Overview

overview

10

Static

static

10

New-Client.exe

windows7-x64

10

New-Client.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    168s
  • max time network
    174s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-05-2023 01:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New-Client.exe

  • Size

    28KB

  • MD5

    8fd93bad82a49824862558c9871d1708

  • SHA1

    4b73f9226879636841557a77099d879951da1957

  • SHA256

    a408402de01a362f79a9a1676ca13407756a7c0fd3b39497bae20374da34a066

  • SHA512

    9742473f7c8d90af1b2421f7e3a7e3160976728611fbd1fd2a4dd82882880e85718b051ea854386dab704fae223e77caca855caf9514acc019590761382caabd

  • SSDEEP

    384:lB+Sbj6NKNJVM6phAHNuQwxqDHju9HvDKNrCeJE3WNg230dZriQro3lcqhf0ysjr:fpNzM6phwNyYju9P45NnBcj

Score
10/10
limeratrat

Malware Config

Extracted

Family

limerat

Attributes
  • aes_key

    FFj+YDsYUMU0LHX0zcAU+w==

  • antivm

    true

  • c2_url

    https://pastebin.com/raw/DDTVwwbu

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Wservices.exe

  • main_folder

    Temp

  • pin_spread

    true

  • sub_folder

    \

  • usb_spread

    true

Signatures

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

    ratlimerat
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\New-Client.exe
    "C:\Users\Admin\AppData\Local\Temp\New-Client.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2032

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2032-133-0x0000000000B80000-0x0000000000B8C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2032-134-0x00000000054E0000-0x000000000557C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2032-135-0x0000000005580000-0x00000000055E6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2032-136-0x0000000005620000-0x0000000005630000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2032-137-0x00000000061A0000-0x0000000006744000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2032-138-0x0000000005620000-0x0000000005630000-memory.dmp

    Filesize

    64KB

    Download