General

  • Target

    50-Cracking-Tools-All-The-Tools-You-Need-To-Crack (1).zip

  • Size

    406.5MB

  • Sample

    230508-tvhxpsdc9t

  • MD5

    f49ef0b6658440036ef1290a8a4a93c2

  • SHA1

    61a6b9a9a7a6f277ef8258eb47bb25d2299d5b9f

  • SHA256

    d212d98ac141ce9579cdfeec15b6bb1dd4f7ed22d4d46b45396b7461fd3de667

  • SHA512

    59901a2f2958486683901c12bfadbd0821c70a66996e56da35b947ba2ac6f56338ce0c676fdc825121cad8e5a27f46a8ace2b1308971167339ca7542f5cadf09

  • SSDEEP

    12582912:9kQFD6JAOy27P+hill4Yz/3EJer+k8VsdStWBFdBINx7gtLA8behAsBjH+tKi/PJ:aB+kTdSM9BgmRfdf
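Before detonating or sharing a local copy of this archive, confirm it is the same file the report describes. The following is an added example, not part of the sandbox report: it streams the file through MD5, SHA1, SHA256 and SHA512 in one pass and reports which digests disagree with the values above. The file path is supplied on the command line; SSDEEP is not checked because it needs a third-party library.

```python
# Added example (not part of the report): verify a local copy of the sample
# against the hashes printed in the General section before handling it further.
import hashlib

# Digests copied from the report above.
REPORT_HASHES = {
    "md5": "f49ef0b6658440036ef1290a8a4a93c2",
    "sha1": "61a6b9a9a7a6f277ef8258eb47bb25d2299d5b9f",
    "sha256": "d212d98ac141ce9579cdfeec15b6bb1dd4f7ed22d4d46b45396b7461fd3de667",
    "sha512": "59901a2f2958486683901c12bfadbd0821c70a66996e56da35b947ba2ac6f5633"
              "8ce0c676fdc825121cad8e5a27f46a8ace2b1308971167339ca7542f5cadf09",
}


def hash_stream(chunks):
    """Hash an iterable of byte chunks with all four algorithms in a single pass."""
    hashers = {name: hashlib.new(name) for name in REPORT_HASHES}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path, chunk_size=1 << 20):
    """Hash a file without loading it fully into memory (the sample is 406.5MB)."""
    with open(path, "rb") as f:
        return hash_stream(iter(lambda: f.read(chunk_size), b""))


def check_sample(observed, expected=REPORT_HASHES):
    """Return the sorted list of algorithms whose digest differs from the report.

    An empty list means every digest matched. Comparison is case-insensitive,
    and a digest missing from `observed` counts as a mismatch.
    """
    return sorted(name for name, digest in expected.items()
                  if observed.get(name, "").lower() != digest.lower())


if __name__ == "__main__":
    import sys
    mismatches = check_sample(hash_file(sys.argv[1]))
    print("MATCH" if not mismatches else "MISMATCH: " + ", ".join(mismatches))
```

A single-algorithm match is not enough on its own: check the full set, and treat any mismatch as a different file, since a re-packed copy from another forum thread will share the name but none of the digests.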

Malware Config

Extracted

  • Family

    limerat

Attributes

  • aes_key

    blunts

  • antivm

    true

  • c2_url

    https://pastebin.com/raw/1NRAsuVh

  • delay

    3

  • download_payload

    false

  • install

    true

  • install_name

    FortniteAimbotESP.exe

  • main_folder

    Temp

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    true

Targets

    • Target

      50-Cracking-Tools-All-The-Tools-You-Need-To-Crack (1).zip


    • Detect Neshta payload

    • Neshta

      Neshta is a file infector: it attaches its own code to other .exe files on the host so that launching an infected program also runs the infector, which is how it spreads and why infected executables are damaged.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      VirtualBox exposes ACPI tables whose OEM ID is VBOX__ under HKLM\HARDWARE\ACPI, so reading those keys is a cheap hypervisor check; this matches the antivm flag set to true in the extracted config.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

      The exefile\shell\open\command handler is changed so that every .exe launch passes through the malware first. This is the Neshta infection hook and the T1042 entry in the matrix below.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

      The c2_url in the extracted config points at a Pastebin raw paste rather than at the C2 host itself: LimeRAT fetches the paste to learn the real host:port (a dead-drop resolver), so the operator can move the C2 by editing the paste and blocking one server does not cut the channel.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      NtSetInformationThread with the ThreadHideFromDebugger class stops a thread from delivering debug events, a standard anti-debugging trick that fits with the Themida packer noted above.
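The extracted config and the signatures above translate directly into host telemetry to hunt for. The following is an added example, not code from the report or from any vendor: it classifies Sysmon-style events (registry set/query, process create, DNS query, and an HTTP request as a proxy would log it) against the config values (install path under Temp, the Pastebin c2_url) and against the registry behaviour behind the file-association and anti-VM signatures. The event schema, the exact registry keys assumed for those two signatures, and the sample events are all constructed for illustration.

```python
# Added example (not from the report): match the extracted LimeRAT config and
# the sandbox signatures against Sysmon-style telemetry. The event shape and
# the sample events below are constructed for illustration.
import re

# Indicators copied from the extracted config above.
C2_URL = "https://pastebin.com/raw/1NRAsuVh"
INSTALL_NAME = "FortniteAimbotESP.exe"
INSTALL_DIR = "Temp"          # main_folder; sub_folder "\" means no subdirectory

# Registry paths assumed for two of the signatures (the report names the
# behaviour, not the keys). exefile\shell\open\command is the hook behind
# "modifies system executable filetype association"; the ACPI/BIOS keys are
# the usual VirtualBox tells behind the anti-VM signatures.
EXEFILE_CMD = r"HKLM\SOFTWARE\Classes\exefile\shell\open\command"
EXEFILE_DEFAULT = '"%1" %*'   # the stock handler; anything else is a hijack
VM_KEY_MARKERS = (r"\ACPI\DSDT\VBOX__", r"\DESCRIPTION\System\SystemBiosVersion")

# ...\Temp\FortniteAimbotESP.exe at the end of an image path, any drive/user.
INSTALL_PATH_RE = re.compile(
    r"\\" + re.escape(INSTALL_DIR) + r"\\" + re.escape(INSTALL_NAME) + r"$", re.I)


def classify_event(ev):
    """Return the list of signature names one event matches (empty if none)."""
    hits = []
    kind = ev.get("event")
    if kind == "registry_set":
        target = ev.get("target", "")
        if target.lower() == EXEFILE_CMD.lower() and ev.get("details") != EXEFILE_DEFAULT:
            hits.append("T1042 exefile open handler replaced")
    elif kind == "registry_query":
        target = ev.get("target", "").lower()
        if any(marker.lower() in target for marker in VM_KEY_MARKERS):
            hits.append("T1497 VirtualBox/BIOS registry probe")
    elif kind == "process_create":
        if INSTALL_PATH_RE.search(ev.get("image", "")):
            hits.append("LimeRAT install_name executed from Temp")
    elif kind == "dns_query":
        if ev.get("query", "").lower() == "pastebin.com":
            hits.append("T1102 pastebin.com resolved (possible dead-drop resolver)")
    elif kind == "http_request":
        if ev.get("url") == C2_URL:
            hits.append("LimeRAT c2_url fetched")
    return hits


def scan(events):
    """Map the index of every matching event to its hits; clean events are omitted."""
    return {i: hits for i, ev in enumerate(events) if (hits := classify_event(ev))}


# Constructed events, not real telemetry. Event 1 mimics the Neshta-style
# handler rewrite; event 2 is the benign default value and must not fire.
SAMPLE_EVENTS = [
    {"event": "registry_query", "target": r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"},
    {"event": "registry_set", "target": EXEFILE_CMD,
     "details": r'C:\Windows\svchost.com "%1" %*'},
    {"event": "registry_set", "target": EXEFILE_CMD, "details": EXEFILE_DEFAULT},
    {"event": "process_create",
     "image": r"C:\Users\alice\AppData\Local\Temp\FortniteAimbotESP.exe"},
    {"event": "dns_query", "query": "pastebin.com"},
    {"event": "http_request", "url": C2_URL},
    {"event": "process_create", "image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["event"], hits)
```

The DNS match on pastebin.com alone is low fidelity on a network where people use the site; the combination with a process started from %TEMP% under the install_name, or with the exact raw URL from a proxy log, is what makes the alert actionable.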

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                Technique                          Count  ID
Persistence           Change Default File Association    1      T1042
Defense Evasion       Virtualization/Sandbox Evasion     1      T1497
Defense Evasion       Modify Registry                    2      T1112
Credential Access     Credentials in Files               1      T1081
Discovery             Query Registry                     2      T1012
Discovery             Virtualization/Sandbox Evasion     1      T1497
Discovery             System Information Discovery       3      T1082
Collection            Data from Local System             1      T1005
Command and Control   Web Service                        1      T1102

Count is the number of signatures above mapped to that technique; the IDs follow ATT&CK v6 numbering, so T1042 and T1081 are the pre-sub-technique identifiers.

Tasks