Analysis Overview
SHA256
999e8466a0d2f8e3650f0cd45e11e5601068569bd4e912b057634a21e590051c
Threat Level: Known bad
The file New-Client.bin was found to be: Known bad.
Malicious Activity Summary
LimeRAT
Limerat family
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-24 07:38
Signatures
Limerat family
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-24 07:38
Reported
2022-06-24 07:40
Platform
win7-20220414-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
LimeRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New-Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\New-Client.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\New-Client.exe
"C:\Users\Admin\AppData\Local\Temp\New-Client.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\explorer\explorer.exe'"
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
"C:\Users\Admin\AppData\Roaming\explorer\explorer.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 6.tcp.ngrok.io | udp |
| US | 3.140.223.7:18954 | 6.tcp.ngrok.io | tcp |
Files
memory/1336-54-0x0000000074B51000-0x0000000074B53000-memory.dmp
memory/1336-55-0x0000000073EC0000-0x000000007446B000-memory.dmp
memory/1988-56-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\explorer\explorer.exe
| Algorithm | Hash |
|---|---|
| MD5 | eaced76d5215ebc207f63522c4dc2d95 |
| SHA1 | 65ac61c7a5958fc6fa0f6bb65dc8143d0aa5688d |
| SHA256 | 999e8466a0d2f8e3650f0cd45e11e5601068569bd4e912b057634a21e590051c |
| SHA512 | ba8a81dfe79be13dba40d1fc5becabbcba3fe212e840878e761f8b49aeb733d65d14d08d69e31f6db28feb4b428f331d9c8d17310e86be40c633730c64e3933e |
\Users\Admin\AppData\Roaming\explorer\explorer.exe
| Algorithm | Hash |
|---|---|
| MD5 | eaced76d5215ebc207f63522c4dc2d95 |
| SHA1 | 65ac61c7a5958fc6fa0f6bb65dc8143d0aa5688d |
| SHA256 | 999e8466a0d2f8e3650f0cd45e11e5601068569bd4e912b057634a21e590051c |
| SHA512 | ba8a81dfe79be13dba40d1fc5becabbcba3fe212e840878e761f8b49aeb733d65d14d08d69e31f6db28feb4b428f331d9c8d17310e86be40c633730c64e3933e |
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
| Algorithm | Hash |
|---|---|
| MD5 | eaced76d5215ebc207f63522c4dc2d95 |
| SHA1 | 65ac61c7a5958fc6fa0f6bb65dc8143d0aa5688d |
| SHA256 | 999e8466a0d2f8e3650f0cd45e11e5601068569bd4e912b057634a21e590051c |
| SHA512 | ba8a81dfe79be13dba40d1fc5becabbcba3fe212e840878e761f8b49aeb733d65d14d08d69e31f6db28feb4b428f331d9c8d17310e86be40c633730c64e3933e |
memory/1196-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
| Algorithm | Hash |
|---|---|
| MD5 | eaced76d5215ebc207f63522c4dc2d95 |
| SHA1 | 65ac61c7a5958fc6fa0f6bb65dc8143d0aa5688d |
| SHA256 | 999e8466a0d2f8e3650f0cd45e11e5601068569bd4e912b057634a21e590051c |
| SHA512 | ba8a81dfe79be13dba40d1fc5becabbcba3fe212e840878e761f8b49aeb733d65d14d08d69e31f6db28feb4b428f331d9c8d17310e86be40c633730c64e3933e |
memory/1336-63-0x0000000073EC0000-0x000000007446B000-memory.dmp
memory/1196-64-0x0000000073EC0000-0x000000007446B000-memory.dmp
memory/1196-65-0x0000000073EC0000-0x000000007446B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-24 07:38
Reported
2022-06-24 07:40
Platform
win10v2004-20220414-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
LimeRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\New-Client.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4040 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\New-Client.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 4040 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\New-Client.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 4040 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\New-Client.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 4040 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Local\Temp\New-Client.exe | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe |
| PID 4040 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Local\Temp\New-Client.exe | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe |
| PID 4040 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Local\Temp\New-Client.exe | C:\Users\Admin\AppData\Roaming\explorer\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\New-Client.exe
"C:\Users\Admin\AppData\Local\Temp\New-Client.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\explorer\explorer.exe'"
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
"C:\Users\Admin\AppData\Roaming\explorer\explorer.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 6.tcp.ngrok.io | udp |
| US | 3.140.223.7:18954 | 6.tcp.ngrok.io | tcp |
| US | 20.189.173.1:443 | N/A | tcp |
| US | 8.8.8.8:53 | 14.110.152.52.in-addr.arpa | udp |
| GB | 92.123.140.25:80 | N/A | tcp |
Files
memory/4040-130-0x0000000075510000-0x0000000075AC1000-memory.dmp
memory/2500-131-0x0000000000000000-mapping.dmp
memory/716-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
| Algorithm | Hash |
|---|---|
| MD5 | eaced76d5215ebc207f63522c4dc2d95 |
| SHA1 | 65ac61c7a5958fc6fa0f6bb65dc8143d0aa5688d |
| SHA256 | 999e8466a0d2f8e3650f0cd45e11e5601068569bd4e912b057634a21e590051c |
| SHA512 | ba8a81dfe79be13dba40d1fc5becabbcba3fe212e840878e761f8b49aeb733d65d14d08d69e31f6db28feb4b428f331d9c8d17310e86be40c633730c64e3933e |
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
| Algorithm | Hash |
|---|---|
| MD5 | eaced76d5215ebc207f63522c4dc2d95 |
| SHA1 | 65ac61c7a5958fc6fa0f6bb65dc8143d0aa5688d |
| SHA256 | 999e8466a0d2f8e3650f0cd45e11e5601068569bd4e912b057634a21e590051c |
| SHA512 | ba8a81dfe79be13dba40d1fc5becabbcba3fe212e840878e761f8b49aeb733d65d14d08d69e31f6db28feb4b428f331d9c8d17310e86be40c633730c64e3933e |
memory/4040-135-0x0000000075510000-0x0000000075AC1000-memory.dmp
memory/716-136-0x0000000075510000-0x0000000075AC1000-memory.dmp
memory/716-137-0x0000000075510000-0x0000000075AC1000-memory.dmp