limerat | 8fc718a75777a80722b50ad6fef3306078e900bbc872bb664a197884721294f0 | Triage

Analysis

max time kernel
145s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2022 23:02

Sharing

Report Analysis Logs

General

Target

Window.exe
Size

28KB
MD5

88dbe003620c32ac5bf9ac5cec42d169
SHA1

26c7cb32d78077c7112b140a293a7076c66690f1
SHA256

8fc718a75777a80722b50ad6fef3306078e900bbc872bb664a197884721294f0
SHA512

073e2e955057b1959a15483ab99cd89e1751e89b6989c6aca71d666b45a6d0badb379bdb2a72d2159be0117cd1cfff6d567d5816d1d853ddf6f1bb586ad7f588
SSDEEP

384:bB+Sbj6NKsyRu6F1AH9o1yqDfIKKy5dYzvDKNrCeJE3WNgAnD8bJvEAEcQro3lcM:FpFU6F1w9YIKzYz45Nvspxxj

Score

10^/10

limerat rat

Malware Config

Extracted

Family

limerat

Attributes

aes_key
LeaveMe
antivm
false
c2_url
http://pastebin.pl/view/raw/0755aad0
delay
3
download_payload
false
install
false
install_name
MicrosoftUpdater.tft.exe
main_folder
UserProfile
pin_spread
false
sub_folder
\.Temp\
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Window.exe

description	pid	Process
Token: SeDebugPrivilege	4896	Window.exe
Token: SeDebugPrivilege	4896	Window.exe

C:\Users\Admin\AppData\Local\Temp\Window.exe
"C:\Users\Admin\AppData\Local\Temp\Window.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4896

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4896-132-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/4896-133-0x0000000004D20000-0x0000000004DBC000-memory.dmp

Filesize
624KB

Download
memory/4896-134-0x0000000004DC0000-0x0000000004E26000-memory.dmp

Filesize
408KB

Download
memory/4896-135-0x0000000005AE0000-0x0000000006084000-memory.dmp

Filesize
5.6MB

Download