bfb443a9ce4a699f2943c31ddab445147f49cd8459269e20c2a0a2f4c6e9c

  • Size

    595KB

  • Sample

    220609-hjng9sdcg8

  • MD5

    36a64e97c0958e5a5497d2b2201ca47b

  • SHA1

    926358ae52ace4b717122d799ee3b2ad31cefaf6

  • SHA256

    158bfb443a9ce4a699f2943c31ddab445147f49cd8459269e20c2a0a2f4c6e9c

  • SHA512

    e1b4d339947f743d5c45566c14be293fd6c427ba0ed9c4ad3e7f275e31e58e9bfd06b442b9d6009b745e0c91d91dee4e8b83280ee68f102b3d7fc74bf3b9dda2

Score
10/10

Malware Config

Extracted

Family

limerat

Wallets

359Z6KxMenwvgkA7vpGeBtinJPTj5raZz8

Attributes

  • aes_key

    arglobal

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/CV5RHE9G

  • delay

    3

  • download_payload

    true

  • install

    false

  • install_name

    Wservices.exe

  • main_folder

    AppData

  • payload_url

    http://23.249.161.100/zaher/zahr.exe

  • pin_spread

    false

  • sub_folder

    \vbc\

  • usb_spread

    false

Targets

    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Drops startup file

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks