Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
28-12-2023 12:14
General
-
Target
de02ba99f65d07c4973b33fec5aefdac.exe
-
Size
1.6MB
-
MD5
de02ba99f65d07c4973b33fec5aefdac
-
SHA1
54419bd1e07a8e3ab393c55cf55570bc3fe2b526
-
SHA256
05f0ad4df75e687b4a188f34e31a60afb0a772d32e51f6e77f62ec484e7cf35e
-
SHA512
c38740af611109ebae7552045e4b1d88909840d54c91ad585adba52b2d36be806fde3f84c1cd18c086debe995ef5475faf9b53614ebe83fe56825c97a877d6d8
-
SSDEEP
49152:ReKvWKlH8SM3ShGiSTZdXTZdHXTZdXTZ:
Malware Config
Extracted
limerat
3Qus18px7doBsKbzeHGBmnanWuPS4S3tAn
-
aes_key
7aXx4CiaQxg8Py3gI
-
antivm
true
-
c2_url
https://pastebin.com/raw/ZJvAZBza
-
delay
60
-
download_payload
false
-
install
true
-
install_name
csrss.exe
-
main_folder
Temp
-
pin_spread
true
-
sub_folder
\
-
usb_spread
true
Signatures
-
LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\de02ba99f65d07c4973b33fec5aefdac.exe"C:\Users\Admin\AppData\Local\Temp\de02ba99f65d07c4973b33fec5aefdac.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\TeraBIT Virus Maker 3.1 (1).exe"C:\Users\Admin\AppData\Local\Temp\TeraBIT Virus Maker 3.1 (1).exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Roaming\Wservices.exe"C:\Users\Admin\AppData\Roaming\Wservices.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Wservices.exe"C:\Users\Admin\AppData\Roaming\Wservices.exe"3⤵
- Executes dropped EXE
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
617B
MD5e07efe3f1e4fcc39483a46d0644e1750
SHA1083566e513d8090982a8f2d2c57864f7e5eea721
SHA256d35da5dbc639e94852448d93722de5260388abf8a0a6b80d947d8acf02209617
SHA512e29fac6efce55130598dd9ca0be18e2934d8ed417087848f4c80c1754312f1dae2eb0fc3e85e58aa11abde23a221bdf8f6b80df3a9acad4891626f667f05b474
-
Filesize
92KB
MD5024f402d39741ad9238703ab750575f4
SHA12bd19f9be8b06f032d302224700673bd71e1b828
SHA256dd95a729cc73cc5383d8951d4f36f70c381fe0a666b8f4309b03959ad591b338
SHA512db9ffdb6076620efe51de89e6b9a19240ebec0e8faf127887abf4bad654c56893814d0a87ffd6975680e9dab15d217d13dde94633552b72b194df0b7ef2bcbd7
-
Filesize
676KB
MD55b7cbfc8d8bc22798ee4fc4aa4b03e3b
SHA176f643b3f67f76f4182ef18e43e298e2e8570044
SHA25635bcbae8dd3191cf58c48618d0cc43fb8fee8493e7c872d7742b4d499c383af9
SHA51285228be9bc801d412bab150f3238c95390e18ab5f3a88bbc2406a40818e7c4482e77462b4a302be78075b1b631d6ac4a5939b8040d3742d3b822361642f796bd
-
Filesize
93KB
MD58e2f9bd352a3565403007d870bfb6e3f
SHA1403f20a51785612502325afd824b582601cda6e0
SHA25651ad5bd0d41b2f4e1529eddac54a2a32897ed8f4367db0e5ab440024c65bb448
SHA512c19e50d3c63038957356528a35cd29225cd7c23ea1e8807e1664beada6b1cd31b1405c85b5fe700b5a66d5120c9cdd12935cc6f4a9de62e26416fb30f53a51d7
-
Filesize
7.7MB
-
Filesize
48KB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
1.6MB
-
Filesize
7.7MB
-
Filesize
624KB
-
Filesize
7.7MB
-
Filesize
96KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
7.7MB