limerat | 98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7

General

Target

98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe
Size

332KB
MD5

a3e1ee0eaca1c17b5c1956bd09d198b0
SHA1

840f647a39d9d520441ebc4d8f58e215fbcafcd3
SHA256

98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7
SHA512

189bbf227ef0886d2a2154f9effa76882024ba5a21f2fbdcbb90dce28473e77a216e9a0a509c221c7add03be36f835819fc710128fe03d5f828638702294f59e
SSDEEP

6144:rP0d79h8N+c8ruZNX0d8vHDOCELIu/Q7gQQBjsj6tD4IA4T1qR:ro9CF+SNXUAHkP/SPQBjsrm1

Score

10^/10

limerat rat

Malware Config

Extracted

Family

limerat

Attributes

aes_key
IRj3SceatjDfweW/qMMw7g==
antivm
true
c2_url
https://pastebin.com/raw/p8Be8nNX
delay
3
download_payload
false
install
true
install_name
Windows Update.exe
main_folder
UserProfile
pin_spread
false
sub_folder
\Windows\
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Executes dropped EXE 2 IoCs

pid	Process
1220	Windows Update.exe
3464	Windows Update.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4888 set thread context of 3600	4888	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe	81
PID 1220 set thread context of 3464	1220	Windows Update.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4896	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4888	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe
Token: SeDebugPrivilege	1220	Windows Update.exe
Token: SeDebugPrivilege	3464	Windows Update.exe
Token: SeDebugPrivilege	3464	Windows Update.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 3600	4888	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe	81
PID 4888 wrote to memory of 3600	4888	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe	81
PID 4888 wrote to memory of 3600	4888	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe	81
PID 4888 wrote to memory of 3600	4888	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe	81
PID 4888 wrote to memory of 3600	4888	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe	81
PID 4888 wrote to memory of 3600	4888	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe	81
PID 4888 wrote to memory of 3600	4888	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe	81
PID 3600 wrote to memory of 4896	3600	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe	83
PID 3600 wrote to memory of 4896	3600	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe	83
PID 3600 wrote to memory of 4896	3600	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe	83
PID 3600 wrote to memory of 1220	3600	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe	85
PID 3600 wrote to memory of 1220	3600	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe	85
PID 3600 wrote to memory of 1220	3600	98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe	85
PID 1220 wrote to memory of 3464	1220	Windows Update.exe	86
PID 1220 wrote to memory of 3464	1220	Windows Update.exe	86
PID 1220 wrote to memory of 3464	1220	Windows Update.exe	86
PID 1220 wrote to memory of 3464	1220	Windows Update.exe	86
PID 1220 wrote to memory of 3464	1220	Windows Update.exe	86
PID 1220 wrote to memory of 3464	1220	Windows Update.exe	86
PID 1220 wrote to memory of 3464	1220	Windows Update.exe	86

C:\Users\Admin\AppData\Local\Temp\98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe
"C:\Users\Admin\AppData\Local\Temp\98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Users\Admin\AppData\Local\Temp\98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe
  "C:\Users\Admin\AppData\Local\Temp\98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3600
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\Windows\Windows Update.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:4896
- - C:\Users\Admin\Windows\Windows Update.exe
    "C:\Users\Admin\Windows\Windows Update.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1220
  - - C:\Users\Admin\Windows\Windows Update.exe
      "C:\Users\Admin\Windows\Windows Update.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Windows Update.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\Windows\Windows Update.exe

Filesize
332KB

MD5
a3e1ee0eaca1c17b5c1956bd09d198b0

SHA1
840f647a39d9d520441ebc4d8f58e215fbcafcd3

SHA256
98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7

SHA512
189bbf227ef0886d2a2154f9effa76882024ba5a21f2fbdcbb90dce28473e77a216e9a0a509c221c7add03be36f835819fc710128fe03d5f828638702294f59e

Download Submit
C:\Users\Admin\Windows\Windows Update.exe

Filesize
332KB

MD5
a3e1ee0eaca1c17b5c1956bd09d198b0

SHA1
840f647a39d9d520441ebc4d8f58e215fbcafcd3

SHA256
98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7

SHA512
189bbf227ef0886d2a2154f9effa76882024ba5a21f2fbdcbb90dce28473e77a216e9a0a509c221c7add03be36f835819fc710128fe03d5f828638702294f59e

Download Submit
C:\Users\Admin\Windows\Windows Update.exe

Filesize
332KB

MD5
a3e1ee0eaca1c17b5c1956bd09d198b0

SHA1
840f647a39d9d520441ebc4d8f58e215fbcafcd3

SHA256
98bd317536a3897e12a06396535593e6df8d2bef351f0f4e4f248e71c26cbbc7

SHA512
189bbf227ef0886d2a2154f9effa76882024ba5a21f2fbdcbb90dce28473e77a216e9a0a509c221c7add03be36f835819fc710128fe03d5f828638702294f59e

Download Submit
memory/1220-139-0x0000000000000000-mapping.dmp

Download
memory/3464-143-0x0000000000000000-mapping.dmp

Download
memory/3600-135-0x00000000050E0000-0x000000000517C000-memory.dmp

Filesize
624KB

Download
memory/3600-137-0x0000000005D70000-0x0000000006314000-memory.dmp

Filesize
5.6MB

Download
memory/3600-136-0x0000000005180000-0x00000000051E6000-memory.dmp

Filesize
408KB

Download
memory/3600-134-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3600-133-0x0000000000000000-mapping.dmp

Download
memory/4888-132-0x00000000006D0000-0x000000000072A000-memory.dmp

Filesize
360KB

Download
memory/4896-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads