General
-
Target
fc790cea14d04d9090ab085b585a8017ad469ebbce5c9d29c8d877ccf9e3efbf
-
Size
61KB
-
Sample
220612-mb62vsggbp
-
MD5
bb2de5629dfeb812b45fb00a6fbadf4e
-
SHA1
e3a3642264eae88eba72c67933057f2dfc2dd2b6
-
SHA256
fc790cea14d04d9090ab085b585a8017ad469ebbce5c9d29c8d877ccf9e3efbf
-
SHA512
3d3a250e9c6ca842daf90d9b666796dc7e8cebce83ed3ab972db052f60fc70418c7aa3f45f45b0ab61f63e7621d147620f20734bc8556e6d614c49abb7eba28d
Static task
static1
Behavioral task
behavioral1
Sample
fc790cea14d04d9090ab085b585a8017ad469ebbce5c9d29c8d877ccf9e3efbf.exe
Resource
win7-20220414-en
Malware Config
Extracted
limerat
1d15EibWVaZg8KADH1wR5phqhtyhbbdCc
-
aes_key
batata1
-
antivm
true
-
c2_url
https://pastebin.com/raw/hqkeiAWx
-
delay
3
-
download_payload
false
-
install
true
-
install_name
twvrsvc.exe
-
main_folder
AppData
-
pin_spread
false
-
sub_folder
\TeamViewer\
-
usb_spread
true
Targets
-
-
Target
fc790cea14d04d9090ab085b585a8017ad469ebbce5c9d29c8d877ccf9e3efbf
-
Size
61KB
-
MD5
bb2de5629dfeb812b45fb00a6fbadf4e
-
SHA1
e3a3642264eae88eba72c67933057f2dfc2dd2b6
-
SHA256
fc790cea14d04d9090ab085b585a8017ad469ebbce5c9d29c8d877ccf9e3efbf
-
SHA512
3d3a250e9c6ca842daf90d9b666796dc7e8cebce83ed3ab972db052f60fc70418c7aa3f45f45b0ab61f63e7621d147620f20734bc8556e6d614c49abb7eba28d
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-