limerat | c9e34cc1c82394737d68098efcbd4c4f895fb4ecd7caa3d75e8b749e914412d8

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2023 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe
Size

268KB
MD5

9ccac05dc35bc350756b65e44e55f3de
SHA1

5e296e9c4afd0bdf887b8d49c3e42bf31127cdcd
SHA256

22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca
SHA512

7a9aa256f3855088d39d0d0ebe4ba8fc4734bf2336d3a57cefceb240727b4fbbd159ee01c7da36216130c718c5dc1cda39608bacc5bc1a402a0680d7e67a80b6
SSDEEP

6144:iwKBnr5DNGAEvdl4I3FOobfrBkx9V48FpJh8uildXT/s4u:iw6dNGxvv4I3FOoXY1FNenf

Score

10^/10

limerat persistence rat

Malware Config

Extracted

Family

limerat

Attributes

aes_key
dorkis
antivm
true
c2_url
https://pastebin.com/raw/RPvdzvf9
delay
3
download_payload
false
install
true
install_name
Lol.exe
main_folder
AppData
pin_spread
true
sub_folder
\Discrd\
usb_spread
true

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	RAT_LIME.EXE

Executes dropped EXE 3 IoCs

pid	Process
4472	LIME-CRYPTER.EXE
2160	RAT_LIME.EXE
4780	Lol.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EXE Obf = "C:\\Users\\Admin\\AppData\\Roaming\\EXE\\EXE Obf.exe"	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 656 set thread context of 4776	656	22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe	90

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LIME-CRYPTER.EXE	RegAsm.exe
File created	C:\Program Files (x86)\RAT_LIME.EXE	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1508	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4588	powershell.exe
4588	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4588	powershell.exe
Token: SeDebugPrivilege	4780	Lol.exe
Token: SeDebugPrivilege	4780	Lol.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 656 wrote to memory of 4588	656	22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe	88
PID 656 wrote to memory of 4588	656	22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe	88
PID 656 wrote to memory of 4588	656	22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe	88
PID 656 wrote to memory of 4776	656	22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe	90
PID 656 wrote to memory of 4776	656	22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe	90
PID 656 wrote to memory of 4776	656	22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe	90
PID 656 wrote to memory of 4776	656	22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe	90
PID 656 wrote to memory of 4776	656	22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe	90
PID 656 wrote to memory of 4776	656	22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe	90
PID 656 wrote to memory of 4776	656	22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe	90
PID 656 wrote to memory of 4776	656	22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe	90
PID 656 wrote to memory of 4776	656	22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe	90
PID 656 wrote to memory of 4776	656	22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe	90
PID 4776 wrote to memory of 4472	4776	RegAsm.exe	91
PID 4776 wrote to memory of 4472	4776	RegAsm.exe	91
PID 4776 wrote to memory of 4472	4776	RegAsm.exe	91
PID 4776 wrote to memory of 2160	4776	RegAsm.exe	92
PID 4776 wrote to memory of 2160	4776	RegAsm.exe	92
PID 4776 wrote to memory of 2160	4776	RegAsm.exe	92
PID 2160 wrote to memory of 1508	2160	RAT_LIME.EXE	93
PID 2160 wrote to memory of 1508	2160	RAT_LIME.EXE	93
PID 2160 wrote to memory of 1508	2160	RAT_LIME.EXE	93
PID 2160 wrote to memory of 4780	2160	RAT_LIME.EXE	95
PID 2160 wrote to memory of 4780	2160	RAT_LIME.EXE	95
PID 2160 wrote to memory of 4780	2160	RAT_LIME.EXE	95

C:\Users\Admin\AppData\Local\Temp\22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe
"C:\Users\Admin\AppData\Local\Temp\22d0bc93d63a3ae7371628d0a59fe79bfa6cdcf37bb7643c80a998ed5540a6ca.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:656
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'EXE Obf';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'EXE Obf' -Value '"C:\Users\Admin\AppData\Roaming\EXE\EXE Obf.exe"' -PropertyType 'String'
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Program Files (x86)\LIME-CRYPTER.EXE
    "C:\Program Files (x86)\LIME-CRYPTER.EXE"
    3⤵
    - Executes dropped EXE
    PID:4472
- - C:\Program Files (x86)\RAT_LIME.EXE
    "C:\Program Files (x86)\RAT_LIME.EXE"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\Discrd\Lol.exe'"
      4⤵
      Creates scheduled task(s)
      PID:1508
  - - C:\Users\Admin\AppData\Roaming\Discrd\Lol.exe
      "C:\Users\Admin\AppData\Roaming\Discrd\Lol.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LIME-CRYPTER.EXE

Filesize
167KB

MD5
58ab7b9531186d0a8b5863410ac04fd5

SHA1
7a73cfba5e4a4f997f8627a937e4e72543fc47c9

SHA256
aaed720186b8f320d1c1f95637157c99c714ae21e496112e282eb110cb53acf8

SHA512
25b94924fa64b1333591e1581cdde4ed5ac59e1155b1a7a2741a87528e312238c5f8de6482b53ae7d3481e6a30e660fc2c5416bbbf6731c350e74f48b903ab70

Download Submit
C:\Program Files (x86)\LIME-CRYPTER.EXE

Filesize
167KB

MD5
58ab7b9531186d0a8b5863410ac04fd5

SHA1
7a73cfba5e4a4f997f8627a937e4e72543fc47c9

SHA256
aaed720186b8f320d1c1f95637157c99c714ae21e496112e282eb110cb53acf8

SHA512
25b94924fa64b1333591e1581cdde4ed5ac59e1155b1a7a2741a87528e312238c5f8de6482b53ae7d3481e6a30e660fc2c5416bbbf6731c350e74f48b903ab70

Download Submit
C:\Program Files (x86)\LIME-CRYPTER.EXE

Filesize
167KB

MD5
58ab7b9531186d0a8b5863410ac04fd5

SHA1
7a73cfba5e4a4f997f8627a937e4e72543fc47c9

SHA256
aaed720186b8f320d1c1f95637157c99c714ae21e496112e282eb110cb53acf8

SHA512
25b94924fa64b1333591e1581cdde4ed5ac59e1155b1a7a2741a87528e312238c5f8de6482b53ae7d3481e6a30e660fc2c5416bbbf6731c350e74f48b903ab70

Download Submit
C:\Program Files (x86)\RAT_LIME.EXE

Filesize
28KB

MD5
5ef74fe6b282b5cd3585eb275a064bc2

SHA1
c37020951ad39d9ee03aba6c5f59af2a14d7a6a2

SHA256
1b1e7ddd338756c95cbe0e05241230f32c0341cba76dad9042777a23971694ae

SHA512
8d12d5293c1b4918984417f2d79658d001bb47f0e71bf04a5e2efa55033c02a89438b57929087d4dd1683151fc2c534841ec5851b9f74dd5270f4608c98ca110

Download Submit
C:\Program Files (x86)\RAT_LIME.EXE

Filesize
28KB

MD5
5ef74fe6b282b5cd3585eb275a064bc2

SHA1
c37020951ad39d9ee03aba6c5f59af2a14d7a6a2

SHA256
1b1e7ddd338756c95cbe0e05241230f32c0341cba76dad9042777a23971694ae

SHA512
8d12d5293c1b4918984417f2d79658d001bb47f0e71bf04a5e2efa55033c02a89438b57929087d4dd1683151fc2c534841ec5851b9f74dd5270f4608c98ca110

Download Submit
C:\Program Files (x86)\RAT_LIME.EXE

Filesize
28KB

MD5
5ef74fe6b282b5cd3585eb275a064bc2

SHA1
c37020951ad39d9ee03aba6c5f59af2a14d7a6a2

SHA256
1b1e7ddd338756c95cbe0e05241230f32c0341cba76dad9042777a23971694ae

SHA512
8d12d5293c1b4918984417f2d79658d001bb47f0e71bf04a5e2efa55033c02a89438b57929087d4dd1683151fc2c534841ec5851b9f74dd5270f4608c98ca110

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rd0jahn2.thy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Discrd\Lol.exe

Filesize
28KB

MD5
5ef74fe6b282b5cd3585eb275a064bc2

SHA1
c37020951ad39d9ee03aba6c5f59af2a14d7a6a2

SHA256
1b1e7ddd338756c95cbe0e05241230f32c0341cba76dad9042777a23971694ae

SHA512
8d12d5293c1b4918984417f2d79658d001bb47f0e71bf04a5e2efa55033c02a89438b57929087d4dd1683151fc2c534841ec5851b9f74dd5270f4608c98ca110

Download Submit
C:\Users\Admin\AppData\Roaming\Discrd\Lol.exe

Filesize
28KB

MD5
5ef74fe6b282b5cd3585eb275a064bc2

SHA1
c37020951ad39d9ee03aba6c5f59af2a14d7a6a2

SHA256
1b1e7ddd338756c95cbe0e05241230f32c0341cba76dad9042777a23971694ae

SHA512
8d12d5293c1b4918984417f2d79658d001bb47f0e71bf04a5e2efa55033c02a89438b57929087d4dd1683151fc2c534841ec5851b9f74dd5270f4608c98ca110

Download Submit
memory/656-140-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/656-141-0x0000000004EC0000-0x0000000004EDE000-memory.dmp

Filesize
120KB

Download
memory/656-135-0x0000000005080000-0x0000000005624000-memory.dmp

Filesize
5.6MB

Download
memory/656-136-0x0000000004B80000-0x0000000004C12000-memory.dmp

Filesize
584KB

Download
memory/656-134-0x0000000000180000-0x00000000001CA000-memory.dmp

Filesize
296KB

Download
memory/656-137-0x0000000004D30000-0x0000000004D3A000-memory.dmp

Filesize
40KB

Download
memory/656-138-0x0000000004DC0000-0x0000000004E36000-memory.dmp

Filesize
472KB

Download
memory/656-139-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/2160-188-0x0000000005800000-0x000000000589C000-memory.dmp

Filesize
624KB

Download
memory/2160-187-0x0000000000FB0000-0x0000000000FBC000-memory.dmp

Filesize
48KB

Download
memory/2160-195-0x00000000059B0000-0x00000000059C0000-memory.dmp

Filesize
64KB

Download
memory/4472-185-0x0000000000C10000-0x0000000000C40000-memory.dmp

Filesize
192KB

Download
memory/4472-207-0x0000000005790000-0x00000000057A0000-memory.dmp

Filesize
64KB

Download
memory/4472-189-0x0000000005790000-0x00000000057A0000-memory.dmp

Filesize
64KB

Download
memory/4472-190-0x0000000005790000-0x00000000057A0000-memory.dmp

Filesize
64KB

Download
memory/4472-209-0x0000000005790000-0x00000000057A0000-memory.dmp

Filesize
64KB

Download
memory/4588-191-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/4588-192-0x00000000075D0000-0x0000000007666000-memory.dmp

Filesize
600KB

Download
memory/4588-145-0x00000000050C0000-0x00000000050F6000-memory.dmp

Filesize
216KB

Download
memory/4588-186-0x0000000006670000-0x000000000668E000-memory.dmp

Filesize
120KB

Download
memory/4588-155-0x0000000005F90000-0x0000000005FF6000-memory.dmp

Filesize
408KB

Download
memory/4588-154-0x00000000056B0000-0x00000000056D2000-memory.dmp

Filesize
136KB

Download
memory/4588-153-0x0000000005730000-0x0000000005D58000-memory.dmp

Filesize
6.2MB

Download
memory/4588-151-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/4588-152-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/4588-161-0x0000000006000000-0x0000000006066000-memory.dmp

Filesize
408KB

Download
memory/4588-193-0x0000000006B60000-0x0000000006B7A000-memory.dmp

Filesize
104KB

Download
memory/4588-194-0x0000000006BB0000-0x0000000006BD2000-memory.dmp

Filesize
136KB

Download
memory/4776-150-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4776-147-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4776-146-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4776-184-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4776-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4780-208-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/4780-210-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download