limerat | 34c61248dd915a7a98ecbd9c2768f924560a22187ef8967c028d6497466b86a4

Analysis

max time kernel
47s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2023 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bb1da8969140aa7051ddda703293192.exe
Size

497KB
MD5

9bb1da8969140aa7051ddda703293192
SHA1

05e55309ff756dcfc7bd67fedaf96c6a82ead5a0
SHA256

34c61248dd915a7a98ecbd9c2768f924560a22187ef8967c028d6497466b86a4
SHA512

62ca279b4442959894075d68b75e8825238399603b3cb180aae2c5734837c6568a09e89f4a810b9c2c68db93c6cd610820cb58efa759b54ef715f569da5731c2
SSDEEP

6144:deNgRqCji5ZOLrw67cdNaVzkFXKaKc5+LGWXKfF6z/d9F48W46Nh9hx1A8RskdUO:dHqCm87iS/d348khf9uuoFi9QcA

Score

10^/10

limerat rat

Malware Config

Extracted

Family

limerat

Wallets

bc1q5746qkzdr628cmq4swa02lpu2mk69t0pdxdgzs

Attributes

aes_key
Wealth1000$
antivm
false
c2_url
https://pastebin.com/raw/LF04hVta
delay
3
download_payload
false
install
false
install_name
Wservices.exe
main_folder
Temp
pin_spread
false
sub_folder
\
usb_spread
true

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

resource	yara_rule
behavioral2/memory/968-7-0x0000000005510000-0x0000000005522000-memory.dmp	CustAttr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4500	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\9bb1da8969140aa7051ddda703293192.exe
"C:\Users\Admin\AppData\Local\Temp\9bb1da8969140aa7051ddda703293192.exe"
1⤵
PID:968
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hAeDOVFrht" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF608.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:4500
- C:\Users\Admin\AppData\Local\Temp\9bb1da8969140aa7051ddda703293192.exe
  "C:\Users\Admin\AppData\Local\Temp\9bb1da8969140aa7051ddda703293192.exe"
  2⤵
  PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9bb1da8969140aa7051ddda703293192.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF608.tmp

Filesize
1KB

MD5
d5230c9e3fe12d2ae0ebf417aee3290f

SHA1
303bbca08731e253ced88a4bcf0f5f80bda5127e

SHA256
6dd632e53cb67e2e177067f836b3e5fefa616f74d3633ded14baf195be6b04bd

SHA512
9d18c8992468021a27e644ff7030d32cd2a3ff0ee04cec67ba851e1d6a66c654eb3380ec84d9d9909f601b4b4cd9e05c695def52f4a37258cfd1ef0590903462

Download Submit
memory/968-11-0x00000000065D0000-0x00000000065DE000-memory.dmp

Filesize
56KB

Download
memory/968-10-0x00000000069E0000-0x0000000006A36000-memory.dmp

Filesize
344KB

Download
memory/968-6-0x0000000005180000-0x000000000521C000-memory.dmp

Filesize
624KB

Download
memory/968-4-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/968-3-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/968-7-0x0000000005510000-0x0000000005522000-memory.dmp

Filesize
72KB

Download
memory/968-8-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/968-9-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/968-0-0x00000000003D0000-0x0000000000452000-memory.dmp

Filesize
520KB

Download
memory/968-5-0x0000000004E60000-0x0000000004E6A000-memory.dmp

Filesize
40KB

Download
memory/968-21-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/968-1-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/968-2-0x00000000055A0000-0x0000000005B44000-memory.dmp

Filesize
5.6MB

Download
memory/4612-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4612-20-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/4612-22-0x0000000005610000-0x0000000005676000-memory.dmp

Filesize
408KB

Download
memory/4612-23-0x0000000003070000-0x0000000003080000-memory.dmp

Filesize
64KB

Download
memory/4612-24-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/4612-25-0x0000000003070000-0x0000000003080000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads