limerat | 269dc2b37169735ee126b0f15a4948a642d6c4b5b45ccda620e206cc72c6047d

Resubmissions

24-08-2023 17:14

230824-vr7mbseb56 10

24-08-2023 17:09

230824-vn81zsfg21 10

Analysis

max time kernel
179s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2023 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New-Client.exe
Size

28KB
MD5

19d3bedf1ee8ae14fa8b095f3409cc11
SHA1

47ec9ed3a4043721cbe3e5758b5298090bec214d
SHA256

269dc2b37169735ee126b0f15a4948a642d6c4b5b45ccda620e206cc72c6047d
SHA512

df199215a55b1dd0093a365b2397a6afffcd9897ed7560de69bd917fabe02668998c12339e14c619a3d4389e83b90da54ec0c48896be4ae80d66182832a650a8
SSDEEP

384:0y+Sbj6NKQhW6dNAHN0s1qDIp6al2ra0JEvDKNrCeJE3WNgQavhGACeLQro3lcGJ:BpQ86dNwN56E2ra0Jq45NcZJRj

Score

10^/10

limerat rat

Malware Config

Extracted

Family

limerat

Attributes

aes_key
65AF55741941
antivm
false
c2_url
https://pastebin.com/raw/aEid41SM
delay
3
download_payload
false
install
true
install_name
Wservices.exe
main_folder
AppData
pin_spread
true
sub_folder
\pencil\
usb_spread
true

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Executes dropped EXE 1 IoCs

pid	Process
264	Wservices.exe

Loads dropped DLL 4 IoCs

pid	Process
264	Wservices.exe
264	Wservices.exe
264	Wservices.exe
264	Wservices.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2576	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
264	Wservices.exe
264	Wservices.exe
264	Wservices.exe
264	Wservices.exe
264	Wservices.exe
264	Wservices.exe
264	Wservices.exe
264	Wservices.exe
264	Wservices.exe
264	Wservices.exe
264	Wservices.exe
264	Wservices.exe
264	Wservices.exe
264	Wservices.exe
264	Wservices.exe
264	Wservices.exe
264	Wservices.exe
264	Wservices.exe
264	Wservices.exe
264	Wservices.exe
264	Wservices.exe
264	Wservices.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	264	Wservices.exe
Token: SeDebugPrivilege	264	Wservices.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 2576	4564	New-Client.exe	88
PID 4564 wrote to memory of 2576	4564	New-Client.exe	88
PID 4564 wrote to memory of 2576	4564	New-Client.exe	88
PID 4564 wrote to memory of 264	4564	New-Client.exe	90
PID 4564 wrote to memory of 264	4564	New-Client.exe	90
PID 4564 wrote to memory of 264	4564	New-Client.exe	90
PID 264 wrote to memory of 2936	264	Wservices.exe	95
PID 264 wrote to memory of 2936	264	Wservices.exe	95
PID 264 wrote to memory of 2936	264	Wservices.exe	95
PID 2936 wrote to memory of 4428	2936	vbc.exe	97
PID 2936 wrote to memory of 4428	2936	vbc.exe	97
PID 2936 wrote to memory of 4428	2936	vbc.exe	97
PID 264 wrote to memory of 3528	264	Wservices.exe	99
PID 264 wrote to memory of 3528	264	Wservices.exe	99
PID 264 wrote to memory of 3528	264	Wservices.exe	99
PID 3528 wrote to memory of 2968	3528	vbc.exe	100
PID 3528 wrote to memory of 2968	3528	vbc.exe	100
PID 3528 wrote to memory of 2968	3528	vbc.exe	100

C:\Users\Admin\AppData\Local\Temp\New-Client.exe
"C:\Users\Admin\AppData\Local\Temp\New-Client.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\pencil\Wservices.exe'"
  2⤵
  - Creates scheduled task(s)
  PID:2576
- C:\Users\Admin\AppData\Roaming\pencil\Wservices.exe
  "C:\Users\Admin\AppData\Roaming\pencil\Wservices.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:264
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hitxl9xl.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3DE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA491E781C2174D59933D0ED587143E.TMP"
      4⤵
      PID:4428
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ltgx_0pi.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3528
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4B9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc95BAB19FF8CF4B79BA30407AB7B6E9AD.TMP"
      4⤵
      PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3DE.tmp

Filesize
5KB

MD5
922fcae1e7d3fe5aabe01830ce82c0c4

SHA1
a53198275d050a9b4cc1c31f646fd3d6a0e5a67e

SHA256
9f3e3092a2cc63ca2fc68708632bcba1b35e4475b1b22e4100f6bf1cf97d77df

SHA512
c1457636d637fb3bffe6460e1f07e5878a8892fb993ef218541f076f4a20ee2662b88c17e6641ac953b0ec1bb2b77c670d670fca1cad3694bc202025f5a48268

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4B9.tmp

Filesize
5KB

MD5
b2cc7bb4b736ccd1e703dfe165979d19

SHA1
d0efb26203dc28dac851147af74322ece3691dd1

SHA256
83cfdd93232de2272f6faf102b6446b501088085b9565502516860c2c0a7aeba

SHA512
4480d7979c7526a35e575e4e73ac2cb6d0de5863017c91ce0ac670bd701f60f0de124515613fc0ec984836386ccea11382e002cf7ff823f5c1c12a47ccf0d91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hitxl9xl.0.vb

Filesize
231B

MD5
69ad8ccc57c451b664da10d555b92127

SHA1
ad4e6f6d2e640ae2b0affdd1376dd121a04677af

SHA256
d4bc36e908f18b1cedf34626b16befe061bdb811bb3e6b350d474aaf0662659c

SHA512
75239c2d1946d2d3324768f3097202b33ad1b297ef5d7f4192e33ef62dbed128357b99dd23f7fb776d11b4061437f86e321af395a483311b6ad186fe3390b804

Download Submit
C:\Users\Admin\AppData\Local\Temp\hitxl9xl.cmdline

Filesize
273B

MD5
f51d501dbb7d014bdf1e58524fb2bd58

SHA1
4ad16d9093e6d24e768cbd51873d67afb28a213d

SHA256
9618f7f59a941360dcc4e2af76d727ff155ba988a831c51243d700826349eede

SHA512
fb7c9f2d9267c0df478421f9768d12a568f010ce70c0a9a057f5f7c32cf73cd228a520658f9218bbe4668a4e0b010558dadd313f29e2b06072a78255f5f0d7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ltgx_0pi.0.vb

Filesize
238B

MD5
48873aa0ff981f916269e9193275a468

SHA1
f645474c4496f81c47471ed88a23451a0453af23

SHA256
0ce3b612b7b38b63717ad8a924f292d750a49db5b722b9f52dd6ddb16e06baeb

SHA512
cc87d70208add2b818bd3287484c88dccdaa2bdfcdacb900e88565f82ebad956784e4ab4fe2eb6bc3f7faf10fbbee27915c2057e54bc58984391e5a3394f4c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\ltgx_0pi.cmdline

Filesize
286B

MD5
60fa9c2e35eca20413c4dde602151f91

SHA1
b4faf49ef759eb7d1c4a6271eb7fc192e7059af8

SHA256
8cc7d82b7f009aa51e924f666f686ae34cfd03be1763a4cd842757ee3c73f5e7

SHA512
ce50c801d286323ecc9d6e7bddf469f9821eb0b8edd84d45fe6bf14b99f1ebe925ff682359bd5df85a8b105b2ca4c050302ea7ac6dec339123cea29533ec5683

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc95BAB19FF8CF4B79BA30407AB7B6E9AD.TMP

Filesize
4KB

MD5
4162c05f88e8459f843325fddd58b73d

SHA1
585a582f7c4d9b218d68ca18d6cf46801b1db4fe

SHA256
3ffa4819f285544e028ad56d2ade2bf07599d569bb925812a0566deea7ae17fc

SHA512
cc2d732fe8f925df5d9c03b5f237dcbb5c9ca93d0878b2b29bbc635e9daec32a460e45510088831fd3e00015e01649df2b378db4a982f536cd1f1beabc102af1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA491E781C2174D59933D0ED587143E.TMP

Filesize
4KB

MD5
3bc8adeb12a0fcc53a2368d6b2ac06f1

SHA1
1fbf854011bdb8a6d8b876dd03eb58f70422b5c9

SHA256
05d3206e82e3219eaa0ea9825b64eb5d32f542f257a5ff4c72149ebe0a7be12b

SHA512
8885b4fc552332b8e667e425afbc9c18ec54fb561a49b085aef5fdc51142efc61bf7d2b868632d1f1a6e03b256b9422be706aa3cfa58a8de6ef15b94abb163cd

Download Submit
C:\Users\Admin\AppData\Roaming\Lime\ICO\Firefox.ico

Filesize
4KB

MD5
a561ca41d3b29c57ab61672df8d88ec9

SHA1
24567a929b98c2536cd2458fdce00ce7e29710f0

SHA256
f8c5b0b66dbab94ebed08de93cf2300c9933db9ba43b468a0cda09602a2520ce

SHA512
eede6794c1a7318fa6107069719fb6ea885b2aa0410e70b300fa65e349a7c6798eb232fb8b6ac254821145cf9de5b91846b1e80514a402a3234c1b336223b027

Download Submit
C:\Users\Admin\AppData\Roaming\Lime\ICO\MicrosoftEdge.ico

Filesize
4KB

MD5
dfe08c8c6e8e1142309ac81d3ea765ec

SHA1
da81d0b263ca62dcc2deab48835cf1dc1e8dac0a

SHA256
04d17515c60ac7ec901b27e116fd1a965f529dcb20b3609df5b3cb58cff8e456

SHA512
2b4f91df4b9a75df3e7fc50733b795adaafc4d8ae323339fbb9a38309c6898a6b877f6fa6a2cb476f661d80a5f1969b284deef5c0a4439b221ddd8750bb102ef

Download Submit
C:\Users\Admin\AppData\Roaming\pencil\IconLib.dll

Filesize
59KB

MD5
45ecaf5e82da876240f9be946923406c

SHA1
0e79bfe8ecc9b0a22430d1c13c423fbf0ac2a61d

SHA256
087a0c5f789e964a2fbcb781015d3fc9d1757358bc63bb4e0b863b4dffdb6e4f

SHA512
6fd4a25051414b2d70569a82dff5522606bfc34d3eaeea54d2d924bc9c92e479c7fda178208026308a1bf9c90bee9dbcaf8716d85c2ab7f383b43b0734329bc8

Download Submit
C:\Users\Admin\AppData\Roaming\pencil\IconLib.dll

Filesize
59KB

MD5
45ecaf5e82da876240f9be946923406c

SHA1
0e79bfe8ecc9b0a22430d1c13c423fbf0ac2a61d

SHA256
087a0c5f789e964a2fbcb781015d3fc9d1757358bc63bb4e0b863b4dffdb6e4f

SHA512
6fd4a25051414b2d70569a82dff5522606bfc34d3eaeea54d2d924bc9c92e479c7fda178208026308a1bf9c90bee9dbcaf8716d85c2ab7f383b43b0734329bc8

Download Submit
C:\Users\Admin\AppData\Roaming\pencil\IconLib.dll

Filesize
59KB

MD5
45ecaf5e82da876240f9be946923406c

SHA1
0e79bfe8ecc9b0a22430d1c13c423fbf0ac2a61d

SHA256
087a0c5f789e964a2fbcb781015d3fc9d1757358bc63bb4e0b863b4dffdb6e4f

SHA512
6fd4a25051414b2d70569a82dff5522606bfc34d3eaeea54d2d924bc9c92e479c7fda178208026308a1bf9c90bee9dbcaf8716d85c2ab7f383b43b0734329bc8

Download Submit
C:\Users\Admin\AppData\Roaming\pencil\IconLib.dll

Filesize
59KB

MD5
45ecaf5e82da876240f9be946923406c

SHA1
0e79bfe8ecc9b0a22430d1c13c423fbf0ac2a61d

SHA256
087a0c5f789e964a2fbcb781015d3fc9d1757358bc63bb4e0b863b4dffdb6e4f

SHA512
6fd4a25051414b2d70569a82dff5522606bfc34d3eaeea54d2d924bc9c92e479c7fda178208026308a1bf9c90bee9dbcaf8716d85c2ab7f383b43b0734329bc8

Download Submit
C:\Users\Admin\AppData\Roaming\pencil\IconLib.dll

Filesize
59KB

MD5
45ecaf5e82da876240f9be946923406c

SHA1
0e79bfe8ecc9b0a22430d1c13c423fbf0ac2a61d

SHA256
087a0c5f789e964a2fbcb781015d3fc9d1757358bc63bb4e0b863b4dffdb6e4f

SHA512
6fd4a25051414b2d70569a82dff5522606bfc34d3eaeea54d2d924bc9c92e479c7fda178208026308a1bf9c90bee9dbcaf8716d85c2ab7f383b43b0734329bc8

Download Submit
C:\Users\Admin\AppData\Roaming\pencil\Wservices.exe

Filesize
28KB

MD5
19d3bedf1ee8ae14fa8b095f3409cc11

SHA1
47ec9ed3a4043721cbe3e5758b5298090bec214d

SHA256
269dc2b37169735ee126b0f15a4948a642d6c4b5b45ccda620e206cc72c6047d

SHA512
df199215a55b1dd0093a365b2397a6afffcd9897ed7560de69bd917fabe02668998c12339e14c619a3d4389e83b90da54ec0c48896be4ae80d66182832a650a8

Download Submit
C:\Users\Admin\AppData\Roaming\pencil\Wservices.exe

Filesize
28KB

MD5
19d3bedf1ee8ae14fa8b095f3409cc11

SHA1
47ec9ed3a4043721cbe3e5758b5298090bec214d

SHA256
269dc2b37169735ee126b0f15a4948a642d6c4b5b45ccda620e206cc72c6047d

SHA512
df199215a55b1dd0093a365b2397a6afffcd9897ed7560de69bd917fabe02668998c12339e14c619a3d4389e83b90da54ec0c48896be4ae80d66182832a650a8

Download Submit
C:\Users\Admin\AppData\Roaming\pencil\Wservices.exe

Filesize
28KB

MD5
19d3bedf1ee8ae14fa8b095f3409cc11

SHA1
47ec9ed3a4043721cbe3e5758b5298090bec214d

SHA256
269dc2b37169735ee126b0f15a4948a642d6c4b5b45ccda620e206cc72c6047d

SHA512
df199215a55b1dd0093a365b2397a6afffcd9897ed7560de69bd917fabe02668998c12339e14c619a3d4389e83b90da54ec0c48896be4ae80d66182832a650a8

Download Submit
memory/264-15-0x0000000074B20000-0x00000000750D1000-memory.dmp

Filesize
5.7MB

Download
memory/264-20-0x0000000001920000-0x0000000001930000-memory.dmp

Filesize
64KB

Download
memory/264-16-0x0000000001920000-0x0000000001930000-memory.dmp

Filesize
64KB

Download
memory/264-19-0x0000000001920000-0x0000000001930000-memory.dmp

Filesize
64KB

Download
memory/264-18-0x0000000001920000-0x0000000001930000-memory.dmp

Filesize
64KB

Download
memory/264-14-0x0000000074B20000-0x00000000750D1000-memory.dmp

Filesize
5.7MB

Download
memory/264-17-0x0000000074B20000-0x00000000750D1000-memory.dmp

Filesize
5.7MB

Download
memory/2936-37-0x00000000009F0000-0x0000000000A00000-memory.dmp

Filesize
64KB

Download
memory/3528-54-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/4564-12-0x0000000074B20000-0x00000000750D1000-memory.dmp

Filesize
5.7MB

Download
memory/4564-13-0x0000000074B20000-0x00000000750D1000-memory.dmp

Filesize
5.7MB

Download
memory/4564-0-0x0000000074B20000-0x00000000750D1000-memory.dmp

Filesize
5.7MB

Download
memory/4564-2-0x0000000001020000-0x0000000001030000-memory.dmp

Filesize
64KB

Download
memory/4564-1-0x0000000074B20000-0x00000000750D1000-memory.dmp

Filesize
5.7MB

Download