limerat | 52a19a9b1fc41e58aa0ffeda8e9711b1c424c58825b084a4a9a378854318920f

General

Target

54e737644c21402034c863a89de9f785.exe
Size

33KB
MD5

54e737644c21402034c863a89de9f785
SHA1

fa4aa0237c56c2f787d5eea774d03e0fd30d8405
SHA256

52a19a9b1fc41e58aa0ffeda8e9711b1c424c58825b084a4a9a378854318920f
SHA512

a549dc83697609441489d6dd7e8efb20fee74d17051f00e1207e3ea3f3fe394b84d5a2317a78e8ef75a5a3f9424eaf10668a93b6b3a5fa33a9f8ceea1e2b8e1a
SSDEEP

768:dpHG6XbwtuEEP545NXc3g7lwYmemFjRu:dpXbwtvwuzQg7KYBYN

Score

10^/10

limerat rat

Malware Config

Extracted

Family

limerat

Attributes

aes_key
Yp3s6v9y$B?E(H+M
antivm
false
c2_url
https://pastebin.com/raw/hkXuRtp9
delay
3
download_payload
false
install
true
install_name
OverTheCounter.exe
main_folder
Temp
pin_spread
false
sub_folder
\otc\
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Executes dropped EXE 1 IoCs

pid	Process
688	OverTheCounter.exe

Loads dropped DLL 2 IoCs

pid	Process
540	54e737644c21402034c863a89de9f785.exe
540	54e737644c21402034c863a89de9f785.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1228	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	OverTheCounter.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	OverTheCounter.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
688	OverTheCounter.exe
688	OverTheCounter.exe
688	OverTheCounter.exe
688	OverTheCounter.exe
688	OverTheCounter.exe
688	OverTheCounter.exe
688	OverTheCounter.exe
688	OverTheCounter.exe
688	OverTheCounter.exe
688	OverTheCounter.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	688	OverTheCounter.exe
Token: SeDebugPrivilege	688	OverTheCounter.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 1228	540	54e737644c21402034c863a89de9f785.exe	28
PID 540 wrote to memory of 1228	540	54e737644c21402034c863a89de9f785.exe	28
PID 540 wrote to memory of 1228	540	54e737644c21402034c863a89de9f785.exe	28
PID 540 wrote to memory of 1228	540	54e737644c21402034c863a89de9f785.exe	28
PID 540 wrote to memory of 688	540	54e737644c21402034c863a89de9f785.exe	30
PID 540 wrote to memory of 688	540	54e737644c21402034c863a89de9f785.exe	30
PID 540 wrote to memory of 688	540	54e737644c21402034c863a89de9f785.exe	30
PID 540 wrote to memory of 688	540	54e737644c21402034c863a89de9f785.exe	30

C:\Users\Admin\AppData\Local\Temp\54e737644c21402034c863a89de9f785.exe
"C:\Users\Admin\AppData\Local\Temp\54e737644c21402034c863a89de9f785.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:540
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\otc\OverTheCounter.exe'"
  2⤵
  - Creates scheduled task(s)
  PID:1228
- C:\Users\Admin\AppData\Local\Temp\otc\OverTheCounter.exe
  "C:\Users\Admin\AppData\Local\Temp\otc\OverTheCounter.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Install Root Certificate

Modify Registry

Web Service

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\otc\OverTheCounter.exe

Filesize
33KB

MD5
54e737644c21402034c863a89de9f785

SHA1
fa4aa0237c56c2f787d5eea774d03e0fd30d8405

SHA256
52a19a9b1fc41e58aa0ffeda8e9711b1c424c58825b084a4a9a378854318920f

SHA512
a549dc83697609441489d6dd7e8efb20fee74d17051f00e1207e3ea3f3fe394b84d5a2317a78e8ef75a5a3f9424eaf10668a93b6b3a5fa33a9f8ceea1e2b8e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\otc\OverTheCounter.exe

Filesize
33KB

MD5
54e737644c21402034c863a89de9f785

SHA1
fa4aa0237c56c2f787d5eea774d03e0fd30d8405

SHA256
52a19a9b1fc41e58aa0ffeda8e9711b1c424c58825b084a4a9a378854318920f

SHA512
a549dc83697609441489d6dd7e8efb20fee74d17051f00e1207e3ea3f3fe394b84d5a2317a78e8ef75a5a3f9424eaf10668a93b6b3a5fa33a9f8ceea1e2b8e1a

Download Submit
\Users\Admin\AppData\Local\Temp\otc\OverTheCounter.exe

Filesize
33KB

MD5
54e737644c21402034c863a89de9f785

SHA1
fa4aa0237c56c2f787d5eea774d03e0fd30d8405

SHA256
52a19a9b1fc41e58aa0ffeda8e9711b1c424c58825b084a4a9a378854318920f

SHA512
a549dc83697609441489d6dd7e8efb20fee74d17051f00e1207e3ea3f3fe394b84d5a2317a78e8ef75a5a3f9424eaf10668a93b6b3a5fa33a9f8ceea1e2b8e1a

Download Submit
\Users\Admin\AppData\Local\Temp\otc\OverTheCounter.exe

Filesize
33KB

MD5
54e737644c21402034c863a89de9f785

SHA1
fa4aa0237c56c2f787d5eea774d03e0fd30d8405

SHA256
52a19a9b1fc41e58aa0ffeda8e9711b1c424c58825b084a4a9a378854318920f

SHA512
a549dc83697609441489d6dd7e8efb20fee74d17051f00e1207e3ea3f3fe394b84d5a2317a78e8ef75a5a3f9424eaf10668a93b6b3a5fa33a9f8ceea1e2b8e1a

Download Submit
memory/540-54-0x0000000001170000-0x000000000117E000-memory.dmp

Filesize
56KB

Download
memory/540-56-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/688-62-0x00000000012A0000-0x00000000012AE000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads