General
-
Target
1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b_JC.exe
-
Size
1.5MB
-
Sample
230903-leew4shb97
-
MD5
4c6675bcb4996241e68fd4ac2fad45c2
-
SHA1
e62124ae24bc980199900e5a7c392191882118cc
-
SHA256
1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b
-
SHA512
bf385448e4791a67e6fd79cc2310835320c7c590e95d2933eb661a5fd41712f8f6d3760410d733757effc08da32160b58909b14f8eb295b68594efa885542ab9
-
SSDEEP
24576:C4Zv8wgIQYygkY9lA6pnLZGBrgxFdgLOjRFqD3Fd2U+1A4EKazGG7/52rhUVrp:CkYIhkeTYBrUyOjjU+1ArF/El+9
Static task
static1
Behavioral task
behavioral1
Sample
1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b_JC.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b_JC.exe
Resource
win10v2004-20230831-en
Malware Config
Extracted
limerat
1B5aLZh6psoQttLGn9tpbdibiWqzyh4Jfv
-
aes_key
NYANCAT
-
antivm
false
-
c2_url
https://pastebin.com/raw/LJe9sUk5
-
delay
3
-
download_payload
false
-
install
false
-
install_name
Wservices.exe
-
main_folder
Temp
-
pin_spread
false
-
sub_folder
\
-
usb_spread
true
Extracted
limerat
-
antivm
false
-
c2_url
https://pastebin.com/raw/LJe9sUk5
-
download_payload
false
-
install
false
-
pin_spread
false
-
usb_spread
false
Targets
-
-
Target
1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b_JC.exe
-
Size
1.5MB
-
MD5
4c6675bcb4996241e68fd4ac2fad45c2
-
SHA1
e62124ae24bc980199900e5a7c392191882118cc
-
SHA256
1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b
-
SHA512
bf385448e4791a67e6fd79cc2310835320c7c590e95d2933eb661a5fd41712f8f6d3760410d733757effc08da32160b58909b14f8eb295b68594efa885542ab9
-
SSDEEP
24576:C4Zv8wgIQYygkY9lA6pnLZGBrgxFdgLOjRFqD3Fd2U+1A4EKazGG7/52rhUVrp:CkYIhkeTYBrUyOjjU+1ArF/El+9
Score10/10-
Modifies Installed Components in the registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Defense Evasion
Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1