limerat | ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab

General

Target

ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe
Size

48KB
MD5

6f23275eccec12e9a909fab9729c3497
SHA1

9e74264aa2466fff3dd85cd1beaa64d29f9470c6
SHA256

ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab
SHA512

6950b8071e986bdff8e76f1934dc88f3fb52baa3e754d941d7cab0912f0b468344ccf0c62b16431e5bf391278e764ca209b3a93ebc38364d2697fb258c5348ac
SSDEEP

768:nNvp6SGik0sciGmgawGhmJmtTqPTkAVMwA/pqec4q4uwDnuZ3zo77yN:r6hV0scPmga0iUTksAJaEn4lN

Score

10^/10

limerat rat

Malware Config

Extracted

Family

limerat

Attributes

aes_key
IRj3SceatjDfweW/qMMw7g==
antivm
true
c2_url
https://pastebin.com/raw/Ex7adUSH
delay
3
download_payload
false
install
true
install_name
svchost.exe
main_folder
AppData
pin_spread
false
sub_folder
\Winifi\
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Executes dropped EXE 2 IoCs

pid	Process
4808	svchost.exe
2872	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4344 set thread context of 2276	4344	ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe	79
PID 4808 set thread context of 2872	4808	svchost.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4852	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2872	svchost.exe
Token: SeDebugPrivilege	2872	svchost.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 2276	4344	ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe	79
PID 4344 wrote to memory of 2276	4344	ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe	79
PID 4344 wrote to memory of 2276	4344	ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe	79
PID 4344 wrote to memory of 2276	4344	ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe	79
PID 4344 wrote to memory of 2276	4344	ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe	79
PID 4344 wrote to memory of 2276	4344	ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe	79
PID 4344 wrote to memory of 2276	4344	ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe	79
PID 2276 wrote to memory of 4852	2276	ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe	81
PID 2276 wrote to memory of 4852	2276	ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe	81
PID 2276 wrote to memory of 4852	2276	ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe	81
PID 2276 wrote to memory of 4808	2276	ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe	83
PID 2276 wrote to memory of 4808	2276	ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe	83
PID 2276 wrote to memory of 4808	2276	ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe	83
PID 4808 wrote to memory of 2872	4808	svchost.exe	84
PID 4808 wrote to memory of 2872	4808	svchost.exe	84
PID 4808 wrote to memory of 2872	4808	svchost.exe	84
PID 4808 wrote to memory of 2872	4808	svchost.exe	84
PID 4808 wrote to memory of 2872	4808	svchost.exe	84
PID 4808 wrote to memory of 2872	4808	svchost.exe	84
PID 4808 wrote to memory of 2872	4808	svchost.exe	84

C:\Users\Admin\AppData\Local\Temp\ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe
"C:\Users\Admin\AppData\Local\Temp\ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Users\Admin\AppData\Local\Temp\ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe
  "C:\Users\Admin\AppData\Local\Temp\ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\Winifi\svchost.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:4852
- - C:\Users\Admin\AppData\Roaming\Winifi\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Winifi\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4808
  - - C:\Users\Admin\AppData\Roaming\Winifi\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Winifi\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Roaming\Winifi\svchost.exe

Filesize
48KB

MD5
6f23275eccec12e9a909fab9729c3497

SHA1
9e74264aa2466fff3dd85cd1beaa64d29f9470c6

SHA256
ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab

SHA512
6950b8071e986bdff8e76f1934dc88f3fb52baa3e754d941d7cab0912f0b468344ccf0c62b16431e5bf391278e764ca209b3a93ebc38364d2697fb258c5348ac

Download Submit
C:\Users\Admin\AppData\Roaming\Winifi\svchost.exe

Filesize
48KB

MD5
6f23275eccec12e9a909fab9729c3497

SHA1
9e74264aa2466fff3dd85cd1beaa64d29f9470c6

SHA256
ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab

SHA512
6950b8071e986bdff8e76f1934dc88f3fb52baa3e754d941d7cab0912f0b468344ccf0c62b16431e5bf391278e764ca209b3a93ebc38364d2697fb258c5348ac

Download Submit
C:\Users\Admin\AppData\Roaming\Winifi\svchost.exe

Filesize
48KB

MD5
6f23275eccec12e9a909fab9729c3497

SHA1
9e74264aa2466fff3dd85cd1beaa64d29f9470c6

SHA256
ee70d7fa5708801ccb2cf83b9bbb324da90e90b6a0c708c643680c6018a7fbab

SHA512
6950b8071e986bdff8e76f1934dc88f3fb52baa3e754d941d7cab0912f0b468344ccf0c62b16431e5bf391278e764ca209b3a93ebc38364d2697fb258c5348ac

Download Submit
memory/2276-135-0x0000000005730000-0x00000000057CC000-memory.dmp

Filesize
624KB

Download
memory/2276-137-0x0000000006450000-0x00000000069F4000-memory.dmp

Filesize
5.6MB

Download
memory/2276-136-0x0000000005830000-0x0000000005896000-memory.dmp

Filesize
408KB

Download
memory/2276-134-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4344-132-0x0000000000BF0000-0x0000000000C02000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads