limerat | afd7b91be42e614fa8f3488f8cf2024b1a5b364c4b66c514fa86940b06c93515

General

Target

80aabd5337136686aefe2ff1e6da8d5a.exe
Size

563KB
MD5

80aabd5337136686aefe2ff1e6da8d5a
SHA1

a749d303f5a928cff0d66ac23a704b90837ea0f9
SHA256

afd7b91be42e614fa8f3488f8cf2024b1a5b364c4b66c514fa86940b06c93515
SHA512

5472e503c6e18297efcac3cb0b78dd1c4798f6d60695bf738aba8cfdf42902a2b9d5fb0bf35503750efd6a31ea1cb0144fa07f3f31aeaaee8bd492c0a501fe5a
SSDEEP

12288:6V6zPygCa+DZjF1/A/ZMvGTsv+wD1IRJ+ZN1JBCGoOdnq1T:c6zPXCa+DZj3/SOvPGkZ13ox

Score

10^/10

limerat rat

Malware Config

Extracted

Family

limerat

Wallets

False

Attributes

aes_key
admin12345$
antivm
false
c2_url
https://pastebin.com/raw/dd1yrjpH
download_payload
false
install
false
install_name
settings.exe
main_folder
False
payload_url
True
pin_spread
false
sub_folder
True
usb_spread
false

Signatures

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/3428-0-0x0000015FF2BC0000-0x0000015FF2C52000-memory.dmp	disable_win_def
C:\ProgramData\Provisioning\settings.exe	disable_win_def
C:\ProgramData\Provisioning\settings.exe	disable_win_def

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Drops file in Drivers directory 1 IoCs

Processes:

settings.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts settings.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	settings.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

80aabd5337136686aefe2ff1e6da8d5a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	80aabd5337136686aefe2ff1e6da8d5a.exe

Executes dropped EXE 1 IoCs

Processes:

settings.exe

pid process

884 settings.exe

pid	process
884	settings.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

80aabd5337136686aefe2ff1e6da8d5a.exesettings.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\LinkM\desktop.ini	80aabd5337136686aefe2ff1e6da8d5a.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\LinkM\desktop.ini	80aabd5337136686aefe2ff1e6da8d5a.exe
File created	C:\Users\Admin\AppData\Roaming\LinkM\desktop.ini	settings.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2108 schtasks.exe
3312 schtasks.exe

pid	process
2108	schtasks.exe
3312	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

80aabd5337136686aefe2ff1e6da8d5a.exesettings.exe

pid	process
3428	80aabd5337136686aefe2ff1e6da8d5a.exe
3428	80aabd5337136686aefe2ff1e6da8d5a.exe
3428	80aabd5337136686aefe2ff1e6da8d5a.exe
3428	80aabd5337136686aefe2ff1e6da8d5a.exe
884	settings.exe
884	settings.exe
884	settings.exe
884	settings.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

80aabd5337136686aefe2ff1e6da8d5a.exesettings.exe

description	pid	process
Token: SeDebugPrivilege	3428	80aabd5337136686aefe2ff1e6da8d5a.exe
Token: SeDebugPrivilege	884	settings.exe
Token: SeDebugPrivilege	884	settings.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

80aabd5337136686aefe2ff1e6da8d5a.execmd.exesettings.exe

description	pid	process	target process
PID 3428 wrote to memory of 2108	3428	80aabd5337136686aefe2ff1e6da8d5a.exe	schtasks.exe
PID 3428 wrote to memory of 2108	3428	80aabd5337136686aefe2ff1e6da8d5a.exe	schtasks.exe
PID 3428 wrote to memory of 4108	3428	80aabd5337136686aefe2ff1e6da8d5a.exe	cmd.exe
PID 3428 wrote to memory of 4108	3428	80aabd5337136686aefe2ff1e6da8d5a.exe	cmd.exe
PID 4108 wrote to memory of 3976	4108	cmd.exe	attrib.exe
PID 4108 wrote to memory of 3976	4108	cmd.exe	attrib.exe
PID 4108 wrote to memory of 4636	4108	cmd.exe	attrib.exe
PID 4108 wrote to memory of 4636	4108	cmd.exe	attrib.exe
PID 3428 wrote to memory of 884	3428	80aabd5337136686aefe2ff1e6da8d5a.exe	settings.exe
PID 3428 wrote to memory of 884	3428	80aabd5337136686aefe2ff1e6da8d5a.exe	settings.exe
PID 884 wrote to memory of 3312	884	settings.exe	schtasks.exe
PID 884 wrote to memory of 3312	884	settings.exe	schtasks.exe
PID 884 wrote to memory of 1960	884	settings.exe	cmd.exe
PID 884 wrote to memory of 1960	884	settings.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 4 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

4636 attrib.exe
3976 attrib.exe
4776 attrib.exe
1400 attrib.exe

pid	process
4636	attrib.exe
3976	attrib.exe
4776	attrib.exe
1400	attrib.exe

C:\Users\Admin\AppData\Local\Temp\80aabd5337136686aefe2ff1e6da8d5a.exe
"C:\Users\Admin\AppData\Local\Temp\80aabd5337136686aefe2ff1e6da8d5a.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /create /f /sc MINUTE /mo 5 /RL LIMITED /tn UDMR /tr "'C:\ProgramData\Provisioning\settings.exe'"
  2⤵
  - Creates scheduled task(s)
  PID:2108
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c attrib +H +S "C:\ProgramData\\Provisioning" & attrib +H +S "C:\ProgramData\\Provisioning\*" /S /D
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4108
- C:\ProgramData\Provisioning\settings.exe
  "C:\ProgramData\Provisioning\settings.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 5 /RL LIMITED /tn UDMR /tr "'C:\ProgramData\Provisioning\settings.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:3312
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c attrib +H +S "C:\ProgramData\\Provisioning" & attrib +H +S "C:\ProgramData\\Provisioning\*" /S /D
    3⤵
    PID:1960
  - - C:\Windows\system32\attrib.exe
      attrib +H +S "C:\ProgramData\\Provisioning"
      4⤵
      Views/modifies file attributes
      PID:4776
  - - C:\Windows\system32\attrib.exe
      attrib +H +S "C:\ProgramData\\Provisioning\*" /S /D
      4⤵
      Views/modifies file attributes
      PID:1400

C:\Windows\system32\attrib.exe
attrib +H +S "C:\ProgramData\\Provisioning\*" /S /D
1⤵
- Views/modifies file attributes
PID:4636

C:\Windows\system32\attrib.exe
attrib +H +S "C:\ProgramData\\Provisioning"
1⤵
- Views/modifies file attributes
PID:3976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Provisioning\settings.exe

Filesize
92KB

MD5
93bbebeefc61ec02ece36c5561ecfd47

SHA1
ead084d3d0c3a70b7191b1bc782b2c665d004947

SHA256
135f95a7e0bd58875d363b5d9bdf6aae2945acb45bc25cdcc3890e9d0137629e

SHA512
1bb44be21d29ec976a66ddae5a14d8fed0c0e8217f89790c60f883aee1cf649b56ba9fc651c06ecb90749a4745579acaccacc37c088d5cbc46d2de9d65cd5550

Download Submit
C:\ProgramData\Provisioning\settings.exe

Filesize
64KB

MD5
9842a57b5d1fe2853c1159951ca2ad29

SHA1
c4bc21d368ffab1ecb68209e41a08dc602940b75

SHA256
8cfb78fb7de9c01449943f0d4ba0295d37b790c5a07df0f2839cf1533dd51440

SHA512
a392a1c0ee06319fbb5f7af0ab1dca30b919256d2407352b27ef0bac3452b45c3d89a39231d299efce000bd04228830c6ed396ca0a51eeb1ee75e72c82447f6a

Download Submit
C:\Users\Admin\AppData\Roaming\LinkM\settings.exe.lnk

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/884-10-0x00007FFFBF2C0000-0x00007FFFBFD81000-memory.dmp

Filesize
10.8MB

Download
memory/884-13-0x0000019157E00000-0x0000019157E10000-memory.dmp

Filesize
64KB

Download
memory/884-14-0x00007FFFBF2C0000-0x00007FFFBFD81000-memory.dmp

Filesize
10.8MB

Download
memory/3428-0-0x0000015FF2BC0000-0x0000015FF2C52000-memory.dmp

Filesize
584KB

Download
memory/3428-1-0x00007FFFBF2C0000-0x00007FFFBFD81000-memory.dmp

Filesize
10.8MB

Download
memory/3428-6-0x0000015FF52C0000-0x0000015FF52D0000-memory.dmp

Filesize
64KB

Download
memory/3428-9-0x00007FFFBF2C0000-0x00007FFFBFD81000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads