Malware Analysis Report

2024-11-16 13:10

Sample ID 220625-gqggvsahe5
Target b9f80a3672f06e5a56641e48021b6bdb6a4fa25ad1bcefa0ecaaa433b0e36271
SHA256 b9f80a3672f06e5a56641e48021b6bdb6a4fa25ad1bcefa0ecaaa433b0e36271
Tags
limerat rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b9f80a3672f06e5a56641e48021b6bdb6a4fa25ad1bcefa0ecaaa433b0e36271

Threat Level: Known bad

The file b9f80a3672f06e5a56641e48021b6bdb6a4fa25ad1bcefa0ecaaa433b0e36271 was found to be: Known bad.

Malicious Activity Summary

limerat rat

LimeRAT

Executes dropped EXE

Drops startup file

Loads dropped DLL

AutoIT Executable

Suspicious use of SetThreadContext

Suspicious use of SendNotifyMessage

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-06-25 06:00

Signatures

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-25 06:00

Reported

2022-06-25 06:35

Platform

win7-20220414-en

Max time kernel

144s

Max time network

70s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b9f80a3672f06e5a56641e48021b6bdb6a4fa25ad1bcefa0ecaaa433b0e36271.exe"

Signatures

LimeRAT

rat limerat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Operelink.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cdp.url | C:\Users\Admin\AppData\Local\Temp\b9f80a3672f06e5a56641e48021b6bdb6a4fa25ad1bcefa0ecaaa433b0e36271.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1656 set thread context of 648 | N/A | C:\Users\Admin\AppData\Local\Temp\b9f80a3672f06e5a56641e48021b6bdb6a4fa25ad1bcefa0ecaaa433b0e36271.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1656 wrote to memory of 648 | N/A | C:\Users\Admin\AppData\Local\Temp\b9f80a3672f06e5a56641e48021b6bdb6a4fa25ad1bcefa0ecaaa433b0e36271.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1656 wrote to memory of 648 | N/A | C:\Users\Admin\AppData\Local\Temp\b9f80a3672f06e5a56641e48021b6bdb6a4fa25ad1bcefa0ecaaa433b0e36271.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1656 wrote to memory of 648 | N/A | C:\Users\Admin\AppData\Local\Temp\b9f80a3672f06e5a56641e48021b6bdb6a4fa25ad1bcefa0ecaaa433b0e36271.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1656 wrote to memory of 648 | N/A | C:\Users\Admin\AppData\Local\Temp\b9f80a3672f06e5a56641e48021b6bdb6a4fa25ad1bcefa0ecaaa433b0e36271.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1656 wrote to memory of 648 | N/A | C:\Users\Admin\AppData\Local\Temp\b9f80a3672f06e5a56641e48021b6bdb6a4fa25ad1bcefa0ecaaa433b0e36271.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1656 wrote to memory of 648 | N/A | C:\Users\Admin\AppData\Local\Temp\b9f80a3672f06e5a56641e48021b6bdb6a4fa25ad1bcefa0ecaaa433b0e36271.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 648 wrote to memory of 536 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | C:\Windows\SysWOW64\schtasks.exe
PID 648 wrote to memory of 536 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | C:\Windows\SysWOW64\schtasks.exe
PID 648 wrote to memory of 536 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | C:\Windows\SysWOW64\schtasks.exe
PID 648 wrote to memory of 536 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | C:\Windows\SysWOW64\schtasks.exe
PID 648 wrote to memory of 1328 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | C:\Users\Admin\AppData\Local\Temp\Operelink.exe
PID 648 wrote to memory of 1328 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | C:\Users\Admin\AppData\Local\Temp\Operelink.exe
PID 648 wrote to memory of 1328 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | C:\Users\Admin\AppData\Local\Temp\Operelink.exe
PID 648 wrote to memory of 1328 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | C:\Users\Admin\AppData\Local\Temp\Operelink.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b9f80a3672f06e5a56641e48021b6bdb6a4fa25ad1bcefa0ecaaa433b0e36271.exe

"C:\Users\Admin\AppData\Local\Temp\b9f80a3672f06e5a56641e48021b6bdb6a4fa25ad1bcefa0ecaaa433b0e36271.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\Operelink.exe'"

C:\Users\Admin\AppData\Local\Temp\Operelink.exe

"C:\Users\Admin\AppData\Local\Temp\Operelink.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.timeapi.org | udp
N/A | 127.0.0.1:80 | | tcp

Files

memory/1656-54-0x0000000075781000-0x0000000075783000-memory.dmp

memory/1656-55-0x0000000002560000-0x0000000002595000-memory.dmp

memory/648-58-0x0000000000400000-0x000000000040C000-memory.dmp

memory/648-62-0x0000000000408D5E-mapping.dmp

memory/648-56-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1656-65-0x0000000002560000-0x0000000002562000-memory.dmp

memory/648-64-0x0000000000400000-0x000000000040C000-memory.dmp

memory/648-63-0x0000000000400000-0x000000000040C000-memory.dmp

memory/536-66-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\Operelink.exe

MD5 9af17c8393f0970ee5136bd3ffa27001
SHA1 4b285b72c1a11285a25f31f2597e090da6bbc049
SHA256 71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019
SHA512 b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

memory/1328-69-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Operelink.exe

MD5 9af17c8393f0970ee5136bd3ffa27001
SHA1 4b285b72c1a11285a25f31f2597e090da6bbc049
SHA256 71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019
SHA512 b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

C:\Users\Admin\AppData\Local\Temp\Operelink.exe

MD5 9af17c8393f0970ee5136bd3ffa27001
SHA1 4b285b72c1a11285a25f31f2597e090da6bbc049
SHA256 71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019
SHA512 b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

memory/1328-72-0x0000000000CC0000-0x0000000000D00000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-25 06:00

Reported

2022-06-25 06:37

Platform

win10v2004-20220414-en

Max time kernel

135s

Max time network

171s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b9f80a3672f06e5a56641e48021b6bdb6a4fa25ad1bcefa0ecaaa433b0e36271.exe"

Signatures

LimeRAT

rat limerat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Operelink.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cdp.url | C:\Users\Admin\AppData\Local\Temp\b9f80a3672f06e5a56641e48021b6bdb6a4fa25ad1bcefa0ecaaa433b0e36271.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3136 set thread context of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\b9f80a3672f06e5a56641e48021b6bdb6a4fa25ad1bcefa0ecaaa433b0e36271.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b9f80a3672f06e5a56641e48021b6bdb6a4fa25ad1bcefa0ecaaa433b0e36271.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3136 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\b9f80a3672f06e5a56641e48021b6bdb6a4fa25ad1bcefa0ecaaa433b0e36271.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3136 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\b9f80a3672f06e5a56641e48021b6bdb6a4fa25ad1bcefa0ecaaa433b0e36271.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3136 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\b9f80a3672f06e5a56641e48021b6bdb6a4fa25ad1bcefa0ecaaa433b0e36271.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3136 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\b9f80a3672f06e5a56641e48021b6bdb6a4fa25ad1bcefa0ecaaa433b0e36271.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3136 wrote to memory of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\b9f80a3672f06e5a56641e48021b6bdb6a4fa25ad1bcefa0ecaaa433b0e36271.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1836 wrote to memory of 744 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1836 wrote to memory of 744 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1836 wrote to memory of 744 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1836 wrote to memory of 2104 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | C:\Users\Admin\AppData\Local\Temp\Operelink.exe
PID 1836 wrote to memory of 2104 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | C:\Users\Admin\AppData\Local\Temp\Operelink.exe
PID 1836 wrote to memory of 2104 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | C:\Users\Admin\AppData\Local\Temp\Operelink.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b9f80a3672f06e5a56641e48021b6bdb6a4fa25ad1bcefa0ecaaa433b0e36271.exe

"C:\Users\Admin\AppData\Local\Temp\b9f80a3672f06e5a56641e48021b6bdb6a4fa25ad1bcefa0ecaaa433b0e36271.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\Operelink.exe'"

C:\Users\Admin\AppData\Local\Temp\Operelink.exe

"C:\Users\Admin\AppData\Local\Temp\Operelink.exe"

Network

Country | Destination | Domain | Proto
US | 67.26.211.254:80 | | tcp
US | 8.252.118.126:80 | | tcp
US | 67.24.169.254:80 | | tcp
US | 209.197.3.8:80 | | tcp
IE | 13.69.239.73:443 | | tcp
US | 8.252.118.126:80 | | tcp
US | 67.26.207.254:80 | | tcp
US | 8.8.8.8:53 | www.timeapi.org | udp
N/A | 127.0.0.1:80 | | tcp
US | 67.26.211.254:80 | | tcp
US | 67.26.211.254:80 | | tcp
US | 93.184.220.29:80 | | tcp
US | 204.79.197.203:80 | | tcp
US | 204.79.197.200:443 | | tcp
US | 204.79.197.200:443 | | tcp
US | 67.26.211.254:80 | | tcp

Files

memory/3136-130-0x0000000005F30000-0x0000000005F38000-memory.dmp

memory/1836-131-0x0000000000000000-mapping.dmp

memory/1836-132-0x0000000000740000-0x000000000074C000-memory.dmp

memory/1836-136-0x0000000004BC0000-0x0000000004C5C000-memory.dmp

memory/1836-137-0x0000000004CA0000-0x0000000004D06000-memory.dmp

memory/1836-138-0x00000000058C0000-0x0000000005E64000-memory.dmp

memory/744-139-0x0000000000000000-mapping.dmp

memory/2104-140-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Operelink.exe

MD5 8fdf47e0ff70c40ed3a17014aeea4232
SHA1 e6256a0159688f0560b015da4d967f41cbf8c9bd
SHA256 ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82
SHA512 bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

C:\Users\Admin\AppData\Local\Temp\Operelink.exe

MD5 8fdf47e0ff70c40ed3a17014aeea4232
SHA1 e6256a0159688f0560b015da4d967f41cbf8c9bd
SHA256 ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82
SHA512 bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

memory/2104-143-0x0000000000120000-0x0000000000160000-memory.dmp

memory/2104-144-0x00000000023E0000-0x00000000023FA000-memory.dmp

memory/2104-145-0x0000000004BB0000-0x0000000004D0A000-memory.dmp