limerat | 50e243b9f1481a581e8e8c2a5101f3ef43253adb873bb7c6ca4eb1ce3c7e9d61 | Triage

Submit
Reports

Overview

overview

Static

static

5

78973c8f95...66.exe

windows7-x64

78973c8f95...66.exe

windows10-2004-x64

Sharing

General

Target

78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.zip
Size

12.3MB
Sample

230321-rz1xzadc8s
MD5

cf4432a361e609f331ae214a4c7712bb
SHA1

ec64a4b815c26c08743be395b797507722246ccb
SHA256

50e243b9f1481a581e8e8c2a5101f3ef43253adb873bb7c6ca4eb1ce3c7e9d61
SHA512

f5748f15b6b9e98b92fc58a9f3ec5e336777b863cc3de49bec3dce4dcb66c18a4a0e7de28c3abe663be62417ac3262265ab67e8c8c9493c5ebfee00d101a2176
SSDEEP

196608:jckxANxAtW8oV4DW8/QjGjzCHElOhL8SLdRy8EJwiPxS2bwtoyxH7X7oMNXP37Tj:9xkutmMW8/b/OL8MrLN8f837oMNXPTn

Score

10^/10

limerat quasar storage persistence rat spyware trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe

Resource

win7-20230220-en

limerat quasar storage persistence rat spyware trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe

Resource

win10v2004-20230220-en

limerat quasar storage persistence rat spyware trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

storage

C2

xmarvel.ddns.net:4782

2.58.56.188:4782

Mutex

Slbw7KtgA7WecQEqcR

Attributes

encryption_key
BTg0dEybEXwn6MM90CP2
install_name
ccleaner.exe
log_directory
windowfirewalls
reconnect_delay
1
startup_key
windowsfirewall.msc
subdirectory
windowsfirewall

Extracted

Family

limerat

Wallets

13WHQ6XEobZYNAjHZPJHkDuzMS8TpgkRqm

Attributes

aes_key
key
antivm
true
c2_url
https://pastebin.com/raw/nW4J6TiP
delay
3
download_payload
false
install
true
install_name
windowsdefender.exe
main_folder
AppData
pin_spread
false
sub_folder
\
usb_spread
true

Extracted

Family

quasar

Attributes

reconnect_delay
1

Targets

- Target
  
  78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66.exe
- Size
  
  12.9MB
- MD5
  
  a364b35d4dbdcf328367df843a6286c1
- SHA1
  
  31a54c5118109afa7d5c7c465bb4d3b25c947284
- SHA256
  
  78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66
- SHA512
  
  e0687836489ea4cf25fb2b58105a46666a46a447acd01e291a5646928a12e469031f2936087cded0e7eee869cb6e71784c588cd61812387073ba4d0b637c6826
- SSDEEP
  
  196608:Lg+Aalc1yGZIh6L5iYl/dsy+7d3tFELLs1cAm6f971YAmX1ZK1vauo9Dn:Lgsl5hef1k7ptmQbm6fnmlZsoRn
Score

10^/10

limerat quasar storage persistence rat spyware trojan
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

limeratquasarstoragepersistenceratspywaretrojan

behavioral2

limeratquasarstoragepersistenceratspywaretrojan

© 2018-2024

Terms | Privacy