limerat | ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab

General

Target

ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe
Size

48KB
MD5

6f23275eccec12e9a909fab9729c3497
SHA1

9e74264aa2466fff3dd85cd1beaa64d29f9470c6
SHA256

ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab
SHA512

6950b8071e986bdff8e76f1934dc88f3fb52baa3e754d941d7cab0912f0b468344ccf0c62b16431e5bf391278e764ca209b3a93ebc38364d2697fb258c5348ac
SSDEEP

768:nNvp6SGik0sciGmgawGhmJmtTqPTkAVMwA/pqec4q4uwDnuZ3zo77yN:r6hV0scPmga0iUTksAJaEn4lN

Score

10^/10

limerat rat

Malware Config

Extracted

Family

limerat

Attributes

aes_key
IRj3SceatjDfweW/qMMw7g==
antivm
true
c2_url
https://pastebin.com/raw/Ex7adUSH
delay
3
download_payload
false
install
true
install_name
svchost.exe
main_folder
AppData
pin_spread
false
sub_folder
\Winifi\
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Executes dropped EXE 2 IoCs

pid	Process
1244	svchost.exe
1048	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
900	ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 952 set thread context of 900	952	ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe	28
PID 1244 set thread context of 1048	1244	svchost.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1292	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1048	svchost.exe
Token: SeDebugPrivilege	1048	svchost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 900	952	ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe	28
PID 952 wrote to memory of 900	952	ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe	28
PID 952 wrote to memory of 900	952	ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe	28
PID 952 wrote to memory of 900	952	ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe	28
PID 952 wrote to memory of 900	952	ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe	28
PID 952 wrote to memory of 900	952	ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe	28
PID 952 wrote to memory of 900	952	ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe	28
PID 952 wrote to memory of 900	952	ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe	28
PID 900 wrote to memory of 1292	900	ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe	30
PID 900 wrote to memory of 1292	900	ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe	30
PID 900 wrote to memory of 1292	900	ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe	30
PID 900 wrote to memory of 1292	900	ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe	30
PID 900 wrote to memory of 1244	900	ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe	32
PID 900 wrote to memory of 1244	900	ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe	32
PID 900 wrote to memory of 1244	900	ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe	32
PID 900 wrote to memory of 1244	900	ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe	32
PID 1244 wrote to memory of 1048	1244	svchost.exe	33
PID 1244 wrote to memory of 1048	1244	svchost.exe	33
PID 1244 wrote to memory of 1048	1244	svchost.exe	33
PID 1244 wrote to memory of 1048	1244	svchost.exe	33
PID 1244 wrote to memory of 1048	1244	svchost.exe	33
PID 1244 wrote to memory of 1048	1244	svchost.exe	33
PID 1244 wrote to memory of 1048	1244	svchost.exe	33
PID 1244 wrote to memory of 1048	1244	svchost.exe	33

C:\Users\Admin\AppData\Local\Temp\ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe
"C:\Users\Admin\AppData\Local\Temp\ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:952
- C:\Users\Admin\AppData\Local\Temp\ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe
  "C:\Users\Admin\AppData\Local\Temp\ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\Winifi\svchost.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1292
- - C:\Users\Admin\AppData\Roaming\Winifi\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Winifi\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1244
  - - C:\Users\Admin\AppData\Roaming\Winifi\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Winifi\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Winifi\svchost.exe

Filesize
48KB

MD5
6f23275eccec12e9a909fab9729c3497

SHA1
9e74264aa2466fff3dd85cd1beaa64d29f9470c6

SHA256
ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab

SHA512
6950b8071e986bdff8e76f1934dc88f3fb52baa3e754d941d7cab0912f0b468344ccf0c62b16431e5bf391278e764ca209b3a93ebc38364d2697fb258c5348ac

Download Submit
C:\Users\Admin\AppData\Roaming\Winifi\svchost.exe

Filesize
48KB

MD5
6f23275eccec12e9a909fab9729c3497

SHA1
9e74264aa2466fff3dd85cd1beaa64d29f9470c6

SHA256
ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab

SHA512
6950b8071e986bdff8e76f1934dc88f3fb52baa3e754d941d7cab0912f0b468344ccf0c62b16431e5bf391278e764ca209b3a93ebc38364d2697fb258c5348ac

Download Submit
C:\Users\Admin\AppData\Roaming\Winifi\svchost.exe

Filesize
48KB

MD5
6f23275eccec12e9a909fab9729c3497

SHA1
9e74264aa2466fff3dd85cd1beaa64d29f9470c6

SHA256
ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab

SHA512
6950b8071e986bdff8e76f1934dc88f3fb52baa3e754d941d7cab0912f0b468344ccf0c62b16431e5bf391278e764ca209b3a93ebc38364d2697fb258c5348ac

Download Submit
\Users\Admin\AppData\Roaming\Winifi\svchost.exe

Filesize
48KB

MD5
6f23275eccec12e9a909fab9729c3497

SHA1
9e74264aa2466fff3dd85cd1beaa64d29f9470c6

SHA256
ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab

SHA512
6950b8071e986bdff8e76f1934dc88f3fb52baa3e754d941d7cab0912f0b468344ccf0c62b16431e5bf391278e764ca209b3a93ebc38364d2697fb258c5348ac

Download Submit
memory/900-59-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/900-56-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/900-63-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/900-65-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/900-60-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/900-67-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/900-57-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/952-54-0x0000000000180000-0x0000000000192000-memory.dmp

Filesize
72KB

Download
memory/952-55-0x00000000002B0000-0x00000000002B8000-memory.dmp

Filesize
32KB

Download
memory/1244-72-0x00000000011A0000-0x00000000011B2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads