limerat | b8bd1f2001371580a5d4ec4ede4878a2fd564a349e0cf66422bba7f0870e4f22

Analysis

max time kernel
149s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84890393814f5b5f09d7f41d6f0a90d6.exe
Size

276KB
MD5

84890393814f5b5f09d7f41d6f0a90d6
SHA1

9718f38173cb56d3ea7b2bf5893c61bc77810efd
SHA256

b8bd1f2001371580a5d4ec4ede4878a2fd564a349e0cf66422bba7f0870e4f22
SHA512

2d5e149035f731af62b9a7cc69a039a4b620e639e994b027e1b90e74a65cd5adc4a6fa0e8e351c09257b09d619d9523a9833925bbf929f2d4e2bfa748d96d50e
SSDEEP

3072:x+CCSpjGZodtSu2XkePqH1A0feINRDpepu/VeprFUU5jpPPxhkjXlj:QbYjGCSuykaoXfKsVepaUVnfYX

Score

10^/10

limerat rat

Malware Config

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	84890393814f5b5f09d7f41d6f0a90d6.exe

Executes dropped EXE 1 IoCs

pid	Process
4080	Wservices.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4348	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4080	Wservices.exe
Token: SeDebugPrivilege	4080	Wservices.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 4348	2444	84890393814f5b5f09d7f41d6f0a90d6.exe	95
PID 2444 wrote to memory of 4348	2444	84890393814f5b5f09d7f41d6f0a90d6.exe	95
PID 2444 wrote to memory of 4348	2444	84890393814f5b5f09d7f41d6f0a90d6.exe	95
PID 2444 wrote to memory of 4080	2444	84890393814f5b5f09d7f41d6f0a90d6.exe	99
PID 2444 wrote to memory of 4080	2444	84890393814f5b5f09d7f41d6f0a90d6.exe	99
PID 2444 wrote to memory of 4080	2444	84890393814f5b5f09d7f41d6f0a90d6.exe	99

C:\Users\Admin\AppData\Local\Temp\84890393814f5b5f09d7f41d6f0a90d6.exe
"C:\Users\Admin\AppData\Local\Temp\84890393814f5b5f09d7f41d6f0a90d6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\Wservices.exe'"
  2⤵
  - Creates scheduled task(s)
  PID:4348
- C:\Users\Admin\AppData\Roaming\Wservices.exe
  "C:\Users\Admin\AppData\Roaming\Wservices.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Wservices.exe

Filesize
276KB

MD5
84890393814f5b5f09d7f41d6f0a90d6

SHA1
9718f38173cb56d3ea7b2bf5893c61bc77810efd

SHA256
b8bd1f2001371580a5d4ec4ede4878a2fd564a349e0cf66422bba7f0870e4f22

SHA512
2d5e149035f731af62b9a7cc69a039a4b620e639e994b027e1b90e74a65cd5adc4a6fa0e8e351c09257b09d619d9523a9833925bbf929f2d4e2bfa748d96d50e

Download Submit
C:\Users\Admin\AppData\Roaming\Wservices.exe

Filesize
157KB

MD5
f3cdb6b238b2642751cba255fc4f2f0f

SHA1
f66641e86559c076a794afc6f32824680710e97c

SHA256
35544ba550df31ee028201e91f0f289a6345bc7715fbea452988b51f3a896933

SHA512
ec268dbcc54557874d35a35da9ec38f91ec7c30ff751d4d4bf71ca48b41ca23a866d0df8b55de266c4c786d184ab39cdbe47cc693b4f33163e22d3cf8c3c4228

Download Submit
memory/2444-3-0x0000000005390000-0x000000000542C000-memory.dmp

Filesize
624KB

Download
memory/2444-0-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/2444-4-0x0000000005630000-0x0000000005696000-memory.dmp

Filesize
408KB

Download
memory/2444-5-0x0000000006050000-0x00000000065F4000-memory.dmp

Filesize
5.6MB

Download
memory/2444-2-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/2444-1-0x0000000000940000-0x000000000098C000-memory.dmp

Filesize
304KB

Download
memory/2444-14-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/2444-19-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/2444-18-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/4080-16-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/4080-17-0x0000000005400000-0x0000000005410000-memory.dmp

Filesize
64KB

Download
memory/4080-20-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/4080-21-0x0000000005400000-0x0000000005410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads