General

  • Target

    1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b_JC.exe

  • Size

    1.5MB

  • Sample

    230903-leew4shb97

  • MD5

    4c6675bcb4996241e68fd4ac2fad45c2

  • SHA1

    e62124ae24bc980199900e5a7c392191882118cc

  • SHA256

    1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b

  • SHA512

    bf385448e4791a67e6fd79cc2310835320c7c590e95d2933eb661a5fd41712f8f6d3760410d733757effc08da32160b58909b14f8eb295b68594efa885542ab9

  • SSDEEP

    24576:C4Zv8wgIQYygkY9lA6pnLZGBrgxFdgLOjRFqD3Fd2U+1A4EKazGG7/52rhUVrp:CkYIhkeTYBrUyOjjU+1ArF/El+9

Score
10/10

Malware Config

Extracted

Family

limerat

Wallets

1B5aLZh6psoQttLGn9tpbdibiWqzyh4Jfv

Attributes
  • aes_key

    NYANCAT

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/LJe9sUk5

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Wservices.exe

  • main_folder

    Temp

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    true

Extracted

Family

limerat

Attributes
  • antivm

    false

  • c2_url

    https://pastebin.com/raw/LJe9sUk5

  • download_payload

    false

  • install

    false

  • pin_spread

    false

  • usb_spread

    false

Targets

    • Target

      1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b_JC.exe

    • Size

      1.5MB

    • MD5

      4c6675bcb4996241e68fd4ac2fad45c2

    • SHA1

      e62124ae24bc980199900e5a7c392191882118cc

    • SHA256

      1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b

    • SHA512

      bf385448e4791a67e6fd79cc2310835320c7c590e95d2933eb661a5fd41712f8f6d3760410d733757effc08da32160b58909b14f8eb295b68594efa885542ab9

    • SSDEEP

      24576:C4Zv8wgIQYygkY9lA6pnLZGBrgxFdgLOjRFqD3Fd2U+1A4EKazGG7/52rhUVrp:CkYIhkeTYBrUyOjjU+1ArF/El+9

    Score
    10/10
    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks