Overview

overview

10

Static

static

10

0c9df96101...dd.exe

windows7-x64

10

0c9df96101...dd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-08-2022 16:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0c9df96101af0ac8049408831d42dedd.exe

  • Size

    29KB

  • MD5

    0c9df96101af0ac8049408831d42dedd

  • SHA1

    a43aedc5578add2f07269f88b923536b9d239019

  • SHA256

    9207a09821cbdc73ff5c3909c74914e772a4c356cfcb58eea38f8eeb1ea0c11a

  • SHA512

    2079380e4b839ba4b46f8f7c9eb34dc85b33a2876faa968efed62c3eb544125395ad6fc0dbf29f627cbf47e4550366485f2e789545a3726dd12df0a7cbb6710b

Score
10/10
limeratrat

Malware Config

Extracted

Family

limerat

Attributes
  • aes_key

    O

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/9uk330hR

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Wservices.exe

  • main_folder

    Temp

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    false

Signatures

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

    ratlimerat
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0c9df96101af0ac8049408831d42dedd.exe
    "C:\Users\Admin\AppData\Local\Temp\0c9df96101af0ac8049408831d42dedd.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3500-130-0x00000000005A0000-0x00000000005AC000-memory.dmp
    Filesize

    48KB

    Download
  • memory/3500-131-0x0000000004F20000-0x0000000004FBC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/3500-132-0x0000000005030000-0x0000000005096000-memory.dmp
    Filesize

    408KB

    Download
  • memory/3500-133-0x0000000005D50000-0x00000000062F4000-memory.dmp
    Filesize

    5.6MB

    Download