General

  • Target

    20e5879450485048a3a74c4e8f261012e04a0ad7bafb93e4eadd6481495021a3

  • Size

    1.4MB

  • Sample

    220612-mcdrpsggcn

  • MD5

    07fc59b1e126ce76fdba75b71cde55f0

  • SHA1

    732dccd9d953ba6c82ed3dc7b1723e25e4d87f3a

  • SHA256

    20e5879450485048a3a74c4e8f261012e04a0ad7bafb93e4eadd6481495021a3

  • SHA512

    ec5aa7448e4e81e930f286eb97a04d370903a4a78420ec8c7c93d24360e946aed78cbc1d86dfb07e92f02f0e3b03b9a0b6bb04374fef2d83665ed1f48e73c1eb

Score
10/10

Malware Config

Extracted

Family

limerat

Wallets

1d15EibWVaZg8KADH1wR5phqhtyhbbdCc

Attributes
  • aes_key

    batata1

  • antivm

    true

  • c2_url

    https://pastebin.com/raw/hqkeiAWx

  • delay

    3

  • download_payload

    false

  • install

    true

  • install_name

    twvrsvc.exe

  • main_folder

    AppData

  • pin_spread

    false

  • sub_folder

    \TeamViewer\

  • usb_spread

    true

Targets

    • Target

      Orion Keylogger 2.1 crcked/961API.dll

    • Size

      18KB

    • MD5

      5f02810707b72bac26cf2b0da83e0335

    • SHA1

      76410d5b3057ff11865b0fc723df2ca543b3bd86

    • SHA256

      4faa5cbe75f96afb5dbbde84c0e5011f0d1f9c06240fb0361a185921b1676e31

    • SHA512

      c44683b3e29fecc807ce28ca6bc9468ff4f6e6c827b5fabfde5c67f708cd997d5fa1004759bece41b441de40a8022611b4c56e0a688eb3a9bf125b6b920b9d1e

    Score
    1/10

    • Target

      Orion Keylogger 2.1 crcked/Booya Theme.dll

    • Size

      211KB

    • MD5

      1230bb7cc6a5979af5bfa54b3cbf3c05

    • SHA1

      172e6e8f392ba8593f9553eaa9be3617e878de55

    • SHA256

      1f6d1f6ea18fa5d477ac6bfe7f4aa32eff97f788d02ef02d2698502099a7eac8

    • SHA512

      f85c630c888e51c434b40fdf3d7ed304a946db3b6618387025984068bc17d5741f57f443b48263fad3fcedfa48377c31a84c90db786b3d7b43d2735765c85770

    Score
    1/10

    • Target

      Orion Keylogger 2.1 crcked/Cure Tool.exe

    • Size

      61KB

    • MD5

      bb2de5629dfeb812b45fb00a6fbadf4e

    • SHA1

      e3a3642264eae88eba72c67933057f2dfc2dd2b6

    • SHA256

      fc790cea14d04d9090ab085b585a8017ad469ebbce5c9d29c8d877ccf9e3efbf

    • SHA512

      3d3a250e9c6ca842daf90d9b666796dc7e8cebce83ed3ab972db052f60fc70418c7aa3f45f45b0ab61f63e7621d147620f20734bc8556e6d614c49abb7eba28d

    Score
    10/10

    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Target

      Orion Keylogger 2.1 crcked/KeikoObfuscator.dll

    • Size

      25KB

    • MD5

      4c3c8964a7da9778ce4a43edc1598d90

    • SHA1

      e731ad6b55d0e795f18170e76bc48307d4d11e0e

    • SHA256

      88278312b79d042f340814ec031f83b3b50c76bef62d2de376f581205956a509

    • SHA512

      528be968faedd8c5628a7e73d448c32456afece374abea0c01a835a8c0058ccebb38735d05d7458287593716569bfecefa51a06215f8d182b28cf89f2a1cc7e3

    Score
    1/10

    • Target

      Orion Keylogger 2.1 crcked/MintUI.dll

    • Size

      86KB

    • MD5

      a9c6542147b7ade88d6fdc6529819a86

    • SHA1

      e73959bbfd70be8d416bf935de15a2b77bf5bbb0

    • SHA256

      ca8b786eca2ffbfd5567c3be3084d0d54df27dad26181719ce4dbbfb659fb75e

    • SHA512

      797cfa555727f921f9e6f3337a4dcd75368b01d00bdc157039e9c66483f69bb2177ae754a9f22a71ef7f4fe78c8f3b2adc92df4f01cc6a7ce753a51d82b7ae17

    Score
    1/10

    • Target

      Orion Keylogger 2.1 crcked/Mono.Cecil.dll

    • Size

      301KB

    • MD5

      a9c1eea90bca2e1971fba535e1916e5d

    • SHA1

      51a49d36c3373c9236adb1900745cd66894d14a1

    • SHA256

      659e04c5dd62888b6ed6fe8413b9d2d55dece0e6e4964929e661372a3d9b2538

    • SHA512

      1144a1246d734e7143eac1ef1be95b43ab8f031865236d317f28ce35e73552be43c871bd912d24c58a42fecf0821aad4e33198b2f1ce8db734460a8f7c384749

    Score
    1/10

    • Target

      Orion Keylogger 2.1 crcked/Newtonsoft.Json.dll

    • Size

      638KB

    • MD5

      f33cbe589b769956284868104686cc2d

    • SHA1

      2fb0be100de03680fc4309c9fa5a29e69397a980

    • SHA256

      973fd70ce48e5ac433a101b42871680c51e2feba2aeec3d400dea4115af3a278

    • SHA512

      ffd65f6487bc71c967abcf90a666080c67b8db010d5282d2060c9d87a9828519a14f5d3a6fe76d81e1d3251c2104a2e9e6186af0effd5f331b1342682811ebf4

    Score
    1/10

    • Target

      Orion Keylogger 2.1 crcked/Orion Keylogger2.exe

    • Size

      1.1MB

    • MD5

      b833cebbda9fdf4dbf8db5f3e91eb506

    • SHA1

      80ec01247220a5008ce51e3403d86910d8cfd258

    • SHA256

      7e58e0627e7359aaf2dcae8bcc821a83c97c7c560c539c1c8f186bdff67d6bfb

    • SHA512

      3efeebd5eb00936fe9114307f205dad8f64bc840a529441abc32c4c6d20a80dea9c9e5c3aaa72ecc358425565fe8b7cd61239397e4c2cc58c68a9e1b6d55818c

    Score
    1/10

    • Target

      Orion Keylogger 2.1 crcked/Ranger.BrowserLogging.dll

    • Size

      264KB

    • MD5

      e38908149f2825b604f7d8f2d91194ca

    • SHA1

      ef33fce1e15fae423e0baf8ca1e331b691da794b

    • SHA256

      71caaaaa2cd513485f1d5901090ef022c943185f9f53713123af9c6c5f24a22d

    • SHA512

      6b4061cdae7522ae2bdaecdd9ca596972bbf7e728de0082804cd35939a15d014fafd52d8860e9d1108c8ea30209028e32734e22a3eabc4ff88466956c2fcc735

    Score
    1/10

    • Target

      Orion Keylogger 2.1 crcked/RedPandaUI.dll

    • Size

      36KB

    • MD5

      8346fde589de3ceeeaab8f8100b3928f

    • SHA1

      4140a38bc0c1c459128076a59c2d52ae400cf954

    • SHA256

      136b11772e6b27cb85f0199316961767f10ea8a4f8095b9568919384b9ff8f07

    • SHA512

      73f6503261b4e640343a39d1d800890b1a47ba434b6387a329f0b217ac7c900e73bee4640508c86c888a903c665e8be92bdda627248fb909859b67f01b25df54

    Score
    1/10

    • Target

      Orion Keylogger 2.1 crcked/ranger.browserlogging.vault.dll

    • Size

      197KB

    • MD5

      203a65f044e610957503bef112566e87

    • SHA1

      8786f041ae5cb0a0180b2f069675a9e3c11aaba0

    • SHA256

      4d8fd614baa65b40ead4225faff90a38d5a0f7fdb166abb09778b5255c8576b4

    • SHA512

      39bde611a8cfe0332938134d190cb424e20546936dee6185edaaad63b5618b686c81d04f20bade36fae7ff8fdcce4e2a911934f29bb661e0654a09fefc193065

    Score
    3/10

MITRE ATT&CK Enterprise v6

Tasks