General

  • Target

    Checkeur netflix validator by crips.exe

  • Size

    205KB

  • Sample

    230208-vcs6dscd3v

  • MD5

    d36f15bef276fd447e91af6ee9e38b28

  • SHA1

    14836dd608efb4a0c552a4f370e5aafb340e2a5d

  • SHA256

    6d08ed6acac230f41d9d6fe2a26245eeaf08c84bc7a66fddc764d82d6786d334

  • SHA512

    ada85b6334f457b1217d4d08246f4ccb23bfb22a024aa6a7e1df00c9e83d72b58020b45fefc43eddfa41c54743b01f73632da2ff7b7bcee01d401235289ab242

  • SSDEEP

    3072:DDiv2GSyn88sH888wQ2wmVgMk/211h36vEcIyNTY4WZd/w1UwIwEoTqPMinXHx+i:XOayy

Score
10/10

Malware Config

Extracted

Family

limerat

Wallets

86hac88hN1LipZ8Pzugfp65vMuPzKdYQudAKeKsjzU4RKRtTSSRSzZDNech2VwKy6yEPu8XZGYDsEd51M3vBG6ozAUqPpk3

Attributes
  • aes_key

    20.199.13.167

  • antivm

    true

  • c2_url

    https://pastebin.com/raw/sxNJt2ek

  • delay

    3

  • download_payload

    true

  • install

    true

  • install_name

    checker netflix.exe

  • main_folder

    AppData

  • pin_spread

    true

  • sub_folder

    \

  • usb_spread

    true

Targets

    • Target

      Checkeur netflix validator by crips.exe

    • Size

      205KB

    • MD5

      d36f15bef276fd447e91af6ee9e38b28

    • SHA1

      14836dd608efb4a0c552a4f370e5aafb340e2a5d

    • SHA256

      6d08ed6acac230f41d9d6fe2a26245eeaf08c84bc7a66fddc764d82d6786d334

    • SHA512

      ada85b6334f457b1217d4d08246f4ccb23bfb22a024aa6a7e1df00c9e83d72b58020b45fefc43eddfa41c54743b01f73632da2ff7b7bcee01d401235289ab242

    • SSDEEP

      3072:DDiv2GSyn88sH888wQ2wmVgMk/211h36vEcIyNTY4WZd/w1UwIwEoTqPMinXHx+i:XOayy

    Score
    10/10
    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Legitimate hosting services abused for malware hosting/C2

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.
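The extracted configuration (install_name under main_folder AppData, the Pastebin raw URL as c2_url) and the behavioural signatures above (vbc.exe used for execution, legitimate hosting abused for C2) translate directly into host indicators. The following is an added example, not part of the sandbox report or of LimeRAT itself: a small matcher that applies those indicators to constructed endpoint telemetry. The Event record format and the sample events are constructed for the example; the hash, URL and install-name values are the ones the report lists. Two rules go beyond the literal indicators and are labelled as assumptions in the code: any pastebin.com/raw/ fetch is flagged at low confidence, and vbc.exe launched by something other than a build tool is flagged at medium confidence.

```python
"""Constructed IOC matcher for the indicators in the LimeRAT report above.

Added example, not part of the report or of LimeRAT.  Indicator values
(hashes, C2 URL, install name, main folder) are copied from the report;
the Event format, the sample events and the two heuristic rules are
assumptions made for this example.
"""
from dataclasses import dataclass
import ntpath

# Indicators copied verbatim from the report.
SAMPLE_MD5 = "d36f15bef276fd447e91af6ee9e38b28"
SAMPLE_SHA256 = "6d08ed6acac230f41d9d6fe2a26245eeaf08c84bc7a66fddc764d82d6786d334"
C2_URL = "https://pastebin.com/raw/sxNJt2ek"
INSTALL_NAME = "checker netflix.exe"
MAIN_FOLDER = "AppData"


@dataclass
class Event:
    """One telemetry record (constructed format, loosely Sysmon-like)."""
    kind: str            # "file", "process" or "network"
    path: str = ""       # file path, or image path for a process
    parent: str = ""     # parent image path (process events only)
    url: str = ""        # destination URL (network events only)
    md5: str = ""
    sha256: str = ""


def hash_match(ev: Event) -> bool:
    """Exact match on the sample's MD5 or SHA256 (high confidence)."""
    return ev.sha256.lower() == SAMPLE_SHA256 or ev.md5.lower() == SAMPLE_MD5


def install_path_match(path: str) -> bool:
    """install_name written somewhere below a path component named AppData.

    Assumption: main_folder "AppData" resolves to the user's %APPDATA% tree,
    so the file name is matched anywhere under a directory called AppData
    rather than at one fixed depth.
    """
    norm = path.replace("/", "\\").lower()
    parts = norm.split("\\")
    return ntpath.basename(norm) == INSTALL_NAME and MAIN_FOLDER.lower() in parts


def c2_match(url: str) -> str:
    """Return a rule name for the exact extracted C2 URL, or for any other
    pastebin.com/raw/ fetch (assumption: generalisation of the C2 indicator,
    reported at low confidence); empty string when nothing matches."""
    u = url.strip().lower()
    if u == C2_URL.lower():
        return "limerat_c2_url"
    if u.startswith(("https://pastebin.com/raw/", "http://pastebin.com/raw/")):
        return "pastebin_raw_fetch"
    return ""


def vbc_match(ev: Event) -> bool:
    """vbc.exe started by something other than a build tool.

    Assumption: legitimate vbc.exe launches come from msbuild/devenv/csc; the
    report's 'Uses the VBS compiler for execution' signature reflects vbc.exe
    being spawned by the dropped executable instead.
    """
    image = ntpath.basename(ev.path.replace("/", "\\")).lower()
    parent = ntpath.basename(ev.parent.replace("/", "\\")).lower()
    return image == "vbc.exe" and parent not in {"msbuild.exe", "devenv.exe", "csc.exe"}


def hunt(events):
    """Apply every rule to every event; return (rule, confidence, event) hits."""
    hits = []
    for ev in events:
        if ev.kind in ("file", "process") and hash_match(ev):
            hits.append(("limerat_sample_hash", "high", ev))
        if ev.kind == "file" and install_path_match(ev.path):
            hits.append(("limerat_install_path", "medium", ev))
        if ev.kind == "process" and vbc_match(ev):
            hits.append(("vbc_exe_non_build_parent", "medium", ev))
        if ev.kind == "network":
            rule = c2_match(ev.url)
            if rule:
                hits.append((rule, "high" if rule == "limerat_c2_url" else "low", ev))
    return hits


# Constructed telemetry: the download, the AppData drop, the vbc.exe launch
# and the C2 fetch, plus one benign vbc.exe launch and one benign file.
SAMPLE_EVENTS = [
    Event("file", path=r"C:\Users\bob\Downloads\Checkeur netflix validator by crips.exe",
          sha256=SAMPLE_SHA256),
    Event("file", path=r"C:\Users\bob\AppData\Roaming\checker netflix.exe",
          sha256=SAMPLE_SHA256),
    Event("process", path=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
          parent=r"C:\Users\bob\AppData\Roaming\checker netflix.exe"),
    Event("process", path=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
          parent=r"C:\Program Files\dotnet\msbuild.exe"),
    Event("network", url=C2_URL),
    Event("file", path=r"C:\Users\bob\Documents\report.docx", sha256="00" * 32),
]

if __name__ == "__main__":
    for rule, conf, ev in hunt(SAMPLE_EVENTS):
        print(f"[{conf}] {rule}: {ev.path or ev.url}")
```

The exact hash and C2 URL rules are high confidence because they are tied to this sample; the install-path and vbc.exe rules will survive a rebuild of the sample with a different hash, which is why they are kept separate with their own confidence labels rather than folded into one verdict.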

MITRE ATT&CK Enterprise v6

Tasks