limerat | 7a9a5279a3ced8e2aabcb0edf0c1f5f935d33b49807de894774ad8f9c51a02f8

General

Target

f998121d523426ed0afed3d21dfb0d69.exe
Size

380KB
MD5

f998121d523426ed0afed3d21dfb0d69
SHA1

fd4da5a1bd5ec4d6508c78a01f0002a3348df0e7
SHA256

7a9a5279a3ced8e2aabcb0edf0c1f5f935d33b49807de894774ad8f9c51a02f8
SHA512

c701c0bd0a129adb3593e66d6867f605f305a28c02351c3df607505f0e6bbe66d8755d8b9ac8ea22b550b233fed7335a179100b8bf889d843d6a8a540b1334f0
SSDEEP

6144:V6C4vUQ2R02etDfet3Agp0q9ygbX+1RzDU8vTMpcvEF:V7Q002e1saMJcR/VbKcvi

Score

10^/10

limerat agilenet rat

Malware Config

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/tDBQY6gT
download_payload
false
install
false
pin_spread
false
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Executes dropped EXE 1 IoCs

pid	Process
2524	Window Security Notification.exe

Loads dropped DLL 4 IoCs

pid	Process
2812	f998121d523426ed0afed3d21dfb0d69.exe
2812	f998121d523426ed0afed3d21dfb0d69.exe
2812	f998121d523426ed0afed3d21dfb0d69.exe
2524	Window Security Notification.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x00070000000152c7-16.dat	agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2204	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	Window Security Notification.exe
Token: SeDebugPrivilege	2524	Window Security Notification.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 2204	2812	f998121d523426ed0afed3d21dfb0d69.exe	30
PID 2812 wrote to memory of 2204	2812	f998121d523426ed0afed3d21dfb0d69.exe	30
PID 2812 wrote to memory of 2204	2812	f998121d523426ed0afed3d21dfb0d69.exe	30
PID 2812 wrote to memory of 2204	2812	f998121d523426ed0afed3d21dfb0d69.exe	30
PID 2812 wrote to memory of 2524	2812	f998121d523426ed0afed3d21dfb0d69.exe	32
PID 2812 wrote to memory of 2524	2812	f998121d523426ed0afed3d21dfb0d69.exe	32
PID 2812 wrote to memory of 2524	2812	f998121d523426ed0afed3d21dfb0d69.exe	32
PID 2812 wrote to memory of 2524	2812	f998121d523426ed0afed3d21dfb0d69.exe	32

C:\Users\Admin\AppData\Local\Temp\f998121d523426ed0afed3d21dfb0d69.exe
"C:\Users\Admin\AppData\Local\Temp\f998121d523426ed0afed3d21dfb0d69.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\System32\Window Security Notification.exe'"
  2⤵
  - Creates scheduled task(s)
  PID:2204
- C:\Users\Admin\System32\Window Security Notification.exe
  "C:\Users\Admin\System32\Window Security Notification.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\658fe764-17b2-4bab-9272-0ccf7d8dc77a\AgileDotNetRT.dll

Filesize
140KB

MD5
edd74be9723cdc6a5692954f0e51c9f3

SHA1
e9fb66ceee1ba4ce7e5b8271b3e1ed7cb9acf686

SHA256
55ff1e0a4e5866d565ceeb9baafac73fdcb4464160fc6c78104d935009935cd7

SHA512
80abecdd07f364283f216d8f4d90a4da3efd4561900631fce05c2916afeb1b5bbce23ae92d57430b7b2b06c172b2ad701b2ab75b6dfd2a861abcf7edc38462f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA49C.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA4CD.tmp

Filesize
147KB

MD5
7ccd0d5e263e32b8c7009b6900966446

SHA1
0b3c4f22c57adb33e7c167d25c6461492016564b

SHA256
3c62f9bbdd04e7ea33cfb3a5fd99fb3a9a8468da6d1323283ad8684d5e3c2e1a

SHA512
ef396928764812cda979c1468910473264bdf07233851a4a49ec320939f1fce39fe2ef8455519ac6ce600b7a94546405f25ffa0f6cdba76865a2df8887bb903b

Download Submit
\Users\Admin\System32\Window Security Notification.exe

Filesize
380KB

MD5
f998121d523426ed0afed3d21dfb0d69

SHA1
fd4da5a1bd5ec4d6508c78a01f0002a3348df0e7

SHA256
7a9a5279a3ced8e2aabcb0edf0c1f5f935d33b49807de894774ad8f9c51a02f8

SHA512
c701c0bd0a129adb3593e66d6867f605f305a28c02351c3df607505f0e6bbe66d8755d8b9ac8ea22b550b233fed7335a179100b8bf889d843d6a8a540b1334f0

Download Submit
memory/2524-29-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2524-34-0x0000000074650000-0x0000000074678000-memory.dmp

Filesize
160KB

Download
memory/2524-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2524-32-0x0000000073FB0000-0x000000007455B000-memory.dmp

Filesize
5.7MB

Download
memory/2524-31-0x0000000074650000-0x0000000074678000-memory.dmp

Filesize
160KB

Download
memory/2524-30-0x0000000073FB0000-0x000000007455B000-memory.dmp

Filesize
5.7MB

Download
memory/2524-27-0x0000000073DE0000-0x0000000073E3B000-memory.dmp

Filesize
364KB

Download
memory/2524-28-0x0000000073FB0000-0x000000007455B000-memory.dmp

Filesize
5.7MB

Download
memory/2812-9-0x00000000736B0000-0x00000000736D8000-memory.dmp

Filesize
160KB

Download
memory/2812-23-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download
memory/2812-14-0x00000000736B0000-0x00000000736D8000-memory.dmp

Filesize
160KB

Download
memory/2812-13-0x0000000002110000-0x0000000002150000-memory.dmp

Filesize
256KB

Download
memory/2812-11-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download
memory/2812-0-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download
memory/2812-10-0x0000000073E80000-0x0000000073EDB000-memory.dmp

Filesize
364KB

Download
memory/2812-2-0x0000000002110000-0x0000000002150000-memory.dmp

Filesize
256KB

Download
memory/2812-1-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads