Malware Analysis Report

2024-11-16 13:08

Sample ID 220731-kebc9ahcfn
Target fd29c69eabf95a7dd9921e16ad97e2a74ec6634d19e29251038a5b575f52f5db
SHA256 fd29c69eabf95a7dd9921e16ad97e2a74ec6634d19e29251038a5b575f52f5db
Tags
limerat rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fd29c69eabf95a7dd9921e16ad97e2a74ec6634d19e29251038a5b575f52f5db

Threat Level: Known bad

The file fd29c69eabf95a7dd9921e16ad97e2a74ec6634d19e29251038a5b575f52f5db was found to be: Known bad.

Malicious Activity Summary

limerat rat

Limerat family

LimeRAT

Legitimate hosting services abused for malware hosting/C2

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-07-31 08:30

Signatures

Limerat family

limerat

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-31 08:30

Reported

2022-07-31 11:39

Platform

win7-20220718-en

Max time kernel

128s

Max time network

173s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fd29c69eabf95a7dd9921e16ad97e2a74ec6634d19e29251038a5b575f52f5db.exe"

Signatures

LimeRAT

rat limerat

Legitimate hosting services abused for malware hosting/C2

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                                                                                                  Target
Token: SeDebugPrivilege  N/A        C:\Users\Admin\AppData\Local\Temp\fd29c69eabf95a7dd9921e16ad97e2a74ec6634d19e29251038a5b575f52f5db.exe  N/A
Token: SeDebugPrivilege  N/A        C:\Users\Admin\AppData\Local\Temp\fd29c69eabf95a7dd9921e16ad97e2a74ec6634d19e29251038a5b575f52f5db.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fd29c69eabf95a7dd9921e16ad97e2a74ec6634d19e29251038a5b575f52f5db.exe

"C:\Users\Admin\AppData\Local\Temp\fd29c69eabf95a7dd9921e16ad97e2a74ec6634d19e29251038a5b575f52f5db.exe"

Network

Country  Destination            Domain        Proto
US       8.8.8.8:53             pastebin.com  udp
US       104.20.67.143:443      pastebin.com  tcp
RU       178.206.235.125:1604                 tcp
RU       178.206.235.125:1604                 tcp

Files

memory/1572-54-0x00000000011F0000-0x00000000011FC000-memory.dmp

memory/1572-55-0x00000000763E1000-0x00000000763E3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-31 08:30

Reported

2022-07-31 11:40

Platform

win10v2004-20220721-en

Max time kernel

227s

Max time network

239s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fd29c69eabf95a7dd9921e16ad97e2a74ec6634d19e29251038a5b575f52f5db.exe"

Signatures

LimeRAT

rat limerat

Legitimate hosting services abused for malware hosting/C2

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                                                                                                                  Target
Token: SeDebugPrivilege  N/A        C:\Users\Admin\AppData\Local\Temp\fd29c69eabf95a7dd9921e16ad97e2a74ec6634d19e29251038a5b575f52f5db.exe  N/A
Token: SeDebugPrivilege  N/A        C:\Users\Admin\AppData\Local\Temp\fd29c69eabf95a7dd9921e16ad97e2a74ec6634d19e29251038a5b575f52f5db.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fd29c69eabf95a7dd9921e16ad97e2a74ec6634d19e29251038a5b575f52f5db.exe

"C:\Users\Admin\AppData\Local\Temp\fd29c69eabf95a7dd9921e16ad97e2a74ec6634d19e29251038a5b575f52f5db.exe"

Network

Country  Destination          Domain        Proto
US       93.184.221.240:80                  tcp
US       93.184.221.240:80                  tcp
US       93.184.220.29:80                   tcp
US       93.184.221.240:80                  tcp
US       8.238.21.126:80                    tcp
US       20.189.173.9:443                   tcp
US       93.184.221.240:80                  tcp
US       8.8.8.8:53           pastebin.com  udp
US       104.20.67.143:443    pastebin.com  tcp
FR       2.16.119.157:443                   tcp
US       104.20.67.143:443    pastebin.com  tcp
FR       2.16.119.157:443                   tcp
US       172.67.34.170:443    pastebin.com  tcp
US       104.20.68.143:443    pastebin.com  tcp

Files

memory/5116-130-0x00000000009E0000-0x00000000009EC000-memory.dmp

memory/5116-131-0x0000000005320000-0x00000000053BC000-memory.dmp

memory/5116-132-0x00000000053F0000-0x0000000005456000-memory.dmp

memory/5116-133-0x0000000005FF0000-0x0000000006594000-memory.dmp