limerat | 865f0c77242db6c8bc7853d56c80df25d0131978cc693fc2a05a392316cfc566

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2023 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ChromiumUpdateexeexeexeex.exe
Size

44KB
MD5

fda53976d89ab903557b9528cc2fb91d
SHA1

c42781c8328b1dbb70c3571fcadd9f674c5df333
SHA256

865f0c77242db6c8bc7853d56c80df25d0131978cc693fc2a05a392316cfc566
SHA512

7b7f0efd96a67026aea1661fee86358557b89d67ed8c96c9125a61958570e00e9cab2cc84950cdd8eb799cdc8e5f2cdc0d1c90da2b0c891920b700c203e44444
SSDEEP

768:TpYT6H3wjsG/YS445NoDamKOAZB6in1WjctC1iTIPYe:TpH3wj9/ZF8DHoBGgCuIP7

Score

10^/10

limerat rat

Malware Config

Extracted

Family

limerat

Wallets

bc1qwycfayk08cnnj2ng0emn8yeek6hkdkdvue952a

Attributes

aes_key
vELKIjFPTOEs91pZ1LF+7gl6DaQq5z3kH6Q5FyFhRO8/6K8Xpl7YLTgTqwUttOW5
antivm
false
c2_url
https://pastebin.com/raw/DDTVwwbu
delay
3
download_payload
false
install
false
install_name
Wservices.exe
main_folder
Temp
pin_spread
true
sub_folder
\
usb_spread
true

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ChromiumUpdateexeexeexeex.exe

description pid process

Token: SeDebugPrivilege 4100 ChromiumUpdateexeexeexeex.exe
Token: SeDebugPrivilege 4100 ChromiumUpdateexeexeexeex.exe

description	pid	process
Token: SeDebugPrivilege	4100	ChromiumUpdateexeexeexeex.exe
Token: SeDebugPrivilege	4100	ChromiumUpdateexeexeexeex.exe

C:\Users\Admin\AppData\Local\Temp\ChromiumUpdateexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\ChromiumUpdateexeexeexeex.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4100-133-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/4100-134-0x0000000004C40000-0x0000000004CDC000-memory.dmp

Filesize
624KB

Download
memory/4100-135-0x0000000004BA0000-0x0000000004C06000-memory.dmp

Filesize
408KB

Download
memory/4100-136-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/4100-137-0x00000000058F0000-0x0000000005E94000-memory.dmp

Filesize
5.6MB

Download
memory/4100-138-0x0000000006180000-0x0000000006212000-memory.dmp

Filesize
584KB

Download
memory/4100-139-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download