Overview

overview

10

Static

static

7

f998121d52...69.exe

windows7-x64

10

f998121d52...69.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-12-2023 21:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f998121d523426ed0afed3d21dfb0d69.exe

  • Size

    380KB

  • MD5

    f998121d523426ed0afed3d21dfb0d69

  • SHA1

    fd4da5a1bd5ec4d6508c78a01f0002a3348df0e7

  • SHA256

    7a9a5279a3ced8e2aabcb0edf0c1f5f935d33b49807de894774ad8f9c51a02f8

  • SHA512

    c701c0bd0a129adb3593e66d6867f605f305a28c02351c3df607505f0e6bbe66d8755d8b9ac8ea22b550b233fed7335a179100b8bf889d843d6a8a540b1334f0

  • SSDEEP

    6144:V6C4vUQ2R02etDfet3Agp0q9ygbX+1RzDU8vTMpcvEF:V7Q002e1saMJcR/VbKcvi

Score
10/10
limeratagilenetrat

Malware Config

Extracted

Family

limerat

Attributes
  • antivm

    false

  • c2_url

    https://pastebin.com/raw/tDBQY6gT

  • download_payload

    false

  • install

    false

  • pin_spread

    false

  • usb_spread

    false

Signatures

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

    ratlimerat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Obfuscated with Agile.Net obfuscator 2 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f998121d523426ed0afed3d21dfb0d69.exe
    "C:\Users\Admin\AppData\Local\Temp\f998121d523426ed0afed3d21dfb0d69.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:736
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\System32\Window Security Notification.exe'"
      2⤵
      • Creates scheduled task(s)
      PID:2764
    • C:\Users\Admin\System32\Window Security Notification.exe
      "C:\Users\Admin\System32\Window Security Notification.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:4368

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\658fe764-17b2-4bab-9272-0ccf7d8dc77a\AgileDotNetRT.dll
    Filesize

    92KB

    MD5

    204b7464d17afccd163d9b31487a1aea

    SHA1

    cf541da3a537ba4154a4e8ef35fe9980b24d0a75

    SHA256

    6d51b6527fdb08c71b5382e17de5eef7fed85fa8ead2f18b61d274c78b7b2645

    SHA512

    53e6e23c9d7a83214a7c4d8ce6288508f45074b81679c56207a9e1d1a014d4de10d0a4374edd85af8ba979b196e44adb28087035189c498a4b29a5ac91d2b233

    Download Submit

  • C:\Users\Admin\System32\Window Security Notification.exe
    Filesize

    380KB

    MD5

    f998121d523426ed0afed3d21dfb0d69

    SHA1

    fd4da5a1bd5ec4d6508c78a01f0002a3348df0e7

    SHA256

    7a9a5279a3ced8e2aabcb0edf0c1f5f935d33b49807de894774ad8f9c51a02f8

    SHA512

    c701c0bd0a129adb3593e66d6867f605f305a28c02351c3df607505f0e6bbe66d8755d8b9ac8ea22b550b233fed7335a179100b8bf889d843d6a8a540b1334f0

    Download Submit

  • C:\Users\Admin\System32\Window Security Notification.exe
    Filesize

    92KB

    MD5

    19571c35290772c408f41f36e8769187

    SHA1

    803a98ae35f5a2cb01cc21200226b161443d1040

    SHA256

    3c7796950be03113ff033e55d115e9579ce1dcbe09288fc15eed958cf6638377

    SHA512

    660f100e11c0f91ac320eb19ddf978fbf3040ba2f5a98fff05e066eea608ef508b10d24e7a71021340332a3bf5392787a0f13261837a8b6db539a03dbdc06c10

    Download Submit

  • memory/736-24-0x0000000075070000-0x0000000075621000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/736-10-0x0000000073D90000-0x0000000073DEB000-memory.dmp

    Filesize

    364KB

    Download

  • memory/736-0-0x0000000075070000-0x0000000075621000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/736-2-0x0000000075070000-0x0000000075621000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/736-27-0x0000000073580000-0x00000000735A8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/736-11-0x0000000073580000-0x00000000735A8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/736-1-0x0000000001710000-0x0000000001720000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4368-30-0x0000000075070000-0x0000000075621000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4368-25-0x0000000075070000-0x0000000075621000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4368-32-0x00000000735B0000-0x00000000735D8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/4368-31-0x0000000073D90000-0x0000000073DEB000-memory.dmp

    Filesize

    364KB

    Download

  • memory/4368-26-0x00000000007C0000-0x00000000007D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4368-33-0x00000000007C0000-0x00000000007D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4368-34-0x0000000075070000-0x0000000075621000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4368-35-0x00000000735B0000-0x00000000735D8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/4368-36-0x00000000007C0000-0x00000000007D0000-memory.dmp

    Filesize

    64KB

    Download