limerat | 78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66 | Triage

Submit
Reports

Overview

overview

Static

static

5

a364b35d4d...c1.exe

windows7-x64

a364b35d4d...c1.exe

windows10-2004-x64

Sharing

General

Target

a364b35d4dbdcf328367df843a6286c1.exe
Size

12.9MB
Sample

230304-yvd1zaeb4w
MD5

a364b35d4dbdcf328367df843a6286c1
SHA1

31a54c5118109afa7d5c7c465bb4d3b25c947284
SHA256

78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66
SHA512

e0687836489ea4cf25fb2b58105a46666a46a447acd01e291a5646928a12e469031f2936087cded0e7eee869cb6e71784c588cd61812387073ba4d0b637c6826
SSDEEP

196608:Lg+Aalc1yGZIh6L5iYl/dsy+7d3tFELLs1cAm6f971YAmX1ZK1vauo9Dn:Lgsl5hef1k7ptmQbm6fnmlZsoRn

Score

10^/10

limerat quasar revengerat storage persistence rat spyware trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

a364b35d4dbdcf328367df843a6286c1.exe

Resource

win7-20230220-en

limerat quasar revengerat storage persistence rat spyware trojan

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

a364b35d4dbdcf328367df843a6286c1.exe

Resource

win10v2004-20230221-en

limerat quasar storage persistence rat spyware trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

storage

C2

xmarvel.ddns.net:4782

2.58.56.188:4782

Mutex

Slbw7KtgA7WecQEqcR

Attributes

encryption_key
BTg0dEybEXwn6MM90CP2
install_name
ccleaner.exe
log_directory
windowfirewalls
reconnect_delay
1
startup_key
windowsfirewall.msc
subdirectory
windowsfirewall

Extracted

Family

limerat

Wallets

13WHQ6XEobZYNAjHZPJHkDuzMS8TpgkRqm

Attributes

aes_key
key
antivm
true
c2_url
https://pastebin.com/raw/nW4J6TiP
delay
3
download_payload
false
install
true
install_name
windowsdefender.exe
main_folder
AppData
pin_spread
false
sub_folder
\
usb_spread
true

Extracted

Family

quasar

Attributes

reconnect_delay
1

Targets

- Target
  
  a364b35d4dbdcf328367df843a6286c1.exe
- Size
  
  12.9MB
- MD5
  
  a364b35d4dbdcf328367df843a6286c1
- SHA1
  
  31a54c5118109afa7d5c7c465bb4d3b25c947284
- SHA256
  
  78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66
- SHA512
  
  e0687836489ea4cf25fb2b58105a46666a46a447acd01e291a5646928a12e469031f2936087cded0e7eee869cb6e71784c588cd61812387073ba4d0b637c6826
- SSDEEP
  
  196608:Lg+Aalc1yGZIh6L5iYl/dsy+7d3tFELLs1cAm6f971YAmX1ZK1vauo9Dn:Lgsl5hef1k7ptmQbm6fnmlZsoRn
Score

10^/10

limerat quasar revengerat storage persistence rat spyware trojan
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

limeratquasarrevengeratstoragepersistenceratspywaretrojan

behavioral2

limeratquasarstoragepersistenceratspywaretrojan

© 2018-2024

Terms | Privacy