Analysis Overview
SHA256
2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0
Threat Level: Known bad
The file 2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0 was found to be: Known bad.
Malicious Activity Summary
LimeRAT
Obfuscated with Agile.Net obfuscator
Checks computer location settings
Drops startup file
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-14 19:25
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-14 19:25
Reported
2022-06-14 19:30
Platform
win7-20220414-en
Max time kernel
151s
Max time network
154s
Command Line
Signatures
LimeRAT
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbs.Lnk | C:\Windows\SysWOW64\cscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1948 set thread context of 848 | N/A | C:\Users\Admin\AppData\Local\Temp\2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0.exe
"C:\Users\Admin\AppData\Local\Temp\2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0.exe"
C:\Windows\SysWOW64\cscript.exe
"C:\Windows\System32\cscript.exe" //B //Nologo C:\Users\Admin\vbs.vbs
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
Files
memory/1948-54-0x0000000000AA0000-0x0000000000B16000-memory.dmp
memory/1948-55-0x0000000000260000-0x0000000000268000-memory.dmp
memory/1948-56-0x0000000000380000-0x00000000003BC000-memory.dmp
memory/1948-57-0x00000000004C0000-0x00000000004CC000-memory.dmp
memory/1948-58-0x0000000076571000-0x0000000076573000-memory.dmp
memory/1272-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\vbs.vbs
| MD5 | a9703feb1c3adc25c4e812df1df7ff1e |
| SHA1 | 6429661404d3650b6fca9846152748514e276289 |
| SHA256 | f6e103dedea3a03db42be498cff0a4531a202d825a16032c6ae09eb97e8d4e24 |
| SHA512 | 6c59bb41dc98b88178add205a186b5131160a33797db9cbcebb6fe01a6fcdbf4fcbdff24ec1a384ede5bf2f51235965b37c717bd9fd340bf1d5fce1bca46c332 |
C:\Users\Admin\vbs.exe
| MD5 | 3433fb4e419c5d31ba3c6ef1777e2d85 |
| SHA1 | 996ef3a328b90bb6ec3f33c792f6591f7bbdb3b6 |
| SHA256 | 2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0 |
| SHA512 | 06008f704d18eae1cf4f289c2776d0ec27dd56a30fcf2033660d348af50acbf7d670a024f34e385f88c29b8434caad8a6b092cbeaab1ae6f3e46d5486aef0184 |
\Users\Admin\vbs.exe
| MD5 | 3433fb4e419c5d31ba3c6ef1777e2d85 |
| SHA1 | 996ef3a328b90bb6ec3f33c792f6591f7bbdb3b6 |
| SHA256 | 2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0 |
| SHA512 | 06008f704d18eae1cf4f289c2776d0ec27dd56a30fcf2033660d348af50acbf7d670a024f34e385f88c29b8434caad8a6b092cbeaab1ae6f3e46d5486aef0184 |
memory/848-64-0x0000000000408C6E-mapping.dmp
memory/1948-65-0x0000000000610000-0x0000000000613000-memory.dmp
memory/848-67-0x00000000746A0000-0x0000000074C4B000-memory.dmp
memory/848-68-0x00000000746A0000-0x0000000074C4B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-14 19:25
Reported
2022-06-14 19:30
Platform
win10v2004-20220414-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
LimeRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbs.Lnk | C:\Windows\SysWOW64\cscript.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2328 set thread context of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe |
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0.exe
"C:\Users\Admin\AppData\Local\Temp\2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0.exe"
C:\Windows\SysWOW64\cscript.exe
"C:\Windows\System32\cscript.exe" //B //Nologo C:\Users\Admin\vbs.vbs
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 13.107.21.200:443 | tcp | |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| NL | 8.238.23.254:80 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 20.189.173.6:443 | tcp | |
| NL | 8.238.23.254:80 | tcp | |
| NL | 8.238.23.254:80 | tcp | |
| NL | 8.238.23.254:80 | tcp | |
| US | 52.152.110.14:443 | tcp |
Files
memory/2328-131-0x00000000007F0000-0x0000000000866000-memory.dmp
memory/4128-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\vbs.vbs
| MD5 | a9703feb1c3adc25c4e812df1df7ff1e |
| SHA1 | 6429661404d3650b6fca9846152748514e276289 |
| SHA256 | f6e103dedea3a03db42be498cff0a4531a202d825a16032c6ae09eb97e8d4e24 |
| SHA512 | 6c59bb41dc98b88178add205a186b5131160a33797db9cbcebb6fe01a6fcdbf4fcbdff24ec1a384ede5bf2f51235965b37c717bd9fd340bf1d5fce1bca46c332 |
C:\Users\Admin\vbs.exe
| MD5 | 3433fb4e419c5d31ba3c6ef1777e2d85 |
| SHA1 | 996ef3a328b90bb6ec3f33c792f6591f7bbdb3b6 |
| SHA256 | 2d710e99a83080c4ec8e6b4c34d8330ff4459ed211b142a0bb427a92942f22d0 |
| SHA512 | 06008f704d18eae1cf4f289c2776d0ec27dd56a30fcf2033660d348af50acbf7d670a024f34e385f88c29b8434caad8a6b092cbeaab1ae6f3e46d5486aef0184 |
memory/1420-135-0x0000000000000000-mapping.dmp
memory/2328-136-0x000000000A800000-0x000000000A803000-memory.dmp
memory/1420-137-0x0000000074760000-0x0000000074D11000-memory.dmp
memory/1420-138-0x0000000074760000-0x0000000074D11000-memory.dmp