General
Target: eb9e4955edda276425933aea122f9a84.exe
Size: 47KB
Sample: 220914-3lzcrsfcgj
MD5: eb9e4955edda276425933aea122f9a84
SHA1: 6763106ffdc12cf213f579f72c1c6e8f3272fa9c
SHA256: 75180613894eb3345319cc207d66688e5219035a05e97d330a2397d51cc397c6
SHA512: 621cb956531c7e70715cb14eb3b5ff030fa1b3387a97b7ef04a847bdb54878ad713162115c78ce46dca3d3f11b5742a23e8a1fecd34e30429e934c487aafa60f
SSDEEP: 768:e7DiMIvhyqeFRKUKPl2+Vf7lWDVkUmg1/oRxf0IbvDOPbPlEnNFqoBc:KiMdzgdoEfskV8Of9bvDI7GDlBc
Behavioral task
behavioral1
Sample: eb9e4955edda276425933aea122f9a84.exe
Resource: win7-20220901-en
Malware Config
Extracted: limerat
aes_key: beodz
antivm: false
c2_url: https://pastebin.com/raw/PEKpeQWU
delay: 3
download_payload: false
install: true
install_name: winlogon.exe
main_folder: AppData
pin_spread: false
sub_folder: \AppData\Windows Protector\
usb_spread: false
Targets
Target: eb9e4955edda276425933aea122f9a84.exe
Size: 47KB
MD5: eb9e4955edda276425933aea122f9a84
SHA1: 6763106ffdc12cf213f579f72c1c6e8f3272fa9c
SHA256: 75180613894eb3345319cc207d66688e5219035a05e97d330a2397d51cc397c6
SHA512: 621cb956531c7e70715cb14eb3b5ff030fa1b3387a97b7ef04a847bdb54878ad713162115c78ce46dca3d3f11b5742a23e8a1fecd34e30429e934c487aafa60f
SSDEEP: 768:e7DiMIvhyqeFRKUKPl2+Vf7lWDVkUmg1/oRxf0IbvDOPbPlEnNFqoBc:KiMdzgdoEfskV8Of9bvDI7GDlBc
- XMRig Miner payload
- Adds policy Run key to start application
- Blocklisted process makes network request
- Disables Task Manager via registry modification
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2