Malware Analysis Report

2024-11-16 13:10

Sample ID 220624-jggsdaaggp
Target New-Client.bin
SHA256 999e8466a0d2f8e3650f0cd45e11e5601068569bd4e912b057634a21e590051c
Tags
limerat rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

999e8466a0d2f8e3650f0cd45e11e5601068569bd4e912b057634a21e590051c

Threat Level: Known bad

The file New-Client.bin was found to be: Known bad.

Malicious Activity Summary

limerat rat

LimeRAT

Limerat family

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-06-24 07:38

Signatures

Limerat family

limerat

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-24 07:38

Reported

2022-06-24 07:40

Platform

win7-20220414-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New-Client.exe"

Signatures

LimeRAT

rat limerat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\explorer\explorer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\New-Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\New-Client.exe N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New-Client.exe

"C:\Users\Admin\AppData\Local\Temp\New-Client.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\explorer\explorer.exe'"

C:\Users\Admin\AppData\Roaming\explorer\explorer.exe

"C:\Users\Admin\AppData\Roaming\explorer\explorer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
US 8.8.8.8:53 6.tcp.ngrok.io udp
US 3.140.223.7:18954 6.tcp.ngrok.io tcp

Files

memory/1336-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

memory/1336-55-0x0000000073EC0000-0x000000007446B000-memory.dmp

memory/1988-56-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\explorer\explorer.exe

MD5 eaced76d5215ebc207f63522c4dc2d95
SHA1 65ac61c7a5958fc6fa0f6bb65dc8143d0aa5688d
SHA256 999e8466a0d2f8e3650f0cd45e11e5601068569bd4e912b057634a21e590051c
SHA512 ba8a81dfe79be13dba40d1fc5becabbcba3fe212e840878e761f8b49aeb733d65d14d08d69e31f6db28feb4b428f331d9c8d17310e86be40c633730c64e3933e

\Users\Admin\AppData\Roaming\explorer\explorer.exe

MD5 eaced76d5215ebc207f63522c4dc2d95
SHA1 65ac61c7a5958fc6fa0f6bb65dc8143d0aa5688d
SHA256 999e8466a0d2f8e3650f0cd45e11e5601068569bd4e912b057634a21e590051c
SHA512 ba8a81dfe79be13dba40d1fc5becabbcba3fe212e840878e761f8b49aeb733d65d14d08d69e31f6db28feb4b428f331d9c8d17310e86be40c633730c64e3933e

C:\Users\Admin\AppData\Roaming\explorer\explorer.exe

MD5 eaced76d5215ebc207f63522c4dc2d95
SHA1 65ac61c7a5958fc6fa0f6bb65dc8143d0aa5688d
SHA256 999e8466a0d2f8e3650f0cd45e11e5601068569bd4e912b057634a21e590051c
SHA512 ba8a81dfe79be13dba40d1fc5becabbcba3fe212e840878e761f8b49aeb733d65d14d08d69e31f6db28feb4b428f331d9c8d17310e86be40c633730c64e3933e

memory/1196-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\explorer\explorer.exe

MD5 eaced76d5215ebc207f63522c4dc2d95
SHA1 65ac61c7a5958fc6fa0f6bb65dc8143d0aa5688d
SHA256 999e8466a0d2f8e3650f0cd45e11e5601068569bd4e912b057634a21e590051c
SHA512 ba8a81dfe79be13dba40d1fc5becabbcba3fe212e840878e761f8b49aeb733d65d14d08d69e31f6db28feb4b428f331d9c8d17310e86be40c633730c64e3933e

memory/1336-63-0x0000000073EC0000-0x000000007446B000-memory.dmp

memory/1196-64-0x0000000073EC0000-0x000000007446B000-memory.dmp

memory/1196-65-0x0000000073EC0000-0x000000007446B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-24 07:38

Reported

2022-06-24 07:40

Platform

win10v2004-20220414-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New-Client.exe"

Signatures

LimeRAT

rat limerat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\explorer\explorer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\New-Client.exe N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New-Client.exe

"C:\Users\Admin\AppData\Local\Temp\New-Client.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\explorer\explorer.exe'"

C:\Users\Admin\AppData\Roaming\explorer\explorer.exe

"C:\Users\Admin\AppData\Roaming\explorer\explorer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
US 8.8.8.8:53 6.tcp.ngrok.io udp
US 3.140.223.7:18954 6.tcp.ngrok.io tcp
US 20.189.173.1:443 tcp
US 8.8.8.8:53 14.110.152.52.in-addr.arpa udp
GB 92.123.140.25:80 tcp

Files

memory/4040-130-0x0000000075510000-0x0000000075AC1000-memory.dmp

memory/2500-131-0x0000000000000000-mapping.dmp

memory/716-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\explorer\explorer.exe

MD5 eaced76d5215ebc207f63522c4dc2d95
SHA1 65ac61c7a5958fc6fa0f6bb65dc8143d0aa5688d
SHA256 999e8466a0d2f8e3650f0cd45e11e5601068569bd4e912b057634a21e590051c
SHA512 ba8a81dfe79be13dba40d1fc5becabbcba3fe212e840878e761f8b49aeb733d65d14d08d69e31f6db28feb4b428f331d9c8d17310e86be40c633730c64e3933e

C:\Users\Admin\AppData\Roaming\explorer\explorer.exe

MD5 eaced76d5215ebc207f63522c4dc2d95
SHA1 65ac61c7a5958fc6fa0f6bb65dc8143d0aa5688d
SHA256 999e8466a0d2f8e3650f0cd45e11e5601068569bd4e912b057634a21e590051c
SHA512 ba8a81dfe79be13dba40d1fc5becabbcba3fe212e840878e761f8b49aeb733d65d14d08d69e31f6db28feb4b428f331d9c8d17310e86be40c633730c64e3933e

memory/4040-135-0x0000000075510000-0x0000000075AC1000-memory.dmp

memory/716-136-0x0000000075510000-0x0000000075AC1000-memory.dmp

memory/716-137-0x0000000075510000-0x0000000075AC1000-memory.dmp