Malware Analysis Report

2024-11-16 13:09

Sample ID 220708-r2t77secbq
Target 26a0f88f7e9c8121168faa2a2b905ab1833b01292c37004ee3f5e2b3d90ccb44
SHA256 26a0f88f7e9c8121168faa2a2b905ab1833b01292c37004ee3f5e2b3d90ccb44
Tags
limerat rat
score
10/10

Analysis Overview

score
10/10

SHA256

26a0f88f7e9c8121168faa2a2b905ab1833b01292c37004ee3f5e2b3d90ccb44

Threat Level: Known bad

The file 26a0f88f7e9c8121168faa2a2b905ab1833b01292c37004ee3f5e2b3d90ccb44 was found to be: Known bad.

Malicious Activity Summary

limerat rat

Limerat family

LimeRAT

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Maps connected drives based on registry

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-07-08 14:41

Signatures

Limerat family

limerat

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-08 14:41

Reported

2022-07-08 17:37

Platform

win7-20220414-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\26a0f88f7e9c8121168faa2a2b905ab1833b01292c37004ee3f5e2b3d90ccb44.exe"

Signatures

LimeRAT

rat limerat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\n64\n64.exe N/A

Legitimate hosting services abused for malware hosting/C2

Maps connected drives based on registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\26a0f88f7e9c8121168faa2a2b905ab1833b01292c37004ee3f5e2b3d90ccb44.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Roaming\n64\n64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Roaming\n64\n64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\26a0f88f7e9c8121168faa2a2b905ab1833b01292c37004ee3f5e2b3d90ccb44.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\n64\n64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\n64\n64.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\26a0f88f7e9c8121168faa2a2b905ab1833b01292c37004ee3f5e2b3d90ccb44.exe

"C:\Users\Admin\AppData\Local\Temp\26a0f88f7e9c8121168faa2a2b905ab1833b01292c37004ee3f5e2b3d90ccb44.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\n64\n64.exe'"

C:\Users\Admin\AppData\Roaming\n64\n64.exe

"C:\Users\Admin\AppData\Roaming\n64\n64.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
US 199.195.250.222:1444 tcp
US 199.195.250.222:1444 tcp
US 199.195.250.222:1444 tcp
US 199.195.250.222:1444 tcp
US 199.195.250.222:1444 tcp

Files

memory/756-54-0x0000000000B80000-0x0000000000BBE000-memory.dmp

memory/900-55-0x0000000000000000-mapping.dmp

memory/756-56-0x00000000755B1000-0x00000000755B3000-memory.dmp

\Users\Admin\AppData\Roaming\n64\n64.exe

MD5 c2f4e22a83fdc19dd0c9d55218363669
SHA1 8defeba00ada78ea05389b31bd08e9e021ab3d17
SHA256 26a0f88f7e9c8121168faa2a2b905ab1833b01292c37004ee3f5e2b3d90ccb44
SHA512 4a52f078fa6398e06e73cb0d57764ec455a2df381775c9aded6e93ea0b2412eb5764b60a099985c9a4c860901b421d30ae8b94717ff15d44d94c50f15f8a01d2

memory/1712-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\n64\n64.exe

MD5 c2f4e22a83fdc19dd0c9d55218363669
SHA1 8defeba00ada78ea05389b31bd08e9e021ab3d17
SHA256 26a0f88f7e9c8121168faa2a2b905ab1833b01292c37004ee3f5e2b3d90ccb44
SHA512 4a52f078fa6398e06e73cb0d57764ec455a2df381775c9aded6e93ea0b2412eb5764b60a099985c9a4c860901b421d30ae8b94717ff15d44d94c50f15f8a01d2

memory/1712-62-0x0000000000A50000-0x0000000000A8E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-08 14:41

Reported

2022-07-08 17:37

Platform

win10v2004-20220414-en

Max time kernel

138s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\26a0f88f7e9c8121168faa2a2b905ab1833b01292c37004ee3f5e2b3d90ccb44.exe"

Signatures

LimeRAT

rat limerat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\n64\n64.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\26a0f88f7e9c8121168faa2a2b905ab1833b01292c37004ee3f5e2b3d90ccb44.exe N/A

Legitimate hosting services abused for malware hosting/C2

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\26a0f88f7e9c8121168faa2a2b905ab1833b01292c37004ee3f5e2b3d90ccb44.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\26a0f88f7e9c8121168faa2a2b905ab1833b01292c37004ee3f5e2b3d90ccb44.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Roaming\n64\n64.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\n64\n64.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\n64\n64.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\n64\n64.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\26a0f88f7e9c8121168faa2a2b905ab1833b01292c37004ee3f5e2b3d90ccb44.exe

"C:\Users\Admin\AppData\Local\Temp\26a0f88f7e9c8121168faa2a2b905ab1833b01292c37004ee3f5e2b3d90ccb44.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\n64\n64.exe'"

C:\Users\Admin\AppData\Roaming\n64\n64.exe

"C:\Users\Admin\AppData\Roaming\n64\n64.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
US 199.195.250.222:1444 tcp
US 20.189.173.1:443 tcp
US 199.195.250.222:1444 tcp
NL 178.79.208.1:80 tcp
US 199.195.250.222:1444 tcp
US 104.18.25.243:80 tcp
US 199.195.250.222:1444 tcp
US 199.195.250.222:1444 tcp
US 199.195.250.222:1444 tcp

Files

memory/3792-130-0x0000000000B80000-0x0000000000BBE000-memory.dmp

memory/3792-131-0x00000000054A0000-0x000000000553C000-memory.dmp

memory/3792-132-0x00000000053E0000-0x0000000005446000-memory.dmp

memory/3792-133-0x00000000061F0000-0x0000000006794000-memory.dmp

memory/4108-134-0x0000000000000000-mapping.dmp

memory/3160-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\n64\n64.exe

MD5 c2f4e22a83fdc19dd0c9d55218363669
SHA1 8defeba00ada78ea05389b31bd08e9e021ab3d17
SHA256 26a0f88f7e9c8121168faa2a2b905ab1833b01292c37004ee3f5e2b3d90ccb44
SHA512 4a52f078fa6398e06e73cb0d57764ec455a2df381775c9aded6e93ea0b2412eb5764b60a099985c9a4c860901b421d30ae8b94717ff15d44d94c50f15f8a01d2