limerat | 05f0ad4df75e687b4a188f34e31a60afb0a772d32e51f6e77f62ec484e7cf35e

General

Target

de02ba99f65d07c4973b33fec5aefdac.exe
Size

1.6MB
MD5

de02ba99f65d07c4973b33fec5aefdac
SHA1

54419bd1e07a8e3ab393c55cf55570bc3fe2b526
SHA256

05f0ad4df75e687b4a188f34e31a60afb0a772d32e51f6e77f62ec484e7cf35e
SHA512

c38740af611109ebae7552045e4b1d88909840d54c91ad585adba52b2d36be806fde3f84c1cd18c086debe995ef5475faf9b53614ebe83fe56825c97a877d6d8
SSDEEP

49152:ReKvWKlH8SM3ShGiSTZdXTZdHXTZdXTZ:

Score

10^/10

limerat persistence rat

Malware Config

Extracted

Family

limerat

Wallets

3Qus18px7doBsKbzeHGBmnanWuPS4S3tAn

Attributes

aes_key
7aXx4CiaQxg8Py3gI
antivm
true
c2_url
https://pastebin.com/raw/ZJvAZBza
delay
60
download_payload
false
install
true
install_name
csrss.exe
main_folder
Temp
pin_spread
true
sub_folder
\
usb_spread
true

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Executes dropped EXE 3 IoCs

pid	Process
2624	TeraBIT Virus Maker 3.1 (1).exe
2968	Wservices.exe
1560	Wservices.exe

Loads dropped DLL 3 IoCs

pid	Process
2360	de02ba99f65d07c4973b33fec5aefdac.exe
2360	de02ba99f65d07c4973b33fec5aefdac.exe
2360	de02ba99f65d07c4973b33fec5aefdac.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wservices.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Wservices.exe"	de02ba99f65d07c4973b33fec5aefdac.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2968 set thread context of 1560	2968	Wservices.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2624	TeraBIT Virus Maker 3.1 (1).exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2624	2360	de02ba99f65d07c4973b33fec5aefdac.exe	28
PID 2360 wrote to memory of 2624	2360	de02ba99f65d07c4973b33fec5aefdac.exe	28
PID 2360 wrote to memory of 2624	2360	de02ba99f65d07c4973b33fec5aefdac.exe	28
PID 2360 wrote to memory of 2624	2360	de02ba99f65d07c4973b33fec5aefdac.exe	28
PID 2360 wrote to memory of 2968	2360	de02ba99f65d07c4973b33fec5aefdac.exe	31
PID 2360 wrote to memory of 2968	2360	de02ba99f65d07c4973b33fec5aefdac.exe	31
PID 2360 wrote to memory of 2968	2360	de02ba99f65d07c4973b33fec5aefdac.exe	31
PID 2360 wrote to memory of 2968	2360	de02ba99f65d07c4973b33fec5aefdac.exe	31
PID 2968 wrote to memory of 1560	2968	Wservices.exe	32
PID 2968 wrote to memory of 1560	2968	Wservices.exe	32
PID 2968 wrote to memory of 1560	2968	Wservices.exe	32
PID 2968 wrote to memory of 1560	2968	Wservices.exe	32
PID 2968 wrote to memory of 1560	2968	Wservices.exe	32
PID 2968 wrote to memory of 1560	2968	Wservices.exe	32
PID 2968 wrote to memory of 1560	2968	Wservices.exe	32
PID 2968 wrote to memory of 1560	2968	Wservices.exe	32

C:\Users\Admin\AppData\Local\Temp\de02ba99f65d07c4973b33fec5aefdac.exe
"C:\Users\Admin\AppData\Local\Temp\de02ba99f65d07c4973b33fec5aefdac.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\TeraBIT Virus Maker 3.1 (1).exe
  "C:\Users\Admin\AppData\Local\Temp\TeraBIT Virus Maker 3.1 (1).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2624
- C:\Users\Admin\AppData\Roaming\Wservices.exe
  "C:\Users\Admin\AppData\Roaming\Wservices.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Users\Admin\AppData\Roaming\Wservices.exe
    "C:\Users\Admin\AppData\Roaming\Wservices.exe"
    3⤵
    - Executes dropped EXE
    PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Wservices.exe

Filesize
709KB

MD5
f4ff4ceb4cc85a280ed26f892f22c3a2

SHA1
1ec2e312693367216e25b30f95cecc2092a57fb4

SHA256
a8b46ea560c34dea55a54d1972a88997387e6e549853b3fc0883856b2ee04494

SHA512
df8d92e0bfc00a9ff2918b92af8deb9f5dcaf8b3498b9d46d53d9fea4c601bc7e9f6ebf904213ecaf83d8238192b3004e046bf2c3a3981248bdffce3aa004b8f

Download Submit
C:\Users\Admin\AppData\Roaming\Wservices.exe

Filesize
388KB

MD5
ceaf8241dd72a70cbb0d9f88ddd49846

SHA1
6d5531e66c895c8e54aa57225a079219653aa295

SHA256
587f76428a4a2e87f9abc2f7287b2d0b9061fd5cad11be2646d985f1d930f3c2

SHA512
f05d97533b3e460f566baefa5752638ef12d0603b65a5dca587b37e8ed4df2bc0d5ec799bd72c4efceafe868dbc0dde264d225cf8d4fba7e89609d4ccb97bd5a

Download Submit
memory/1560-28-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1560-42-0x0000000073B20000-0x000000007420E000-memory.dmp

Filesize
6.9MB

Download
memory/1560-41-0x0000000073B20000-0x000000007420E000-memory.dmp

Filesize
6.9MB

Download
memory/1560-40-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1560-38-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1560-26-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1560-34-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1560-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1560-30-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2360-0-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/2360-1-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download
memory/2360-21-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download
memory/2360-13-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download
memory/2968-23-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download
memory/2968-37-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download
memory/2968-25-0x0000000004A30000-0x0000000004A70000-memory.dmp

Filesize
256KB

Download
memory/2968-24-0x0000000000720000-0x0000000000738000-memory.dmp

Filesize
96KB

Download
memory/2968-22-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads