Malware Analysis Report

2024-11-16 13:09

Sample ID 220614-x48q9sdee5
Target 2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0
SHA256 2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0
Tags limerat agilenet rat
Score 10/10

Analysis Overview

Score 10/10

SHA256 2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0

Threat Level: Known bad

The file 2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0 was found to be: Known bad.

Malicious Activity Summary

limerat agilenet rat

LimeRAT

Obfuscated with Agile.Net obfuscator

Checks computer location settings

Drops startup file

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2022-06-14 19:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2022-06-14 19:25
Reported 2022-06-14 19:30
Platform win7-20220414-en
Max time kernel 151s
Max time network 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0.exe"

Signatures

LimeRAT

rat limerat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbs.Lnk C:\Windows\SysWOW64\cscript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cscript.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1948 set thread context of 848 N/A C:\Users\Admin\AppData\Local\Temp\2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1948 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0.exe C:\Windows\SysWOW64\cscript.exe
PID 1948 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0.exe C:\Windows\SysWOW64\cscript.exe
PID 1948 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0.exe C:\Windows\SysWOW64\cscript.exe
PID 1948 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0.exe C:\Windows\SysWOW64\cscript.exe
PID 1948 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1948 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1948 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1948 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1948 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1948 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1948 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 1948 wrote to memory of 848 N/A C:\Users\Admin\AppData\Local\Temp\2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0.exe

"C:\Users\Admin\AppData\Local\Temp\2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0.exe"

C:\Windows\SysWOW64\cscript.exe

"C:\Windows\System32\cscript.exe" //B //Nologo C:\Users\Admin\vbs.vbs

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:443 pastebin.com tcp

Files

memory/1948-54-0x0000000000AA0000-0x0000000000B16000-memory.dmp

memory/1948-55-0x0000000000260000-0x0000000000268000-memory.dmp

memory/1948-56-0x0000000000380000-0x00000000003BC000-memory.dmp

memory/1948-57-0x00000000004C0000-0x00000000004CC000-memory.dmp

memory/1948-58-0x0000000076571000-0x0000000076573000-memory.dmp

memory/1272-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\vbs.vbs

MD5 a9703feb1c3adc25c4e812df1df7ff1e
SHA1 6429661404d3650b6fca9846152748514e276289
SHA256 f6e103dedea3a03db42be498cff0a4531a202d825a16032c6ae09eb97e8d4e24
SHA512 6c59bb41dc98b88178add205a186b5131160a33797db9cbcebb6fe01a6fcdbf4fcbdff24ec1a384ede5bf2f51235965b37c717bd9fd340bf1d5fce1bca46c332

C:\Users\Admin\vbs.exe

MD5 3433fb4e419c5d31ba3c6ef1777e2d85
SHA1 996ef3a328b90bb6ec3f33c792f6591f7bbdb3b6
SHA256 2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0
SHA512 06008f704d18eae1cf4f289c2776d0ec27dd56a30fcf2033660d348af50acbf7d670a024f34e385f88c29b8434caad8a6b092cbeaab1ae6f3e46d5486aef0184

\Users\Admin\vbs.exe

MD5 3433fb4e419c5d31ba3c6ef1777e2d85
SHA1 996ef3a328b90bb6ec3f33c792f6591f7bbdb3b6
SHA256 2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0
SHA512 06008f704d18eae1cf4f289c2776d0ec27dd56a30fcf2033660d348af50acbf7d670a024f34e385f88c29b8434caad8a6b092cbeaab1ae6f3e46d5486aef0184

memory/848-64-0x0000000000408C6E-mapping.dmp

memory/1948-65-0x0000000000610000-0x0000000000613000-memory.dmp

memory/848-67-0x00000000746A0000-0x0000000074C4B000-memory.dmp

memory/848-68-0x00000000746A0000-0x0000000074C4B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2022-06-14 19:25
Reported 2022-06-14 19:30
Platform win10v2004-20220414-en
Max time kernel 148s
Max time network 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0.exe"

Signatures

LimeRAT

rat limerat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbs.Lnk C:\Windows\SysWOW64\cscript.exe N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2328 set thread context of 1420 N/A C:\Users\Admin\AppData\Local\Temp\2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0.exe

"C:\Users\Admin\AppData\Local\Temp\2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0.exe"

C:\Windows\SysWOW64\cscript.exe

"C:\Windows\System32\cscript.exe" //B //Nologo C:\Users\Admin\vbs.vbs

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

Network

Country Destination Domain Proto
US 13.107.21.200:443 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
NL 8.238.23.254:80 tcp
US 52.152.110.14:443 tcp
US 20.189.173.6:443 tcp
NL 8.238.23.254:80 tcp
NL 8.238.23.254:80 tcp
NL 8.238.23.254:80 tcp
US 52.152.110.14:443 tcp

Files

memory/2328-131-0x00000000007F0000-0x0000000000866000-memory.dmp

memory/4128-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\vbs.vbs

MD5 a9703feb1c3adc25c4e812df1df7ff1e
SHA1 6429661404d3650b6fca9846152748514e276289
SHA256 f6e103dedea3a03db42be498cff0a4531a202d825a16032c6ae09eb97e8d4e24
SHA512 6c59bb41dc98b88178add205a186b5131160a33797db9cbcebb6fe01a6fcdbf4fcbdff24ec1a384ede5bf2f51235965b37c717bd9fd340bf1d5fce1bca46c332

C:\Users\Admin\vbs.exe

MD5 3433fb4e419c5d31ba3c6ef1777e2d85
SHA1 996ef3a328b90bb6ec3f33c792f6591f7bbdb3b6
SHA256 2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0
SHA512 06008f704d18eae1cf4f289c2776d0ec27dd56a30fcf2033660d348af50acbf7d670a024f34e385f88c29b8434caad8a6b092cbeaab1ae6f3e46d5486aef0184

memory/1420-135-0x0000000000000000-mapping.dmp

memory/2328-136-0x000000000A800000-0x000000000A803000-memory.dmp

memory/1420-137-0x0000000074760000-0x0000000074D11000-memory.dmp

memory/1420-138-0x0000000074760000-0x0000000074D11000-memory.dmp