General

  • Target

    151f926c9c343e82fbe5b92a3d33997a3ed92f3d71b7e18665c4cdfdde47e992

  • Size

    221KB

  • Sample

    220609-j9yatscehn

  • MD5

    5c6cf3b4fb665a40ca0ad6d282dac06f

  • SHA1

    8e28d1d028e895d48010b2294add08bf10f2f808

  • SHA256

    151f926c9c343e82fbe5b92a3d33997a3ed92f3d71b7e18665c4cdfdde47e992

  • SHA512

    37a9c7059f96dcfb7de29e98de0ee149d07738577800d9f71467dbd1faf09dfecc4a07cc6d76b688c15751b587bf1efc31e0934db0e313ed4df87b08e9ce6baa

Score
10/10

Malware Config

Extracted

Family

limerat

Attributes

  • aes_key

    Admin

  • antivm

    true

  • c2_url

    https://pastebin.com/raw/jh5drnd9

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Wservices.exe

  • main_folder

    Temp

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    false

Targets

    • Target

      151f926c9c343e82fbe5b92a3d33997a3ed92f3d71b7e18665c4cdfdde47e992

    • Size

      221KB

    • MD5

      5c6cf3b4fb665a40ca0ad6d282dac06f

    • SHA1

      8e28d1d028e895d48010b2294add08bf10f2f808

    • SHA256

      151f926c9c343e82fbe5b92a3d33997a3ed92f3d71b7e18665c4cdfdde47e992

    • SHA512

      37a9c7059f96dcfb7de29e98de0ee149d07738577800d9f71467dbd1faf09dfecc4a07cc6d76b688c15751b587bf1efc31e0934db0e313ed4df87b08e9ce6baa

    Score
    10/10

    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Drops startup file

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks