limerat | da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d

General

Target

da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d.exe
Size

339KB
MD5

e456517631e88d6c617afcaf827a95c9
SHA1

6d8bd9818a2b5ea6b2f3ddd2453ae6df3cedac67
SHA256

da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d
SHA512

d5d7c7b3639b421b146ef10c776b89eff927eb1af89c5d033f76c5341dc1a575ea830d2a6884a04ccbdef2edd24ac0311a4fff86329a5035adb31b9f3b843c5b
SSDEEP

6144:qp3Fy+BoE7P9N6S29r3HwArJngn2lojvCe11qR:wVhF7P9Nz0r3Q+JNOvf1

Score

10^/10

limerat rat

Malware Config

Extracted

Family

limerat

Attributes

aes_key
IRj3SceatjDfweW/qMMw7g==
antivm
true
c2_url
https://pastebin.com/raw/p8Be8nNX
delay
3
download_payload
false
install
true
install_name
Windows Update.exe
main_folder
UserProfile
pin_spread
false
sub_folder
\Windows\
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Executes dropped EXE 2 IoCs

Processes:

Windows Update.exeWindows Update.exe

pid	Process
3696	Windows Update.exe
5056	Windows Update.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 2 IoCs

Processes:

da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d.exeWindows Update.exe

description	pid	Process	procid_target
PID 4500 set thread context of 2720	4500	da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d.exe	84
PID 3696 set thread context of 5056	3696	Windows Update.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exe

pid	Process
4156	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Windows Update.exe

description	pid	Process
Token: SeDebugPrivilege	5056	Windows Update.exe
Token: SeDebugPrivilege	5056	Windows Update.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d.exeda5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d.exeWindows Update.exe

description	pid	Process	procid_target
PID 4500 wrote to memory of 2720	4500	da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d.exe	84
PID 4500 wrote to memory of 2720	4500	da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d.exe	84
PID 4500 wrote to memory of 2720	4500	da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d.exe	84
PID 4500 wrote to memory of 2720	4500	da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d.exe	84
PID 4500 wrote to memory of 2720	4500	da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d.exe	84
PID 4500 wrote to memory of 2720	4500	da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d.exe	84
PID 4500 wrote to memory of 2720	4500	da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d.exe	84
PID 2720 wrote to memory of 4156	2720	da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d.exe	85
PID 2720 wrote to memory of 4156	2720	da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d.exe	85
PID 2720 wrote to memory of 4156	2720	da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d.exe	85
PID 2720 wrote to memory of 3696	2720	da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d.exe	87
PID 2720 wrote to memory of 3696	2720	da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d.exe	87
PID 2720 wrote to memory of 3696	2720	da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d.exe	87
PID 3696 wrote to memory of 5056	3696	Windows Update.exe	90
PID 3696 wrote to memory of 5056	3696	Windows Update.exe	90
PID 3696 wrote to memory of 5056	3696	Windows Update.exe	90
PID 3696 wrote to memory of 5056	3696	Windows Update.exe	90
PID 3696 wrote to memory of 5056	3696	Windows Update.exe	90
PID 3696 wrote to memory of 5056	3696	Windows Update.exe	90
PID 3696 wrote to memory of 5056	3696	Windows Update.exe	90

C:\Users\Admin\AppData\Local\Temp\da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d.exe
"C:\Users\Admin\AppData\Local\Temp\da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Users\Admin\AppData\Local\Temp\da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d.exe
  "C:\Users\Admin\AppData\Local\Temp\da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\Windows\Windows Update.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:4156
- - C:\Users\Admin\Windows\Windows Update.exe
    "C:\Users\Admin\Windows\Windows Update.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3696
  - - C:\Users\Admin\Windows\Windows Update.exe
      "C:\Users\Admin\Windows\Windows Update.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Windows Update.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\Windows\Windows Update.exe

Filesize
339KB

MD5
e456517631e88d6c617afcaf827a95c9

SHA1
6d8bd9818a2b5ea6b2f3ddd2453ae6df3cedac67

SHA256
da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d

SHA512
d5d7c7b3639b421b146ef10c776b89eff927eb1af89c5d033f76c5341dc1a575ea830d2a6884a04ccbdef2edd24ac0311a4fff86329a5035adb31b9f3b843c5b

Download Submit
C:\Users\Admin\Windows\Windows Update.exe

Filesize
339KB

MD5
e456517631e88d6c617afcaf827a95c9

SHA1
6d8bd9818a2b5ea6b2f3ddd2453ae6df3cedac67

SHA256
da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d

SHA512
d5d7c7b3639b421b146ef10c776b89eff927eb1af89c5d033f76c5341dc1a575ea830d2a6884a04ccbdef2edd24ac0311a4fff86329a5035adb31b9f3b843c5b

Download Submit
C:\Users\Admin\Windows\Windows Update.exe

Filesize
339KB

MD5
e456517631e88d6c617afcaf827a95c9

SHA1
6d8bd9818a2b5ea6b2f3ddd2453ae6df3cedac67

SHA256
da5b0c44c3c33a911038c54ec26d4357f48779b3562dd6afb16e51cd16547c5d

SHA512
d5d7c7b3639b421b146ef10c776b89eff927eb1af89c5d033f76c5341dc1a575ea830d2a6884a04ccbdef2edd24ac0311a4fff86329a5035adb31b9f3b843c5b

Download Submit
memory/2720-135-0x0000000004FB0000-0x000000000504C000-memory.dmp

Filesize
624KB

Download
memory/2720-137-0x0000000005CB0000-0x0000000006254000-memory.dmp

Filesize
5.6MB

Download
memory/2720-136-0x0000000005110000-0x0000000005176000-memory.dmp

Filesize
408KB

Download
memory/2720-134-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2720-133-0x0000000000000000-mapping.dmp

Download
memory/3696-139-0x0000000000000000-mapping.dmp

Download
memory/4156-138-0x0000000000000000-mapping.dmp

Download
memory/4500-132-0x00000000008E0000-0x000000000093A000-memory.dmp

Filesize
360KB

Download
memory/5056-143-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads