General

  • Target

    eb9e4955edda276425933aea122f9a84.exe

  • Size

    47KB

  • Sample

    220914-3lzcrsfcgj

  • MD5

    eb9e4955edda276425933aea122f9a84

  • SHA1

    6763106ffdc12cf213f579f72c1c6e8f3272fa9c

  • SHA256

    75180613894eb3345319cc207d66688e5219035a05e97d330a2397d51cc397c6

  • SHA512

    621cb956531c7e70715cb14eb3b5ff030fa1b3387a97b7ef04a847bdb54878ad713162115c78ce46dca3d3f11b5742a23e8a1fecd34e30429e934c487aafa60f

  • SSDEEP

    768:e7DiMIvhyqeFRKUKPl2+Vf7lWDVkUmg1/oRxf0IbvDOPbPlEnNFqoBc:KiMdzgdoEfskV8Of9bvDI7GDlBc

Malware Config

Extracted

Family

limerat

Attributes
  • aes_key

    beodz

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/PEKpeQWU

  • delay

    3

  • download_payload

    false

  • install

    true

  • install_name

    winlogon.exe

  • main_folder

    AppData

  • pin_spread

    false

  • sub_folder

    \AppData\Windows Protector\

  • usb_spread

    false

Targets

    • Target

      eb9e4955edda276425933aea122f9a84.exe

    • Size

      47KB

    • MD5

      eb9e4955edda276425933aea122f9a84

    • SHA1

      6763106ffdc12cf213f579f72c1c6e8f3272fa9c

    • SHA256

      75180613894eb3345319cc207d66688e5219035a05e97d330a2397d51cc397c6

    • SHA512

      621cb956531c7e70715cb14eb3b5ff030fa1b3387a97b7ef04a847bdb54878ad713162115c78ce46dca3d3f11b5742a23e8a1fecd34e30429e934c487aafa60f

    • SSDEEP

      768:e7DiMIvhyqeFRKUKPl2+Vf7lWDVkUmg1/oRxf0IbvDOPbPlEnNFqoBc:KiMdzgdoEfskV8Of9bvDI7GDlBc

    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Adds policy Run key to start application

    • Blocklisted process makes network request

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v6

Tasks