limerat | c9e34cc1c82394737d68098efcbd4c4f895fb4ecd7caa3d75e8b749e914412d8

Analysis

max time kernel
128s
max time network
141s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20-06-2023 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe
Size

268KB
MD5

9ccac05dc35bc350756b65e44e55f3de
SHA1

5e296e9c4afd0bdf887b8d49c3e42bf31127cdcd
SHA256

22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca
SHA512

7a9aa256f3855088d39d0d0ebe4ba8fc4734bf2336d3a57cefceb240727b4fbbd159ee01c7da36216130c718c5dc1cda39608bacc5bc1a402a0680d7e67a80b6
SSDEEP

6144:iwKBnr5DNGAEvdl4I3FOobfrBkx9V48FpJh8uildXT/s4u:iw6dNGxvv4I3FOoXY1FNenf

Score

10^/10

limerat persistence rat

Malware Config

Extracted

Family

limerat

Attributes

aes_key
dorkis
antivm
true
c2_url
https://pastebin.com/raw/RPvdzvf9
delay
3
download_payload
false
install
true
install_name
Lol.exe
main_folder
AppData
pin_spread
true
sub_folder
\Discrd\
usb_spread
true

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Executes dropped EXE 3 IoCs

pid	Process
1300	LIME-CRYPTER.EXE
556	RAT_LIME.EXE
920	Lol.exe

Loads dropped DLL 5 IoCs

pid	Process
1348	RegAsm.exe
1348	RegAsm.exe
1348	RegAsm.exe
556	RAT_LIME.EXE
556	RAT_LIME.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\EXE Obf = "C:\\Users\\Admin\\AppData\\Roaming\\EXE\\EXE Obf.exe"	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2044 set thread context of 1348	2044	22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe	30

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LIME-CRYPTER.EXE	RegAsm.exe
File created	C:\Program Files (x86)\RAT_LIME.EXE	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2016	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	Lol.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Lol.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1780	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	920	Lol.exe
Token: SeDebugPrivilege	920	Lol.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1780	2044	22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe	28
PID 2044 wrote to memory of 1780	2044	22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe	28
PID 2044 wrote to memory of 1780	2044	22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe	28
PID 2044 wrote to memory of 1780	2044	22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe	28
PID 2044 wrote to memory of 1348	2044	22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe	30
PID 2044 wrote to memory of 1348	2044	22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe	30
PID 2044 wrote to memory of 1348	2044	22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe	30
PID 2044 wrote to memory of 1348	2044	22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe	30
PID 2044 wrote to memory of 1348	2044	22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe	30
PID 2044 wrote to memory of 1348	2044	22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe	30
PID 2044 wrote to memory of 1348	2044	22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe	30
PID 2044 wrote to memory of 1348	2044	22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe	30
PID 2044 wrote to memory of 1348	2044	22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe	30
PID 2044 wrote to memory of 1348	2044	22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe	30
PID 2044 wrote to memory of 1348	2044	22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe	30
PID 2044 wrote to memory of 1348	2044	22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe	30
PID 2044 wrote to memory of 1348	2044	22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe	30
PID 2044 wrote to memory of 1348	2044	22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe	30
PID 1348 wrote to memory of 1300	1348	RegAsm.exe	31
PID 1348 wrote to memory of 1300	1348	RegAsm.exe	31
PID 1348 wrote to memory of 1300	1348	RegAsm.exe	31
PID 1348 wrote to memory of 1300	1348	RegAsm.exe	31
PID 1348 wrote to memory of 556	1348	RegAsm.exe	32
PID 1348 wrote to memory of 556	1348	RegAsm.exe	32
PID 1348 wrote to memory of 556	1348	RegAsm.exe	32
PID 1348 wrote to memory of 556	1348	RegAsm.exe	32
PID 556 wrote to memory of 2016	556	RAT_LIME.EXE	34
PID 556 wrote to memory of 2016	556	RAT_LIME.EXE	34
PID 556 wrote to memory of 2016	556	RAT_LIME.EXE	34
PID 556 wrote to memory of 2016	556	RAT_LIME.EXE	34
PID 556 wrote to memory of 920	556	RAT_LIME.EXE	36
PID 556 wrote to memory of 920	556	RAT_LIME.EXE	36
PID 556 wrote to memory of 920	556	RAT_LIME.EXE	36
PID 556 wrote to memory of 920	556	RAT_LIME.EXE	36

C:\Users\Admin\AppData\Local\Temp\22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe
"C:\Users\Admin\AppData\Local\Temp\22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'EXE Obf';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'EXE Obf' -Value '"C:\Users\Admin\AppData\Roaming\EXE\EXE Obf.exe"' -PropertyType 'String'
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Program Files (x86)\LIME-CRYPTER.EXE
    "C:\Program Files (x86)\LIME-CRYPTER.EXE"
    3⤵
    - Executes dropped EXE
    PID:1300
- - C:\Program Files (x86)\RAT_LIME.EXE
    "C:\Program Files (x86)\RAT_LIME.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:556
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\Discrd\Lol.exe'"
      4⤵
      Creates scheduled task(s)
      PID:2016
  - - C:\Users\Admin\AppData\Roaming\Discrd\Lol.exe
      "C:\Users\Admin\AppData\Roaming\Discrd\Lol.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LIME-CRYPTER.EXE

Filesize
167KB

MD5
58ab7b9531186d0a8b5863410ac04fd5

SHA1
7a73cfba5e4a4f997f8627a937e4e72543fc47c9

SHA256
aaed720186b8f320d1c1f95637157c99c714ae21e496112e282eb110cb53acf8

SHA512
25b94924fa64b1333591e1581cdde4ed5ac59e1155b1a7a2741a87528e312238c5f8de6482b53ae7d3481e6a30e660fc2c5416bbbf6731c350e74f48b903ab70

Download Submit
C:\Program Files (x86)\LIME-CRYPTER.EXE

Filesize
167KB

MD5
58ab7b9531186d0a8b5863410ac04fd5

SHA1
7a73cfba5e4a4f997f8627a937e4e72543fc47c9

SHA256
aaed720186b8f320d1c1f95637157c99c714ae21e496112e282eb110cb53acf8

SHA512
25b94924fa64b1333591e1581cdde4ed5ac59e1155b1a7a2741a87528e312238c5f8de6482b53ae7d3481e6a30e660fc2c5416bbbf6731c350e74f48b903ab70

Download Submit
C:\Program Files (x86)\RAT_LIME.EXE

Filesize
28KB

MD5
5ef74fe6b282b5cd3585eb275a064bc2

SHA1
c37020951ad39d9ee03aba6c5f59af2a14d7a6a2

SHA256
1b1e7ddd338756c95cbe0e05241230f32c0341cba76dad9042777a23971694ae

SHA512
8d12d5293c1b4918984417f2d79658d001bb47f0e71bf04a5e2efa55033c02a89438b57929087d4dd1683151fc2c534841ec5851b9f74dd5270f4608c98ca110

Download Submit
C:\Program Files (x86)\RAT_LIME.EXE

Filesize
28KB

MD5
5ef74fe6b282b5cd3585eb275a064bc2

SHA1
c37020951ad39d9ee03aba6c5f59af2a14d7a6a2

SHA256
1b1e7ddd338756c95cbe0e05241230f32c0341cba76dad9042777a23971694ae

SHA512
8d12d5293c1b4918984417f2d79658d001bb47f0e71bf04a5e2efa55033c02a89438b57929087d4dd1683151fc2c534841ec5851b9f74dd5270f4608c98ca110

Download Submit
C:\Program Files (x86)\RAT_LIME.EXE

Filesize
28KB

MD5
5ef74fe6b282b5cd3585eb275a064bc2

SHA1
c37020951ad39d9ee03aba6c5f59af2a14d7a6a2

SHA256
1b1e7ddd338756c95cbe0e05241230f32c0341cba76dad9042777a23971694ae

SHA512
8d12d5293c1b4918984417f2d79658d001bb47f0e71bf04a5e2efa55033c02a89438b57929087d4dd1683151fc2c534841ec5851b9f74dd5270f4608c98ca110

Download Submit
C:\Users\Admin\AppData\Roaming\Discrd\Lol.exe

Filesize
28KB

MD5
5ef74fe6b282b5cd3585eb275a064bc2

SHA1
c37020951ad39d9ee03aba6c5f59af2a14d7a6a2

SHA256
1b1e7ddd338756c95cbe0e05241230f32c0341cba76dad9042777a23971694ae

SHA512
8d12d5293c1b4918984417f2d79658d001bb47f0e71bf04a5e2efa55033c02a89438b57929087d4dd1683151fc2c534841ec5851b9f74dd5270f4608c98ca110

Download Submit
C:\Users\Admin\AppData\Roaming\Discrd\Lol.exe

Filesize
28KB

MD5
5ef74fe6b282b5cd3585eb275a064bc2

SHA1
c37020951ad39d9ee03aba6c5f59af2a14d7a6a2

SHA256
1b1e7ddd338756c95cbe0e05241230f32c0341cba76dad9042777a23971694ae

SHA512
8d12d5293c1b4918984417f2d79658d001bb47f0e71bf04a5e2efa55033c02a89438b57929087d4dd1683151fc2c534841ec5851b9f74dd5270f4608c98ca110

Download Submit
\Program Files (x86)\LIME-CRYPTER.EXE

Filesize
167KB

MD5
58ab7b9531186d0a8b5863410ac04fd5

SHA1
7a73cfba5e4a4f997f8627a937e4e72543fc47c9

SHA256
aaed720186b8f320d1c1f95637157c99c714ae21e496112e282eb110cb53acf8

SHA512
25b94924fa64b1333591e1581cdde4ed5ac59e1155b1a7a2741a87528e312238c5f8de6482b53ae7d3481e6a30e660fc2c5416bbbf6731c350e74f48b903ab70

Download Submit
\Program Files (x86)\RAT_LIME.EXE

Filesize
28KB

MD5
5ef74fe6b282b5cd3585eb275a064bc2

SHA1
c37020951ad39d9ee03aba6c5f59af2a14d7a6a2

SHA256
1b1e7ddd338756c95cbe0e05241230f32c0341cba76dad9042777a23971694ae

SHA512
8d12d5293c1b4918984417f2d79658d001bb47f0e71bf04a5e2efa55033c02a89438b57929087d4dd1683151fc2c534841ec5851b9f74dd5270f4608c98ca110

Download Submit
\Program Files (x86)\RAT_LIME.EXE

Filesize
28KB

MD5
5ef74fe6b282b5cd3585eb275a064bc2

SHA1
c37020951ad39d9ee03aba6c5f59af2a14d7a6a2

SHA256
1b1e7ddd338756c95cbe0e05241230f32c0341cba76dad9042777a23971694ae

SHA512
8d12d5293c1b4918984417f2d79658d001bb47f0e71bf04a5e2efa55033c02a89438b57929087d4dd1683151fc2c534841ec5851b9f74dd5270f4608c98ca110

Download Submit
\Users\Admin\AppData\Roaming\Discrd\Lol.exe

Filesize
28KB

MD5
5ef74fe6b282b5cd3585eb275a064bc2

SHA1
c37020951ad39d9ee03aba6c5f59af2a14d7a6a2

SHA256
1b1e7ddd338756c95cbe0e05241230f32c0341cba76dad9042777a23971694ae

SHA512
8d12d5293c1b4918984417f2d79658d001bb47f0e71bf04a5e2efa55033c02a89438b57929087d4dd1683151fc2c534841ec5851b9f74dd5270f4608c98ca110

Download Submit
\Users\Admin\AppData\Roaming\Discrd\Lol.exe

Filesize
28KB

MD5
5ef74fe6b282b5cd3585eb275a064bc2

SHA1
c37020951ad39d9ee03aba6c5f59af2a14d7a6a2

SHA256
1b1e7ddd338756c95cbe0e05241230f32c0341cba76dad9042777a23971694ae

SHA512
8d12d5293c1b4918984417f2d79658d001bb47f0e71bf04a5e2efa55033c02a89438b57929087d4dd1683151fc2c534841ec5851b9f74dd5270f4608c98ca110

Download Submit
memory/556-89-0x00000000009F0000-0x00000000009FC000-memory.dmp

Filesize
48KB

Download
memory/920-106-0x00000000001A0000-0x00000000001AC000-memory.dmp

Filesize
48KB

Download
memory/920-107-0x0000000004BC0000-0x0000000004C00000-memory.dmp

Filesize
256KB

Download
memory/920-109-0x0000000004BC0000-0x0000000004C00000-memory.dmp

Filesize
256KB

Download
memory/1300-95-0x0000000004D10000-0x0000000004D50000-memory.dmp

Filesize
256KB

Download
memory/1300-92-0x0000000004D10000-0x0000000004D50000-memory.dmp

Filesize
256KB

Download
memory/1300-108-0x0000000004D10000-0x0000000004D50000-memory.dmp

Filesize
256KB

Download
memory/1300-86-0x00000000009A0000-0x00000000009D0000-memory.dmp

Filesize
192KB

Download
memory/1348-62-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1348-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1348-59-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1348-60-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1348-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1348-68-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1348-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1348-85-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1348-61-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1348-66-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1780-94-0x0000000002450000-0x0000000002490000-memory.dmp

Filesize
256KB

Download
memory/1780-93-0x0000000002450000-0x0000000002490000-memory.dmp

Filesize
256KB

Download
memory/2044-54-0x00000000001E0000-0x000000000022A000-memory.dmp

Filesize
296KB

Download
memory/2044-57-0x0000000001E90000-0x0000000001ED8000-memory.dmp

Filesize
288KB

Download
memory/2044-56-0x0000000004B80000-0x0000000004BC0000-memory.dmp

Filesize
256KB

Download
memory/2044-55-0x0000000004B80000-0x0000000004BC0000-memory.dmp

Filesize
256KB

Download