limerat | e47ebff8db8445fac5e5cfa3a9cf5f3543907ac8d47066a2cbd80c00be10749d

General

Target

Dorksearchergoldcleaned.exe
Size

24KB
MD5

d2cafbe0dee8df78fa2928c5d3f54431
SHA1

bb9e7210d46f983c99e983042ef69c1483354a43
SHA256

e47ebff8db8445fac5e5cfa3a9cf5f3543907ac8d47066a2cbd80c00be10749d
SHA512

41f109e151e13bcb75820beb19686c95314a958dd16da63a4b3d0e6a8b722644a7b074d57b81b84be723fed5515b7b5912107633944b5158886f4eca6a825043
SSDEEP

384:v0eG+mRytj6nmBSwinqm9JmcpCd9vDuNrCeJEomNc+ro3lcbzdYDWn:JjDSwinhJmcpakeN24ZYI

Score

10^/10

limerat rat

Malware Config

Extracted

Family

limerat

Wallets

1Jyrji1JwM6wcv9w6E7GWRUfBt8VyAu6g1

Attributes

aes_key
elprofessor
antivm
true
c2_url
https://pastebin.com/raw/H6K0uUqr
delay
3
download_payload
true
install
true
install_name
Dork searcher gold.exe
main_folder
AppData
pin_spread
true
sub_folder
\
usb_spread
true

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Executes dropped EXE 1 IoCs

pid	Process
1776	Dork searcher gold.exe

Loads dropped DLL 2 IoCs

pid	Process
1548	Dorksearchergoldcleaned.exe
1548	Dorksearchergoldcleaned.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Dorksearchergoldcleaned.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Dorksearchergoldcleaned.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Dork searcher gold.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	Dork searcher gold.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1716	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1776	Dork searcher gold.exe
Token: SeDebugPrivilege	1776	Dork searcher gold.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 1716	1548	Dorksearchergoldcleaned.exe	28
PID 1548 wrote to memory of 1716	1548	Dorksearchergoldcleaned.exe	28
PID 1548 wrote to memory of 1716	1548	Dorksearchergoldcleaned.exe	28
PID 1548 wrote to memory of 1716	1548	Dorksearchergoldcleaned.exe	28
PID 1548 wrote to memory of 1776	1548	Dorksearchergoldcleaned.exe	30
PID 1548 wrote to memory of 1776	1548	Dorksearchergoldcleaned.exe	30
PID 1548 wrote to memory of 1776	1548	Dorksearchergoldcleaned.exe	30
PID 1548 wrote to memory of 1776	1548	Dorksearchergoldcleaned.exe	30

C:\Users\Admin\AppData\Local\Temp\Dorksearchergoldcleaned.exe
"C:\Users\Admin\AppData\Local\Temp\Dorksearchergoldcleaned.exe"
1⤵
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\Dork searcher gold.exe'"
  2⤵
  - Creates scheduled task(s)
  PID:1716
- C:\Users\Admin\AppData\Roaming\Dork searcher gold.exe
  "C:\Users\Admin\AppData\Roaming\Dork searcher gold.exe"
  2⤵
  - Executes dropped EXE
  - Maps connected drives based on registry
  - Suspicious use of AdjustPrivilegeToken
  PID:1776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Dork searcher gold.exe

Filesize
24KB

MD5
d2cafbe0dee8df78fa2928c5d3f54431

SHA1
bb9e7210d46f983c99e983042ef69c1483354a43

SHA256
e47ebff8db8445fac5e5cfa3a9cf5f3543907ac8d47066a2cbd80c00be10749d

SHA512
41f109e151e13bcb75820beb19686c95314a958dd16da63a4b3d0e6a8b722644a7b074d57b81b84be723fed5515b7b5912107633944b5158886f4eca6a825043

Download Submit
C:\Users\Admin\AppData\Roaming\Dork searcher gold.exe

Filesize
24KB

MD5
d2cafbe0dee8df78fa2928c5d3f54431

SHA1
bb9e7210d46f983c99e983042ef69c1483354a43

SHA256
e47ebff8db8445fac5e5cfa3a9cf5f3543907ac8d47066a2cbd80c00be10749d

SHA512
41f109e151e13bcb75820beb19686c95314a958dd16da63a4b3d0e6a8b722644a7b074d57b81b84be723fed5515b7b5912107633944b5158886f4eca6a825043

Download Submit
C:\Users\Admin\AppData\Roaming\Dork searcher gold.exe

Filesize
24KB

MD5
d2cafbe0dee8df78fa2928c5d3f54431

SHA1
bb9e7210d46f983c99e983042ef69c1483354a43

SHA256
e47ebff8db8445fac5e5cfa3a9cf5f3543907ac8d47066a2cbd80c00be10749d

SHA512
41f109e151e13bcb75820beb19686c95314a958dd16da63a4b3d0e6a8b722644a7b074d57b81b84be723fed5515b7b5912107633944b5158886f4eca6a825043

Download Submit
\Users\Admin\AppData\Roaming\Dork searcher gold.exe

Filesize
24KB

MD5
d2cafbe0dee8df78fa2928c5d3f54431

SHA1
bb9e7210d46f983c99e983042ef69c1483354a43

SHA256
e47ebff8db8445fac5e5cfa3a9cf5f3543907ac8d47066a2cbd80c00be10749d

SHA512
41f109e151e13bcb75820beb19686c95314a958dd16da63a4b3d0e6a8b722644a7b074d57b81b84be723fed5515b7b5912107633944b5158886f4eca6a825043

Download Submit
\Users\Admin\AppData\Roaming\Dork searcher gold.exe

Filesize
24KB

MD5
d2cafbe0dee8df78fa2928c5d3f54431

SHA1
bb9e7210d46f983c99e983042ef69c1483354a43

SHA256
e47ebff8db8445fac5e5cfa3a9cf5f3543907ac8d47066a2cbd80c00be10749d

SHA512
41f109e151e13bcb75820beb19686c95314a958dd16da63a4b3d0e6a8b722644a7b074d57b81b84be723fed5515b7b5912107633944b5158886f4eca6a825043

Download Submit
memory/1548-54-0x0000000001020000-0x000000000102A000-memory.dmp

Filesize
40KB

Download
memory/1776-65-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download
memory/1776-66-0x0000000004DB0000-0x0000000004DF0000-memory.dmp

Filesize
256KB

Download
memory/1776-67-0x0000000004DB0000-0x0000000004DF0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads