limerat | 52a19a9b1fc41e58aa0ffeda8e9711b1c424c58825b084a4a9a378854318920f

Analysis

max time kernel
149s
max time network
144s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
06-01-2023 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52a19a9b1fc41e58aa0ffeda8e9711b1c424c58825b084a4a9a378854318920f.exe
Size

33KB
MD5

54e737644c21402034c863a89de9f785
SHA1

fa4aa0237c56c2f787d5eea774d03e0fd30d8405
SHA256

52a19a9b1fc41e58aa0ffeda8e9711b1c424c58825b084a4a9a378854318920f
SHA512

a549dc83697609441489d6dd7e8efb20fee74d17051f00e1207e3ea3f3fe394b84d5a2317a78e8ef75a5a3f9424eaf10668a93b6b3a5fa33a9f8ceea1e2b8e1a
SSDEEP

768:dpHG6XbwtuEEP545NXc3g7lwYmemFjRu:dpXbwtvwuzQg7KYBYN

Score

10^/10

limerat rat

Malware Config

Extracted

Family

limerat

Attributes

aes_key
Yp3s6v9y$B?E(H+M
antivm
false
c2_url
https://pastebin.com/raw/hkXuRtp9
delay
3
download_payload
false
install
true
install_name
OverTheCounter.exe
main_folder
Temp
pin_spread
false
sub_folder
\otc\
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Executes dropped EXE 1 IoCs

Processes:

OverTheCounter.exe

pid	Process
5048	OverTheCounter.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exe

pid	Process
1816	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

OverTheCounter.exe

pid	Process
5048	OverTheCounter.exe
5048	OverTheCounter.exe
5048	OverTheCounter.exe
5048	OverTheCounter.exe
5048	OverTheCounter.exe
5048	OverTheCounter.exe
5048	OverTheCounter.exe
5048	OverTheCounter.exe
5048	OverTheCounter.exe
5048	OverTheCounter.exe
5048	OverTheCounter.exe
5048	OverTheCounter.exe
5048	OverTheCounter.exe
5048	OverTheCounter.exe
5048	OverTheCounter.exe
5048	OverTheCounter.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

OverTheCounter.exe

description	pid	Process
Token: SeDebugPrivilege	5048	OverTheCounter.exe
Token: SeDebugPrivilege	5048	OverTheCounter.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

52a19a9b1fc41e58aa0ffeda8e9711b1c424c58825b084a4a9a378854318920f.exe

description	pid	Process	procid_target
PID 2692 wrote to memory of 1816	2692	52a19a9b1fc41e58aa0ffeda8e9711b1c424c58825b084a4a9a378854318920f.exe	67
PID 2692 wrote to memory of 1816	2692	52a19a9b1fc41e58aa0ffeda8e9711b1c424c58825b084a4a9a378854318920f.exe	67
PID 2692 wrote to memory of 1816	2692	52a19a9b1fc41e58aa0ffeda8e9711b1c424c58825b084a4a9a378854318920f.exe	67
PID 2692 wrote to memory of 5048	2692	52a19a9b1fc41e58aa0ffeda8e9711b1c424c58825b084a4a9a378854318920f.exe	69
PID 2692 wrote to memory of 5048	2692	52a19a9b1fc41e58aa0ffeda8e9711b1c424c58825b084a4a9a378854318920f.exe	69
PID 2692 wrote to memory of 5048	2692	52a19a9b1fc41e58aa0ffeda8e9711b1c424c58825b084a4a9a378854318920f.exe	69

C:\Users\Admin\AppData\Local\Temp\52a19a9b1fc41e58aa0ffeda8e9711b1c424c58825b084a4a9a378854318920f.exe
"C:\Users\Admin\AppData\Local\Temp\52a19a9b1fc41e58aa0ffeda8e9711b1c424c58825b084a4a9a378854318920f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\otc\OverTheCounter.exe'"
  2⤵
  - Creates scheduled task(s)
  PID:1816
- C:\Users\Admin\AppData\Local\Temp\otc\OverTheCounter.exe
  "C:\Users\Admin\AppData\Local\Temp\otc\OverTheCounter.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\otc\OverTheCounter.exe

Filesize
33KB

MD5
54e737644c21402034c863a89de9f785

SHA1
fa4aa0237c56c2f787d5eea774d03e0fd30d8405

SHA256
52a19a9b1fc41e58aa0ffeda8e9711b1c424c58825b084a4a9a378854318920f

SHA512
a549dc83697609441489d6dd7e8efb20fee74d17051f00e1207e3ea3f3fe394b84d5a2317a78e8ef75a5a3f9424eaf10668a93b6b3a5fa33a9f8ceea1e2b8e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\otc\OverTheCounter.exe

Filesize
33KB

MD5
54e737644c21402034c863a89de9f785

SHA1
fa4aa0237c56c2f787d5eea774d03e0fd30d8405

SHA256
52a19a9b1fc41e58aa0ffeda8e9711b1c424c58825b084a4a9a378854318920f

SHA512
a549dc83697609441489d6dd7e8efb20fee74d17051f00e1207e3ea3f3fe394b84d5a2317a78e8ef75a5a3f9424eaf10668a93b6b3a5fa33a9f8ceea1e2b8e1a

Download Submit
memory/1816-169-0x0000000000000000-mapping.dmp

Download
memory/1816-184-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-183-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-181-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-180-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-174-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-173-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-171-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/1816-170-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-134-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-158-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-129-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-130-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-131-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-132-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-133-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-116-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-135-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-136-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-137-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-138-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-139-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-140-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-141-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-142-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-143-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-145-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-144-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-146-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-147-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-148-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-149-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-150-0x0000000000C60000-0x0000000000C6E000-memory.dmp

Filesize
56KB

Download
memory/2692-151-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-152-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-153-0x00000000054E0000-0x000000000557C000-memory.dmp

Filesize
624KB

Download
memory/2692-154-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-155-0x0000000005420000-0x0000000005486000-memory.dmp

Filesize
408KB

Download
memory/2692-156-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-157-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-128-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-159-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-160-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-161-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-162-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-163-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-164-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-165-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-166-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-167-0x0000000006070000-0x000000000656E000-memory.dmp

Filesize
5.0MB

Download
memory/2692-168-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-127-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-126-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-125-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-172-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-124-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-123-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-175-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-176-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-177-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-179-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-178-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-122-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-121-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-182-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-120-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-119-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-117-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2692-118-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/5048-201-0x0000000000000000-mapping.dmp

Download
memory/5048-289-0x0000000007200000-0x0000000007292000-memory.dmp

Filesize
584KB

Download