General

  • Target

    UltraMailer V3.5.rar

  • Size

    16.7MB

  • Sample

    230401-jnabwaab4z

  • MD5

    94b7efbff53eeded1479fd3018828e2b

  • SHA1

    f0138364cc4de8e706b7f16d0b3e0048c3c91233

  • SHA256

    4dd92b5181f82e852aaa58c9bdcb922b1bdfa08b2bec6b90df926f5fc341a36d

  • SHA512

    39cd7598e705ebcdef5fb33a377f3443353075b7cedc1bbb8e88f5dbde3ed57031b0f809501cee8e1a0f0d830044c7ec5da78880feae406410bd3529d14f9cc7

  • SSDEEP

    393216:GQp9F1i4CB4Xz8TQEmtOpPaMQlLnDT90+X7OXoGOVzUg7Y11grdW/6:GQp97ixWXEmQPvQHRX7ELOvtrM6

Malware Config

Extracted

Family

limerat

Attributes

  • aes_key

    4777

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/MVpsXzd1

  • delay

    3

  • download_payload

    false

  • install

    true

  • install_name

    wservices.exe

  • main_folder

    AppData

  • pin_spread

    false

  • sub_folder

    \/\

  • usb_spread

    true

Targets

    • Target

      UltraMailer V3.5/UltraMailer V3.5 [CRAX.PRO]/DHTMLEd [INSTALL THIS 1ST]/DhtmlEd.msi

    • Size

      345KB

    • MD5

      cdf797b7d8fae7406fe2a4894f15c8d3

    • SHA1

      0b04cf43e1abad1a617f1251fdeed47f736376c5

    • SHA256

      b610a81cdc5c1e3a19af235c9dc1ca0045bd8498689ffa2f8223acd5b34cfb24

    • SHA512

      318df6035ec361bd4da52cb2aaa9aac2822fd3ea75559369df598d57bcb1ffe125e07c5b3fcfb84dee4479dea3d9dbb36d8bec89a3b7cb2322e83f579ac0301e

    • SSDEEP

      6144:5edosggBGbLkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkM:4qspBGbLkkkkkkkkkkkkkkkkkkkkkkkb

    • Score

      8/10

    • Blocklisted process makes network request

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      UltraMailer V3.5/UltraMailer V3.5 [CRAX.PRO]/setup.exe

    • Size

      16.4MB

    • MD5

      4b1351f8eab25240a16498ecb0eb6199

    • SHA1

      5f39a1a8e2fbde7b717676c0a1c9540fc3069e51

    • SHA256

      15f012b7f2103d7a21da10e0dc25e0f1b8a4b9e680b4c6f31503fac54f22aa30

    • SHA512

      a32f870e68ae3d1a93fcb85e58209eea15f9b94cc6716a207f3c84ac005d3a2e2578c95366b9f2215676b4bc14f18e2e2e367a7226d191eed418d3596157f164

    • SSDEEP

      393216:3Qp9F1i4CB4Xz8TQEmtOpPaMQlLnDT90+X7OXoGOVzUg7Y11grdW/:3Qp97ixWXEmQPvQHRX7ELOvtrM

    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Modifies security service

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Stops running service(s)

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6