General

  • Target

    1612E6BB0CCE702554B3DB27BF98C140772BC85DF30D2.exe

  • Size

    1.5MB

  • Sample

    230902-rsxlzadg72

  • MD5

    4c6675bcb4996241e68fd4ac2fad45c2

  • SHA1

    e62124ae24bc980199900e5a7c392191882118cc

  • SHA256

    1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b

  • SHA512

    bf385448e4791a67e6fd79cc2310835320c7c590e95d2933eb661a5fd41712f8f6d3760410d733757effc08da32160b58909b14f8eb295b68594efa885542ab9

  • SSDEEP

    24576:C4Zv8wgIQYygkY9lA6pnLZGBrgxFdgLOjRFqD3Fd2U+1A4EKazGG7/52rhUVrp:CkYIhkeTYBrUyOjjU+1ArF/El+9

Score
10/10

Malware Config

Extracted

Family

limerat

Wallets

1B5aLZh6psoQttLGn9tpbdibiWqzyh4Jfv

Attributes
  • aes_key

    NYANCAT

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/LJe9sUk5

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Wservices.exe

  • main_folder

    Temp

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    true

Extracted

Family

limerat

Attributes
  • antivm

    false

  • c2_url

    https://pastebin.com/raw/LJe9sUk5

  • download_payload

    false

  • install

    false

  • pin_spread

    false

  • usb_spread

    false

Targets

    • Target

      1612E6BB0CCE702554B3DB27BF98C140772BC85DF30D2.exe

    • Size

      1.5MB

    • MD5

      4c6675bcb4996241e68fd4ac2fad45c2

    • SHA1

      e62124ae24bc980199900e5a7c392191882118cc

    • SHA256

      1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b

    • SHA512

      bf385448e4791a67e6fd79cc2310835320c7c590e95d2933eb661a5fd41712f8f6d3760410d733757effc08da32160b58909b14f8eb295b68594efa885542ab9

    • SSDEEP

      24576:C4Zv8wgIQYygkY9lA6pnLZGBrgxFdgLOjRFqD3Fd2U+1A4EKazGG7/52rhUVrp:CkYIhkeTYBrUyOjjU+1ArF/El+9

    Score
    10/10
    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.