limerat | 9ed684c16d180e8fad345ad752c38d982c4bd87852ce36bf22ba881b4d9521f2

Analysis

max time kernel
152s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11-03-2023 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ed684c16d180e8fad345ad752c38d982c4bd87852ce36bf22ba881b4d9521f2.exe
Size

28KB
MD5

ebee4feab38455ef71c85f620860024b
SHA1

507e6b0e19b4a74709cd2e568429636f75ebf100
SHA256

9ed684c16d180e8fad345ad752c38d982c4bd87852ce36bf22ba881b4d9521f2
SHA512

a14adc602194f133a5e9b928c231da2d1babf08bad397ae687766ef4225ed1ba974803d7e0bd276d188a8975bc43a80f11180c24ea524d3ad41d9a47a507adca
SSDEEP

384:zB+Sbj6NKOh269tAHN2weOqD6gPy7yVvDKNrCeJE3WNga2V7zNostmIFQro3lcu4:9pOc69twNVg67yl45NP2V7zHmmbEj

Score

10^/10

limerat rat

Malware Config

Extracted

Family

limerat

Wallets

1C8iMa4qE4AKMstVq5ToMswT8ZUgT7eTnH

Attributes

aes_key
lim
antivm
true
c2_url
https://pastebin.com/raw/R2nB6NU0
delay
3
download_payload
false
install
false
install_name
Wservices.exe
main_folder
Temp
pin_spread
false
sub_folder
\
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2200	9ed684c16d180e8fad345ad752c38d982c4bd87852ce36bf22ba881b4d9521f2.exe
Token: SeDebugPrivilege	2200	9ed684c16d180e8fad345ad752c38d982c4bd87852ce36bf22ba881b4d9521f2.exe

C:\Users\Admin\AppData\Local\Temp\9ed684c16d180e8fad345ad752c38d982c4bd87852ce36bf22ba881b4d9521f2.exe
"C:\Users\Admin\AppData\Local\Temp\9ed684c16d180e8fad345ad752c38d982c4bd87852ce36bf22ba881b4d9521f2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2200-133-0x0000000000C40000-0x0000000000C4C000-memory.dmp

Filesize
48KB

Download
memory/2200-134-0x0000000005660000-0x00000000056FC000-memory.dmp

Filesize
624KB

Download
memory/2200-135-0x00000000055D0000-0x0000000005636000-memory.dmp

Filesize
408KB

Download
memory/2200-136-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/2200-137-0x0000000006270000-0x0000000006814000-memory.dmp

Filesize
5.6MB

Download
memory/2200-138-0x00000000069C0000-0x0000000006A52000-memory.dmp

Filesize
584KB

Download
memory/2200-139-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download