limerat | 700043106c930b06fa9ea4a403ca0929bacb82e1c7bd6abaa522b3c207270871

General

Target

700043106c930b06fa9ea4a403ca0929bacb82e1c7bd6abaa522b3c207270871.exe
Size

335KB
MD5

9268b0a4743de79dc5a13bbc110d7625
SHA1

3813eae8baea870a0b9865a8bd73100e6ec57b70
SHA256

700043106c930b06fa9ea4a403ca0929bacb82e1c7bd6abaa522b3c207270871
SHA512

00631eb1b86c38850efc334d94bb78d3dd1259284386e9b28c04f2362db9554fece5e55492f01f6aa7fae1aa1c80c2974aba0b5fe93797dccdff2291b8363634
SSDEEP

6144:m+b24Srv5ztq9fq2OlioP8fZCbWpg505a:nbT8tg7OlioPWzpb

Score

10^/10

limerat rat

Malware Config

Extracted

Family

limerat

Attributes

aes_key
1234
antivm
false
c2_url
https://pastebin.com/raw/0VLKT4kX
delay
3
download_payload
false
install
false
install_name
Windows Compatibility Assistant.exe
main_folder
AppData
pin_spread
false
sub_folder
\
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

Processes:

700043106c930b06fa9ea4a403ca0929bacb82e1c7bd6abaa522b3c207270871.exe

description	pid	Process	procid_target
PID 1348 set thread context of 4552	1348	700043106c930b06fa9ea4a403ca0929bacb82e1c7bd6abaa522b3c207270871.exe	87

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exe

pid	Process
4588	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

700043106c930b06fa9ea4a403ca0929bacb82e1c7bd6abaa522b3c207270871.exeRegAsm.exe

description	pid	Process
Token: SeDebugPrivilege	1348	700043106c930b06fa9ea4a403ca0929bacb82e1c7bd6abaa522b3c207270871.exe
Token: SeDebugPrivilege	4552	RegAsm.exe
Token: SeDebugPrivilege	4552	RegAsm.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

700043106c930b06fa9ea4a403ca0929bacb82e1c7bd6abaa522b3c207270871.execmd.exe

description	pid	Process	procid_target
PID 1348 wrote to memory of 4552	1348	700043106c930b06fa9ea4a403ca0929bacb82e1c7bd6abaa522b3c207270871.exe	87
PID 1348 wrote to memory of 4552	1348	700043106c930b06fa9ea4a403ca0929bacb82e1c7bd6abaa522b3c207270871.exe	87
PID 1348 wrote to memory of 4552	1348	700043106c930b06fa9ea4a403ca0929bacb82e1c7bd6abaa522b3c207270871.exe	87
PID 1348 wrote to memory of 4552	1348	700043106c930b06fa9ea4a403ca0929bacb82e1c7bd6abaa522b3c207270871.exe	87
PID 1348 wrote to memory of 4552	1348	700043106c930b06fa9ea4a403ca0929bacb82e1c7bd6abaa522b3c207270871.exe	87
PID 1348 wrote to memory of 4552	1348	700043106c930b06fa9ea4a403ca0929bacb82e1c7bd6abaa522b3c207270871.exe	87
PID 1348 wrote to memory of 4552	1348	700043106c930b06fa9ea4a403ca0929bacb82e1c7bd6abaa522b3c207270871.exe	87
PID 1348 wrote to memory of 3276	1348	700043106c930b06fa9ea4a403ca0929bacb82e1c7bd6abaa522b3c207270871.exe	89
PID 1348 wrote to memory of 3276	1348	700043106c930b06fa9ea4a403ca0929bacb82e1c7bd6abaa522b3c207270871.exe	89
PID 1348 wrote to memory of 3276	1348	700043106c930b06fa9ea4a403ca0929bacb82e1c7bd6abaa522b3c207270871.exe	89
PID 1348 wrote to memory of 1272	1348	700043106c930b06fa9ea4a403ca0929bacb82e1c7bd6abaa522b3c207270871.exe	91
PID 1348 wrote to memory of 1272	1348	700043106c930b06fa9ea4a403ca0929bacb82e1c7bd6abaa522b3c207270871.exe	91
PID 1348 wrote to memory of 1272	1348	700043106c930b06fa9ea4a403ca0929bacb82e1c7bd6abaa522b3c207270871.exe	91
PID 1348 wrote to memory of 5112	1348	700043106c930b06fa9ea4a403ca0929bacb82e1c7bd6abaa522b3c207270871.exe	90
PID 1348 wrote to memory of 5112	1348	700043106c930b06fa9ea4a403ca0929bacb82e1c7bd6abaa522b3c207270871.exe	90
PID 1348 wrote to memory of 5112	1348	700043106c930b06fa9ea4a403ca0929bacb82e1c7bd6abaa522b3c207270871.exe	90
PID 1272 wrote to memory of 4588	1272	cmd.exe	95
PID 1272 wrote to memory of 4588	1272	cmd.exe	95
PID 1272 wrote to memory of 4588	1272	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\700043106c930b06fa9ea4a403ca0929bacb82e1c7bd6abaa522b3c207270871.exe
"C:\Users\Admin\AppData\Local\Temp\700043106c930b06fa9ea4a403ca0929bacb82e1c7bd6abaa522b3c207270871.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4552
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\UAC Control"
  2⤵
  PID:3276
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\700043106c930b06fa9ea4a403ca0929bacb82e1c7bd6abaa522b3c207270871.exe" "C:\Users\Admin\AppData\Roaming\UAC Control\UAC Control.exe"
  2⤵
  PID:5112
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\Admin\AppData\Roaming\UAC Control\UAC Control.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nanias" /tr "'C:\Users\Admin\AppData\Roaming\UAC Control\UAC Control.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:4588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1348-133-0x0000000000E00000-0x0000000000E5A000-memory.dmp

Filesize
360KB

Download
memory/1348-134-0x0000000005590000-0x0000000005B34000-memory.dmp

Filesize
5.6MB

Download
memory/1348-135-0x0000000004FE0000-0x0000000005072000-memory.dmp

Filesize
584KB

Download
memory/1348-136-0x0000000004ED0000-0x0000000004F36000-memory.dmp

Filesize
408KB

Download
memory/1348-137-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/1348-138-0x0000000004EA0000-0x0000000004EAA000-memory.dmp

Filesize
40KB

Download
memory/1348-142-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/4552-139-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4552-140-0x0000000005670000-0x000000000570C000-memory.dmp

Filesize
624KB

Download
memory/4552-141-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/4552-143-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads