General

  • Target

    851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe

  • Size

    242KB

  • Sample

    221004-z7wl8acfa3

  • MD5

    10e6c5653d2929236947ca08594f0f55

  • SHA1

    9ed6646ef7f0815d02066b60cd7bbc8d27cbf360

  • SHA256

    851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1

  • SHA512

    8db0fb767897f15cb51fcdefb5b06449e3d41e85e7d2e129fc674a2fa8077f3352dd21e3d8a8b28f4c36a5a9136df65ebd288e47ff58df9a524f650279c3ce30

  • SSDEEP

    6144:mQvE/UVPy/oCa+LDZWC9z5NUb+knq1diDmN:3vzPygCa+DZCnq1c+

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.encompossoftware.com
  • Port:
    21
  • Username:
    remoteuser
  • Password:
    Encomposx99
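
The credentials above are LimeRAT's exfiltration endpoint, and because FTP sends USER and PASS in cleartext on the control channel, a network sensor can match them directly. The following added example (not part of the Triage report, not LimeRAT code) turns the extracted config into indicators and scans FTP control-channel logs for them. The log lines are constructed for illustration, and their field layout (timestamp, source, destination:port, raw FTP command) is an assumption rather than any particular sensor's format.

```python
"""Turn the credentials Triage extracted from this LimeRAT sample into
network indicators and match them against FTP control-channel logs.

Added example, not part of the Triage report and not LimeRAT code.
The log lines below are constructed for illustration; the field layout
(timestamp, src, dst:port, raw FTP command) is an assumption, not any
particular sensor's format."""
from dataclasses import dataclass
import re

# Values copied from the "Credentials" section of the report.
EXTRACTED_CONFIG = {
    "protocol": "ftp",
    "host": "ftp.encompossoftware.com",
    "port": 21,
    "username": "remoteuser",
    "password": "Encomposx99",
}

@dataclass(frozen=True)
class Hit:
    line_no: int
    reason: str
    src: str

# Constructed sample capture: one benign FTP session, one session that
# logs in with the extracted credentials and uploads a file, and one
# session that reaches the same host with a different account.
SAMPLE_FTP_LOG = """\
2022-10-04T21:01:02Z 10.0.0.5 203.0.113.10:21 USER anonymous
2022-10-04T21:01:03Z 10.0.0.5 203.0.113.10:21 PASS guest@
2022-10-04T21:07:11Z 10.0.0.23 ftp.encompossoftware.com:21 USER remoteuser
2022-10-04T21:07:11Z 10.0.0.23 ftp.encompossoftware.com:21 PASS Encomposx99
2022-10-04T21:07:12Z 10.0.0.23 ftp.encompossoftware.com:21 STOR WIN-ABC123_screens.zip
2022-10-04T21:30:00Z 10.0.0.9 ftp.encompossoftware.com:21 USER webmaster
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>[^:\s]+):(?P<port>\d+)\s+"
    r"(?P<cmd>[A-Z]{3,4})(?:\s+(?P<arg>.*))?$"
)

def match_ftp_log(log_text: str, config: dict = EXTRACTED_CONFIG) -> list[Hit]:
    """Return one Hit per log line that touches the extracted C2/exfil endpoint.

    Two tiers: any command to the configured host:port is a weak hit (the
    host is a legitimate hosting service and may serve real users), while a
    USER/PASS carrying the exact extracted credentials is a strong hit that
    attributes the session to this sample."""
    hits = []
    for n, raw in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(raw)
        if not m:
            continue  # malformed line: skip rather than crash the scan
        dst, port = m["dst"].lower(), int(m["port"])
        if dst != config["host"].lower() or port != config["port"]:
            continue
        cmd, arg = m["cmd"], (m["arg"] or "")
        if cmd == "USER" and arg == config["username"]:
            hits.append(Hit(n, "extracted username", m["src"]))
        elif cmd == "PASS" and arg == config["password"]:
            hits.append(Hit(n, "extracted password", m["src"]))
        elif cmd == "STOR":
            hits.append(Hit(n, "upload to C2 host", m["src"]))
        else:
            hits.append(Hit(n, "contact with C2 host", m["src"]))
    return hits

def compromised_sources(log_text: str, config: dict = EXTRACTED_CONFIG) -> set[str]:
    """Sources that presented the extracted credentials; those hosts ran the sample."""
    strong = {"extracted username", "extracted password"}
    return {h.src for h in match_ftp_log(log_text, config) if h.reason in strong}

if __name__ == "__main__":
    for hit in match_ftp_log(SAMPLE_FTP_LOG):
        print(f"line {hit.line_no}: {hit.reason} from {hit.src}")
    print("hosts to isolate:", sorted(compromised_sources(SAMPLE_FTP_LOG)))
```

The two-tier split matters because the host is a legitimate hosting provider (see "Legitimate hosting services abused for malware hosting/C2" under Targets): blocking the hostname outright may break real users, whereas a login with the extracted username or password is specific to this sample's configuration.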

Targets

    • Target

      851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1.exe

    • Size

      242KB

    • MD5

      10e6c5653d2929236947ca08594f0f55

    • SHA1

      9ed6646ef7f0815d02066b60cd7bbc8d27cbf360

    • SHA256

      851266da3ffdf9c37b139611382b30710ab960b761125cdde6cba1eeaebf24e1

    • SHA512

      8db0fb767897f15cb51fcdefb5b06449e3d41e85e7d2e129fc674a2fa8077f3352dd21e3d8a8b28f4c36a5a9136df65ebd288e47ff58df9a524f650279c3ce30

    • SSDEEP

      6144:mQvE/UVPy/oCa+LDZWC9z5NUb+knq1diDmN:3vzPygCa+DZCnq1c+

    • Contains code to disable Windows Defender

      A .NET executable that disables Windows Defender capabilities such as real-time monitoring, block at first sight, etc.

    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Modifies Windows Defender Real-time Protection settings

    • Modifies security service

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2
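
The signatures above describe host behaviour that endpoint telemetry can catch. The following added example (not part of the Triage report and not LimeRAT code) implements detection logic for several of them: Defender real-time protection tampering via command line and via registry, a stopped security service, shadow-copy deletion, the Geo\Nation geofence lookup, and a file dropped into the Drivers directory. The events are constructed in a simplified Sysmon-like shape, and the registry values, commands and service names the rules match are the well-known ones for these techniques, not values taken from this sample (the report lists no specifics).

```python
"""Host-side detection logic for the behaviours this Triage report flags:
Defender real-time protection tampering, a stopped security service,
shadow-copy deletion, the Geo\\Nation geofence lookup and a file dropped
into the Drivers directory.

Added example; it is not part of the Triage report and not LimeRAT code.
The events are constructed in a simplified Sysmon-like shape. The registry
values, commands and service names the rules match are the well-known ones
for these techniques, not values taken from this sample (the report lists
no specifics)."""
import re

# Policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
# (and its Real-Time Protection subkey) that turn Defender features off.
DEFENDER_TAMPER_VALUES = {
    "DisableAntiSpyware", "DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
    "DisableOnAccessProtection", "DisableIOAVProtection", "DisableScanOnRealtimeEnable",
}

# Command-line patterns, each paired with the rule it fires.
PROCESS_RULES = [
    ("defender_tamper_cmdline", re.compile(
        r"Set-MpPreference\b.*-Disable(?:RealtimeMonitoring|BlockAtFirstSeen|"
        r"IOAVProtection|BehaviorMonitoring)", re.I)),
    ("shadow_copy_deletion", re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete"
        r"|Win32_ShadowCopy", re.I)),
    ("security_service_modified", re.compile(
        r"\bsc(?:\.exe)?\s+(?:config|stop|delete)\s+"
        r"(?:WinDefend|Sense|wscsvc|MsMpSvc|SecurityHealthService)\b", re.I)),
]

def _dword_nonzero(details: str) -> bool:
    """True for Sysmon-style 'DWORD (0x00000001)' or a bare '1'; a write of 0
    re-enables the feature and must not fire the tamper rule."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    return bool(m and int(m.group(1), 16)) or details.strip() == "1"

def rules_for(ev: dict) -> list[str]:
    """Return the names of every rule a single event satisfies."""
    fired = []
    if ev["type"] == "process":
        cmd = ev.get("command_line", "")
        fired += [name for name, rx in PROCESS_RULES if rx.search(cmd)]
    elif ev["type"] == "registry":
        path = ev["target_object"]
        value = path.rsplit("\\", 1)[-1]
        if (ev["action"] == "set" and "\\Windows Defender\\" in path
                and value in DEFENDER_TAMPER_VALUES
                and _dword_nonzero(ev.get("details", ""))):
            fired.append("defender_tamper_registry")
        if (ev["action"] == "query"
                and path.lower().endswith("\\control panel\\international\\geo\\nation")):
            fired.append("location_check")
    elif ev["type"] == "file":
        if ev["action"] == "create" and re.search(r"\\system32\\drivers\\", ev["path"], re.I):
            fired.append("drops_file_in_drivers_dir")
    return fired

def detect(events: list[dict]) -> dict[str, list[int]]:
    """Map each rule name to the ids of the events that triggered it."""
    findings: dict[str, list[int]] = {}
    for ev in events:
        for name in rules_for(ev):
            findings.setdefault(name, []).append(ev["id"])
    return findings

# Constructed telemetry: a benign process, the behaviours from the report,
# and (event 8) a registry write that re-enables monitoring, which must not fire.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "command_line": "notepad.exe readme.txt"},
    {"id": 2, "type": "process", "command_line":
        'powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true'
        ' -DisableBlockAtFirstSeen $true"'},
    {"id": 3, "type": "registry", "action": "set", "details": "DWORD (0x00000001)",
     "target_object": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
                      r"\Real-Time Protection\DisableRealtimeMonitoring"},
    {"id": 4, "type": "process", "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 5, "type": "registry", "action": "query",
     "target_object": r"HKCU\Control Panel\International\Geo\Nation"},
    {"id": 6, "type": "file", "action": "create",
     "path": r"C:\Windows\System32\drivers\etc\hosts"},
    {"id": 7, "type": "process", "command_line": "sc stop WinDefend"},
    {"id": 8, "type": "registry", "action": "set", "details": "DWORD (0x00000000)",
     "target_object": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
                      r"\Real-Time Protection\DisableRealtimeMonitoring"},
]

if __name__ == "__main__":
    for rule, ids in sorted(detect(SAMPLE_EVENTS).items()):
        print(f"{rule}: events {ids}")
```

The registry rule deliberately checks the written value rather than just the value name: an administrator or a remediation script setting DisableRealtimeMonitoring back to 0 would otherwise produce the same alert as the malware that set it to 1. On real data, the Geo\Nation read and the write under the Drivers directory are low-severity on their own and are worth correlating with the other rules before paging anyone.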
