limerat | d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49 | Triage

Submit
Reports

Overview

overview

Static

static

3

chr.exe

windows7-x64

chr.exe

windows10-2004-x64

Sharing

General

Target

chr.exe
Size

66KB
Sample

231120-rwq9csge69
MD5

50b2b692da0c363e301709a28b30afaf
SHA1

098e00413ba405bcc72b71a5869c2d151e93448a
SHA256

d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49
SHA512

d463babcae95c3c200af5ae59aa5f89e2edeb267bb15e843f8a241e17794db1672067cba421ba38cda4e161151d93e5eb2e3bb06cd5ce6bc98d651ebf58f06ce
SSDEEP

1536:UJOjk0yzcRvVSfD8tzsy/jV49Gko0S/aATWJvQ3MJea9yn90+x:UJ70yK4D6P+YxpABJD9F+x

Score

10^/10

limerat xworm microsoft persistence phishing rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

chr.exe

Resource

win7-20231025-en

limerat xworm persistence rat trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

chr.exe

Resource

win10v2004-20231023-en

limerat xworm microsoft persistence phishing rat trojan

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

162.212.154.8:41589

Mutex

1fGBFdYzxtDnKgy4

Attributes

Install_directory
%AppData%
install_file
OneDrive.exe
telegram
https://api.telegram.org/bot6875063177:AAG1OPJLZ36MPY8oqR1DVb1VHR2wOmnCudg/sendMessage?chat_id=2136313574

aes.plain

Extracted

Family

limerat

Attributes

aes_key
devil
antivm
false
c2_url
https://pastebin.com/raw/rPy10VvM
delay
3
download_payload
false
install
true
install_name
Windows Session Manager.exe
main_folder
AppData
pin_spread
false
sub_folder
\Windows\
usb_spread
false

Targets

- Target
  
  chr.exe
- Size
  
  66KB
- MD5
  
  50b2b692da0c363e301709a28b30afaf
- SHA1
  
  098e00413ba405bcc72b71a5869c2d151e93448a
- SHA256
  
  d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49
- SHA512
  
  d463babcae95c3c200af5ae59aa5f89e2edeb267bb15e843f8a241e17794db1672067cba421ba38cda4e161151d93e5eb2e3bb06cd5ce6bc98d651ebf58f06ce
- SSDEEP
  
  1536:UJOjk0yzcRvVSfD8tzsy/jV49Gko0S/aATWJvQ3MJea9yn90+x:UJ70yK4D6P+YxpABJD9F+x
Score

10^/10

limerat xworm persistence rat trojan microsoft phishing
- Detect Xworm Payload
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Detected potential entity reuse from brand microsoft.
  phishing microsoft
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

limeratxwormpersistencerattrojan

behavioral2

limeratxwormmicrosoftpersistencephishingrattrojan

© 2018-2024

Terms | Privacy