General

  • Target

    2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0

  • Size

    452KB

  • Sample

    220614-x48q9sdee5

  • MD5

    3433fb4e419c5d31ba3c6ef1777e2d85

  • SHA1

    996ef3a328b90bb6ec3f33c792f6591f7bbdb3b6

  • SHA256

    2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0

  • SHA512

    06008f704d18eae1cf4f289c2776d0ec27dd56a30fcf2033660d348af50acbf7d670a024f34e385f88c29b8434caad8a6b092cbeaab1ae6f3e46d5486aef0184

Score
10/10

Targets

    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext
