limerat

General

Target

2877bf056524695a30300cc6f5469202538727e8003ea14e8d13480a59600171
Size

7.4MB
Sample

220624-2l3jrafghr
MD5

4ad1b0398bc3a371a82923383de2d0a4
SHA1

9f977029800b4328dc752741156a6a0e5f6fa109
SHA256

2877bf056524695a30300cc6f5469202538727e8003ea14e8d13480a59600171
SHA512

469300fef819aebfe9dbeacf05f60eb509e31abaef0f596575107c69fbe56f0a95ac92135256e98c21c2e2c027fe2d12e1a5d8c402b59a758fea42fba671618b

Score

10^/10

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

seasons444.ddns.net:8128

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
window
keylog_path
%AppData%
mouse_option
false
mutex
Office_vgqkluqlnw
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Extracted

Family

limerat

Wallets

1BVfdhbuDbDuMXWErhTv8XwgwYP1K34oTD

Attributes

aes_key
MAXS20
antivm
false
c2_url
https://pastebin.com/raw/vnPLhhBH
delay
3
download_payload
false
install
false
install_name
Wservices.exe
main_folder
AppData
pin_spread
false
sub_folder
\
usb_spread
false

Extracted

Family

warzonerat

C2

cornerload.dynu.net:5500

Targets

- Target
  
  2877bf056524695a30300cc6f5469202538727e8003ea14e8d13480a59600171
- Size
  
  7.4MB
- MD5
  
  4ad1b0398bc3a371a82923383de2d0a4
- SHA1
  
  9f977029800b4328dc752741156a6a0e5f6fa109
- SHA256
  
  2877bf056524695a30300cc6f5469202538727e8003ea14e8d13480a59600171
- SHA512
  
  469300fef819aebfe9dbeacf05f60eb509e31abaef0f596575107c69fbe56f0a95ac92135256e98c21c2e2c027fe2d12e1a5d8c402b59a758fea42fba671618b
Score

10^/10

limerat remcos sality warzonerat host backdoor evasion infostealer rat trojan upx
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Modifies firewall policy service
  evasion
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Sality
  Sality is backdoor written in C++, first discovered in 2003.
  backdoor sality
- UAC bypass
  evasion trojan
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Windows security bypass
  evasion trojan
- Warzone RAT Payload
  rat
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Suspicious use of SetThreadContext
behavioral1 behavioral2