Analysis Overview
SHA256
26a0f88f7e9c8121168faa2a2b905ab1833b01292c37004ee3f5e2b3d90ccb44
Threat Level: Known bad
The file 26a0f88f7e9c8121168faa2a2b905ab1833b01292c37004ee3f5e2b3d90ccb44 was found to be: Known bad.
Malicious Activity Summary
Limerat family
LimeRAT
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-07-08 14:41
Signatures
Limerat family
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-08 14:41
Reported
2022-07-08 17:37
Platform
win7-20220414-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
LimeRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\n64\n64.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26a0f88f7e9c8121168faa2a2b905ab1833b01292c37004ee3f5e2b3d90ccb44.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26a0f88f7e9c8121168faa2a2b905ab1833b01292c37004ee3f5e2b3d90ccb44.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\26a0f88f7e9c8121168faa2a2b905ab1833b01292c37004ee3f5e2b3d90ccb44.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Roaming\n64\n64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\n64\n64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\26a0f88f7e9c8121168faa2a2b905ab1833b01292c37004ee3f5e2b3d90ccb44.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\n64\n64.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\n64\n64.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\26a0f88f7e9c8121168faa2a2b905ab1833b01292c37004ee3f5e2b3d90ccb44.exe
"C:\Users\Admin\AppData\Local\Temp\26a0f88f7e9c8121168faa2a2b905ab1833b01292c37004ee3f5e2b3d90ccb44.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\n64\n64.exe'"
C:\Users\Admin\AppData\Roaming\n64\n64.exe
"C:\Users\Admin\AppData\Roaming\n64\n64.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| US | 199.195.250.222:1444 | tcp | |
| US | 199.195.250.222:1444 | tcp | |
| US | 199.195.250.222:1444 | tcp | |
| US | 199.195.250.222:1444 | tcp | |
| US | 199.195.250.222:1444 | tcp |
Files
memory/756-54-0x0000000000B80000-0x0000000000BBE000-memory.dmp
memory/900-55-0x0000000000000000-mapping.dmp
memory/756-56-0x00000000755B1000-0x00000000755B3000-memory.dmp
\Users\Admin\AppData\Roaming\n64\n64.exe
| MD5 | c2f4e22a83fdc19dd0c9d55218363669 |
| SHA1 | 8defeba00ada78ea05389b31bd08e9e021ab3d17 |
| SHA256 | 26a0f88f7e9c8121168faa2a2b905ab1833b01292c37004ee3f5e2b3d90ccb44 |
| SHA512 | 4a52f078fa6398e06e73cb0d57764ec455a2df381775c9aded6e93ea0b2412eb5764b60a099985c9a4c860901b421d30ae8b94717ff15d44d94c50f15f8a01d2 |
memory/1712-59-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\n64\n64.exe
| MD5 | c2f4e22a83fdc19dd0c9d55218363669 |
| SHA1 | 8defeba00ada78ea05389b31bd08e9e021ab3d17 |
| SHA256 | 26a0f88f7e9c8121168faa2a2b905ab1833b01292c37004ee3f5e2b3d90ccb44 |
| SHA512 | 4a52f078fa6398e06e73cb0d57764ec455a2df381775c9aded6e93ea0b2412eb5764b60a099985c9a4c860901b421d30ae8b94717ff15d44d94c50f15f8a01d2 |
C:\Users\Admin\AppData\Roaming\n64\n64.exe
| MD5 | c2f4e22a83fdc19dd0c9d55218363669 |
| SHA1 | 8defeba00ada78ea05389b31bd08e9e021ab3d17 |
| SHA256 | 26a0f88f7e9c8121168faa2a2b905ab1833b01292c37004ee3f5e2b3d90ccb44 |
| SHA512 | 4a52f078fa6398e06e73cb0d57764ec455a2df381775c9aded6e93ea0b2412eb5764b60a099985c9a4c860901b421d30ae8b94717ff15d44d94c50f15f8a01d2 |
C:\Users\Admin\AppData\Roaming\n64\n64.exe
| MD5 | c2f4e22a83fdc19dd0c9d55218363669 |
| SHA1 | 8defeba00ada78ea05389b31bd08e9e021ab3d17 |
| SHA256 | 26a0f88f7e9c8121168faa2a2b905ab1833b01292c37004ee3f5e2b3d90ccb44 |
| SHA512 | 4a52f078fa6398e06e73cb0d57764ec455a2df381775c9aded6e93ea0b2412eb5764b60a099985c9a4c860901b421d30ae8b94717ff15d44d94c50f15f8a01d2 |
memory/1712-62-0x0000000000A50000-0x0000000000A8E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-08 14:41
Reported
2022-07-08 17:37
Platform
win10v2004-20220414-en
Max time kernel
138s
Max time network
150s
Command Line
Signatures
LimeRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\n64\n64.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\26a0f88f7e9c8121168faa2a2b905ab1833b01292c37004ee3f5e2b3d90ccb44.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\26a0f88f7e9c8121168faa2a2b905ab1833b01292c37004ee3f5e2b3d90ccb44.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\26a0f88f7e9c8121168faa2a2b905ab1833b01292c37004ee3f5e2b3d90ccb44.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Roaming\n64\n64.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Roaming\n64\n64.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\n64\n64.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\n64\n64.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\26a0f88f7e9c8121168faa2a2b905ab1833b01292c37004ee3f5e2b3d90ccb44.exe
"C:\Users\Admin\AppData\Local\Temp\26a0f88f7e9c8121168faa2a2b905ab1833b01292c37004ee3f5e2b3d90ccb44.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\n64\n64.exe'"
C:\Users\Admin\AppData\Roaming\n64\n64.exe
"C:\Users\Admin\AppData\Roaming\n64\n64.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| US | 199.195.250.222:1444 | tcp | |
| US | 20.189.173.1:443 | tcp | |
| US | 199.195.250.222:1444 | tcp | |
| NL | 178.79.208.1:80 | tcp | |
| US | 199.195.250.222:1444 | tcp | |
| US | 104.18.25.243:80 | tcp | |
| US | 199.195.250.222:1444 | tcp | |
| US | 199.195.250.222:1444 | tcp | |
| US | 199.195.250.222:1444 | tcp |
Files
memory/3792-130-0x0000000000B80000-0x0000000000BBE000-memory.dmp
memory/3792-131-0x00000000054A0000-0x000000000553C000-memory.dmp
memory/3792-132-0x00000000053E0000-0x0000000005446000-memory.dmp
memory/3792-133-0x00000000061F0000-0x0000000006794000-memory.dmp
memory/4108-134-0x0000000000000000-mapping.dmp
memory/3160-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\n64\n64.exe
| MD5 | c2f4e22a83fdc19dd0c9d55218363669 |
| SHA1 | 8defeba00ada78ea05389b31bd08e9e021ab3d17 |
| SHA256 | 26a0f88f7e9c8121168faa2a2b905ab1833b01292c37004ee3f5e2b3d90ccb44 |
| SHA512 | 4a52f078fa6398e06e73cb0d57764ec455a2df381775c9aded6e93ea0b2412eb5764b60a099985c9a4c860901b421d30ae8b94717ff15d44d94c50f15f8a01d2 |
C:\Users\Admin\AppData\Roaming\n64\n64.exe
| MD5 | c2f4e22a83fdc19dd0c9d55218363669 |
| SHA1 | 8defeba00ada78ea05389b31bd08e9e021ab3d17 |
| SHA256 | 26a0f88f7e9c8121168faa2a2b905ab1833b01292c37004ee3f5e2b3d90ccb44 |
| SHA512 | 4a52f078fa6398e06e73cb0d57764ec455a2df381775c9aded6e93ea0b2412eb5764b60a099985c9a4c860901b421d30ae8b94717ff15d44d94c50f15f8a01d2 |