Analysis Overview
SHA256
158bfb443a9ce4a699f2943c31ddab445147f49cd8459269e20c2a0a2f4c6e9c
Threat Level: Known bad
The file 158bfb443a9ce4a699f2943c31ddab445147f49cd8459269e20c2a0a2f4c6e9c was found to be: Known bad.
Malicious Activity Summary
LimeRAT
Drops startup file
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-09 06:46
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-09 06:46
Reported
2022-06-09 12:04
Platform
win7-20220414-en
Max time kernel
151s
Max time network
155s
Command Line
Signatures
LimeRAT
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.url | C:\Users\Admin\AppData\Local\Temp\158bfb443a9ce4a699f2943c31ddab445147f49cd8459269e20c2a0a2f4c6e9c.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2036 set thread context of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\158bfb443a9ce4a699f2943c31ddab445147f49cd8459269e20c2a0a2f4c6e9c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\158bfb443a9ce4a699f2943c31ddab445147f49cd8459269e20c2a0a2f4c6e9c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\158bfb443a9ce4a699f2943c31ddab445147f49cd8459269e20c2a0a2f4c6e9c.exe
"C:\Users\Admin\AppData\Local\Temp\158bfb443a9ce4a699f2943c31ddab445147f49cd8459269e20c2a0a2f4c6e9c.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| CA | 23.249.161.100:80 | tcp |
Files
memory/2036-54-0x0000000000820000-0x00000000008BC000-memory.dmp
memory/2036-55-0x00000000021C0000-0x0000000002244000-memory.dmp
memory/2036-56-0x0000000000590000-0x00000000005C2000-memory.dmp
memory/2036-57-0x0000000000530000-0x0000000000556000-memory.dmp
memory/2036-58-0x0000000075C01000-0x0000000075C03000-memory.dmp
memory/2036-59-0x0000000000780000-0x000000000078C000-memory.dmp
memory/1944-60-0x0000000000400000-0x000000000040C000-memory.dmp
memory/1944-61-0x0000000000400000-0x000000000040C000-memory.dmp
memory/1944-63-0x0000000000400000-0x000000000040C000-memory.dmp
memory/1944-64-0x0000000000400000-0x000000000040C000-memory.dmp
memory/1944-65-0x0000000000408CDE-mapping.dmp
memory/1944-67-0x0000000000400000-0x000000000040C000-memory.dmp
memory/1944-69-0x0000000000400000-0x000000000040C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-09 06:46
Reported
2022-06-09 12:04
Platform
win10v2004-20220414-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
LimeRAT
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.url | C:\Users\Admin\AppData\Local\Temp\158bfb443a9ce4a699f2943c31ddab445147f49cd8459269e20c2a0a2f4c6e9c.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1708 set thread context of 4464 | N/A | C:\Users\Admin\AppData\Local\Temp\158bfb443a9ce4a699f2943c31ddab445147f49cd8459269e20c2a0a2f4c6e9c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\158bfb443a9ce4a699f2943c31ddab445147f49cd8459269e20c2a0a2f4c6e9c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\158bfb443a9ce4a699f2943c31ddab445147f49cd8459269e20c2a0a2f4c6e9c.exe
"C:\Users\Admin\AppData\Local\Temp\158bfb443a9ce4a699f2943c31ddab445147f49cd8459269e20c2a0a2f4c6e9c.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 8.238.23.254:80 | tcp | |
| US | 13.107.21.200:443 | tcp | |
| CA | 23.249.161.100:80 | tcp | |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| NL | 8.238.23.254:80 | tcp | |
| US | 20.189.173.6:443 | tcp | |
| NL | 8.238.23.254:80 | tcp | |
| NL | 8.238.23.254:80 | tcp | |
| NL | 8.238.23.254:80 | tcp |
Files
memory/1708-130-0x00000000000B0000-0x000000000014C000-memory.dmp
memory/1708-131-0x0000000004C40000-0x0000000004CDC000-memory.dmp
memory/4464-132-0x0000000000000000-mapping.dmp
memory/4464-133-0x0000000000400000-0x000000000040C000-memory.dmp
memory/4464-134-0x0000000004DF0000-0x0000000004E56000-memory.dmp
memory/4464-135-0x0000000005A00000-0x0000000005FA4000-memory.dmp
memory/4464-136-0x0000000006050000-0x00000000060E2000-memory.dmp