limerat | 2e13890ad41d07c20e2f6cec6d162fa7ecba08a1f57e4a34ab4988f4964e5aa2

General

Target

2e13890ad41d07c20e2f6cec6d162fa7ecba08a1f57e4a34ab4988f4964e5aa2.exe
Size

17.3MB
MD5

bb5b6495d22a722624313fb4076749cb
SHA1

c7db683ca054476a7ba37932b22ba9d131140213
SHA256

2e13890ad41d07c20e2f6cec6d162fa7ecba08a1f57e4a34ab4988f4964e5aa2
SHA512

9f5e5c6d1d27143c3d9166fc0620c97a5af06639903e7ea584ba8b24c4756dc7f1fbaee8de6bb9ad3bb45c0a3899fcc3cc7e181dbf151f5075ef9c935fb0c1bc
SSDEEP

393216:rcJYwsM/YX3UZiVEiq+mEwZjGVanL54XVSeygXiWjT3iBGsIcRxiJOzMNe5vjAKG:uYjM/9+EC0tCky4eywf3iosJ6JOAN8v4

Score

10^/10

limerat persistence rat

Malware Config

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

2e13890ad41d07c20e2f6cec6d162fa7ecba08a1f57e4a34ab4988f4964e5aa2.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\WsVt3xEn4xPVyzK7\\G0bvhOxxH5Le.exe\",explorer.exe"	2e13890ad41d07c20e2f6cec6d162fa7ecba08a1f57e4a34ab4988f4964e5aa2.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2e13890ad41d07c20e2f6cec6d162fa7ecba08a1f57e4a34ab4988f4964e5aa2.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	2e13890ad41d07c20e2f6cec6d162fa7ecba08a1f57e4a34ab4988f4964e5aa2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

2e13890ad41d07c20e2f6cec6d162fa7ecba08a1f57e4a34ab4988f4964e5aa2.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	2e13890ad41d07c20e2f6cec6d162fa7ecba08a1f57e4a34ab4988f4964e5aa2.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid	Process
4296	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid	Process
4296	vlc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

2e13890ad41d07c20e2f6cec6d162fa7ecba08a1f57e4a34ab4988f4964e5aa2.exeAUDIODG.EXEvlc.exe

description	pid	Process
Token: SeDebugPrivilege	3044	2e13890ad41d07c20e2f6cec6d162fa7ecba08a1f57e4a34ab4988f4964e5aa2.exe
Token: 33	1532	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1532	AUDIODG.EXE
Token: 33	4296	vlc.exe
Token: SeIncBasePriorityPrivilege	4296	vlc.exe
Token: SeDebugPrivilege	3044	2e13890ad41d07c20e2f6cec6d162fa7ecba08a1f57e4a34ab4988f4964e5aa2.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

vlc.exe

pid	Process
4296	vlc.exe
4296	vlc.exe
4296	vlc.exe
4296	vlc.exe
4296	vlc.exe
4296	vlc.exe
4296	vlc.exe
4296	vlc.exe
4296	vlc.exe
4296	vlc.exe
4296	vlc.exe
4296	vlc.exe
4296	vlc.exe
4296	vlc.exe
4296	vlc.exe
4296	vlc.exe
4296	vlc.exe
4296	vlc.exe
4296	vlc.exe
4296	vlc.exe
4296	vlc.exe
4296	vlc.exe
4296	vlc.exe
4296	vlc.exe
4296	vlc.exe
4296	vlc.exe

Suspicious use of SendNotifyMessage 7 IoCs

Processes:

vlc.exe

pid	Process
4296	vlc.exe
4296	vlc.exe
4296	vlc.exe
4296	vlc.exe
4296	vlc.exe
4296	vlc.exe
4296	vlc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

vlc.exe

pid	Process
4296	vlc.exe
4296	vlc.exe
4296	vlc.exe
4296	vlc.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

2e13890ad41d07c20e2f6cec6d162fa7ecba08a1f57e4a34ab4988f4964e5aa2.exe

description	pid	Process	procid_target
PID 3044 wrote to memory of 4296	3044	2e13890ad41d07c20e2f6cec6d162fa7ecba08a1f57e4a34ab4988f4964e5aa2.exe	83
PID 3044 wrote to memory of 4296	3044	2e13890ad41d07c20e2f6cec6d162fa7ecba08a1f57e4a34ab4988f4964e5aa2.exe	83

C:\Users\Admin\AppData\Local\Temp\2e13890ad41d07c20e2f6cec6d162fa7ecba08a1f57e4a34ab4988f4964e5aa2.exe
"C:\Users\Admin\AppData\Local\Temp\2e13890ad41d07c20e2f6cec6d162fa7ecba08a1f57e4a34ab4988f4964e5aa2.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\yOxl8MI0FsudTV70.mp4"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4296

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x498 0x3f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yOxl8MI0FsudTV70.mp4

Filesize
10.8MB

MD5
16573795f77e76bd709b505336d4e6f6

SHA1
958f2c96a2023c97e132e25a1ebc59480f326444

SHA256
3e30268c17daf5648d1b34fe8a3dbb49bda6cc02e1f2e182452950fbee9d3c3d

SHA512
a165f9bdc1cb88d34fc73f7cfba658c6d95d07c175a9b517725f178b217c29dcb8359666bf3fec1ccd04bee70a5ec75d35d458f7517bafb96c5327f761aab783

Download Submit
memory/3044-132-0x0000000000410000-0x0000000001562000-memory.dmp

Filesize
17.3MB

Download
memory/3044-133-0x0000000009450000-0x00000000099F4000-memory.dmp

Filesize
5.6MB

Download
memory/3044-134-0x0000000008F40000-0x0000000008FD2000-memory.dmp

Filesize
584KB

Download
memory/3044-135-0x0000000008EA0000-0x0000000008EAA000-memory.dmp

Filesize
40KB

Download
memory/3044-137-0x0000000007320000-0x00000000073BC000-memory.dmp

Filesize
624KB

Download
memory/3044-139-0x0000000007530000-0x0000000007596000-memory.dmp

Filesize
408KB

Download
memory/4296-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads