limerat | 72b8deec4c725fa64676fc74a84ad2426ddee89a3b3c8bb00073ef10514ddb9f

Analysis

max time kernel
110s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b9c865fd057f370f77e5f2e96922088.exe
Size

717KB
MD5

2b9c865fd057f370f77e5f2e96922088
SHA1

3dc962377b0937fec1f10f6ac585e75e6bab92e0
SHA256

72b8deec4c725fa64676fc74a84ad2426ddee89a3b3c8bb00073ef10514ddb9f
SHA512

e5e4e5aaec72c76926ca1c27856af07131b7d6c348c99481b8f2e1cf9960ed5a4826dffa2394cdbeec91cd8a7dd9a1eebf55c09871180d0e6564c764c1a0e351
SSDEEP

12288:25WafCzLOmE6+/QkvRklicBbRVjoq8OUXD7Wp/qwYnwnTRVY8I4J2pbFpe+FHAqg:CzfCHzD+/BRkUzEvp/N

Score

10^/10

limerat rat

Malware Config

Extracted

Family

limerat

Wallets

bc1qdajqyl8uarnz63e2we9xchx3zqcd5xcyfshfyk

Attributes

aes_key
lime
antivm
true
c2_url
https://pastebin.com/raw/4Xj3extx
delay
3
download_payload
false
install
true
install_name
Wservices.exe
main_folder
Temp
pin_spread
false
sub_folder
\
usb_spread
true

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2b9c865fd057f370f77e5f2e96922088.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	2b9c865fd057f370f77e5f2e96922088.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2b9c865fd057f370f77e5f2e96922088.exe

description pid process target process

PID 5004 set thread context of 1120 5004 2b9c865fd057f370f77e5f2e96922088.exe 2b9c865fd057f370f77e5f2e96922088.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

636 schtasks.exe
1468 schtasks.exe

description	pid	process	target process
PID 5004 set thread context of 1120	5004	2b9c865fd057f370f77e5f2e96922088.exe	2b9c865fd057f370f77e5f2e96922088.exe

pid	process
636	schtasks.exe
1468	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid	process
3872	powershell.exe
3872	powershell.exe
1640	powershell.exe
1640	powershell.exe
3164	powershell.exe
3164	powershell.exe
1640	powershell.exe
3872	powershell.exe
3164	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3872 powershell.exe
Token: SeDebugPrivilege 3164 powershell.exe
Token: SeDebugPrivilege 1640 powershell.exe

description	pid	process
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeDebugPrivilege	3164	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

2b9c865fd057f370f77e5f2e96922088.exe2b9c865fd057f370f77e5f2e96922088.exe

description	pid	process	target process
PID 5004 wrote to memory of 3872	5004	2b9c865fd057f370f77e5f2e96922088.exe	powershell.exe
PID 5004 wrote to memory of 3872	5004	2b9c865fd057f370f77e5f2e96922088.exe	powershell.exe
PID 5004 wrote to memory of 3872	5004	2b9c865fd057f370f77e5f2e96922088.exe	powershell.exe
PID 5004 wrote to memory of 1640	5004	2b9c865fd057f370f77e5f2e96922088.exe	powershell.exe
PID 5004 wrote to memory of 1640	5004	2b9c865fd057f370f77e5f2e96922088.exe	powershell.exe
PID 5004 wrote to memory of 1640	5004	2b9c865fd057f370f77e5f2e96922088.exe	powershell.exe
PID 5004 wrote to memory of 1468	5004	2b9c865fd057f370f77e5f2e96922088.exe	schtasks.exe
PID 5004 wrote to memory of 1468	5004	2b9c865fd057f370f77e5f2e96922088.exe	schtasks.exe
PID 5004 wrote to memory of 1468	5004	2b9c865fd057f370f77e5f2e96922088.exe	schtasks.exe
PID 5004 wrote to memory of 3164	5004	2b9c865fd057f370f77e5f2e96922088.exe	powershell.exe
PID 5004 wrote to memory of 3164	5004	2b9c865fd057f370f77e5f2e96922088.exe	powershell.exe
PID 5004 wrote to memory of 3164	5004	2b9c865fd057f370f77e5f2e96922088.exe	powershell.exe
PID 5004 wrote to memory of 1120	5004	2b9c865fd057f370f77e5f2e96922088.exe	2b9c865fd057f370f77e5f2e96922088.exe
PID 5004 wrote to memory of 1120	5004	2b9c865fd057f370f77e5f2e96922088.exe	2b9c865fd057f370f77e5f2e96922088.exe
PID 5004 wrote to memory of 1120	5004	2b9c865fd057f370f77e5f2e96922088.exe	2b9c865fd057f370f77e5f2e96922088.exe
PID 5004 wrote to memory of 1120	5004	2b9c865fd057f370f77e5f2e96922088.exe	2b9c865fd057f370f77e5f2e96922088.exe
PID 5004 wrote to memory of 1120	5004	2b9c865fd057f370f77e5f2e96922088.exe	2b9c865fd057f370f77e5f2e96922088.exe
PID 5004 wrote to memory of 1120	5004	2b9c865fd057f370f77e5f2e96922088.exe	2b9c865fd057f370f77e5f2e96922088.exe
PID 5004 wrote to memory of 1120	5004	2b9c865fd057f370f77e5f2e96922088.exe	2b9c865fd057f370f77e5f2e96922088.exe
PID 1120 wrote to memory of 636	1120	2b9c865fd057f370f77e5f2e96922088.exe	schtasks.exe
PID 1120 wrote to memory of 636	1120	2b9c865fd057f370f77e5f2e96922088.exe	schtasks.exe
PID 1120 wrote to memory of 636	1120	2b9c865fd057f370f77e5f2e96922088.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\2b9c865fd057f370f77e5f2e96922088.exe
"C:\Users\Admin\AppData\Local\Temp\2b9c865fd057f370f77e5f2e96922088.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2b9c865fd057f370f77e5f2e96922088.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3872
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\RzeNqlO.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RzeNqlO" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF066.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1468
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\RzeNqlO.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3164
- C:\Users\Admin\AppData\Local\Temp\2b9c865fd057f370f77e5f2e96922088.exe
  "C:\Users\Admin\AppData\Local\Temp\2b9c865fd057f370f77e5f2e96922088.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\Wservices.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:636
- - C:\Users\Admin\AppData\Local\Temp\Wservices.exe
    "C:\Users\Admin\AppData\Local\Temp\Wservices.exe"
    3⤵
    PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2b9c865fd057f370f77e5f2e96922088.exe.log

Filesize
1KB

MD5
84e77a587d94307c0ac1357eb4d3d46f

SHA1
83cc900f9401f43d181207d64c5adba7a85edc1e

SHA256
e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99

SHA512
aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
dc96445f8d2b2ad8ef9930eceb1e3de7

SHA1
469e3ef5ab9c1694b5f277da3c97b406b052eacd

SHA256
5f2371f970a1a8f5fc1a9d4fb230dc5565cbea773e60841e53ebecbee5b17d3d

SHA512
ff564669a4453fdfd940277efa6a9e102c11c8b6e6a13854cc2edd0c0e053fd4f478e294c354657bcda49067b47f2a00b7ac4b7cac5f911f26efba72ede5fa99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
cd31f18b8383aa343747c4c6ff617d94

SHA1
c8c0f46eb5b94bdab854198a6f0ce9196d5bd863

SHA256
0a0f3cceac16f9ba680f82dbd10fef1893d270a916f6e5c7a4656a7841b3d92f

SHA512
1dfc96966ebd4316b0097b8bc00bc16f3e06aea32661708a8b2675124ba5523bba35532bb3c25cad6cfdea73a23a7cd86b6be50aeca03820fdcc72e878ff5842

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wservices.exe

Filesize
128KB

MD5
ef0fe05af3978e60d333afcc44d87581

SHA1
002ca353bdb4f7808a2c3e1d0c903a7150bad286

SHA256
be350b938d186cb4f1170f2fa0e334ed869c8a03cdc8b7ef5a60acdbb9aec800

SHA512
06ee0f6cfd4ecf21e6908703b75ea71569c1ce24e04fd4243aad81bc8a435abc9a10338c686c1365dd637b89e2953c17686b2c7be0b398d77c2c288e8cb3e183

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wservices.exe

Filesize
90KB

MD5
0d1d4cf6b6c2b91fbd705ad86df74551

SHA1
4f026cb5236136020bbe7bccdf1eb2b133199ace

SHA256
fba032a3514b99a96e6a01cccdf7ec80fc1cb77d39642c39263a00b59ccbf5e6

SHA512
9fc1e4dd3fb45e3b37e0ebe1902f38d163da2538027eaf011f4967e358d92f981762f29eafafe7f6a1442f49574c92cecffc0a82e8338a4df602460e8957e80d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wservices.exe

Filesize
253KB

MD5
0fb577559fb228078104da65bdeb44cb

SHA1
43e45eff7c2ffcdd4d6a7ad87fbb3b1c3b7521ea

SHA256
3fd25aa303dbf1f100372431d007b6591e444c799679493e91262eaba7e8f2a8

SHA512
5eebb7555fdadb7475abbfd3e5805687251ac8d4e8a6ea1cc3b05cc90b532c949eca74de22a6b0082a7864e85958192ffcb2c116077bd05c88e02f0d344b1111

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rslwi23y.hbz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF066.tmp

Filesize
1KB

MD5
bc1f07b497ff79f041479971d5f87605

SHA1
c8a73ac63f8905ea6790048553edfd4cb4aabf70

SHA256
9e3d873c664926dbd088276dd78423d6ec1b4325f3d7436b43572c1e39e04d19

SHA512
c35ca0f490a994c380d6f3b8754f5c138738aebf7df34d29d6325c9765a9b00ee5c115605699f2d68f9f9ad790152fa802d5c100124a5510fb69ba20dfc38f00

Download Submit
memory/1120-126-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/1120-64-0x0000000005840000-0x0000000005850000-memory.dmp

Filesize
64KB

Download
memory/1120-26-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/1120-24-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1640-123-0x0000000000FE0000-0x0000000000FF0000-memory.dmp

Filesize
64KB

Download
memory/1640-63-0x0000000006160000-0x00000000061AC000-memory.dmp

Filesize
304KB

Download
memory/1640-20-0x0000000000FE0000-0x0000000000FF0000-memory.dmp

Filesize
64KB

Download
memory/1640-139-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/1640-22-0x0000000000FE0000-0x0000000000FF0000-memory.dmp

Filesize
64KB

Download
memory/1640-94-0x000000007FAF0000-0x000000007FB00000-memory.dmp

Filesize
64KB

Download
memory/1640-80-0x0000000006650000-0x000000000666E000-memory.dmp

Filesize
120KB

Download
memory/1640-16-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/1640-121-0x0000000007630000-0x00000000076C6000-memory.dmp

Filesize
600KB

Download
memory/1640-92-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/1640-67-0x0000000000FE0000-0x0000000000FF0000-memory.dmp

Filesize
64KB

Download
memory/1640-69-0x0000000070BA0000-0x0000000070BEC000-memory.dmp

Filesize
304KB

Download
memory/1640-28-0x00000000051E0000-0x0000000005808000-memory.dmp

Filesize
6.2MB

Download
memory/1640-19-0x00000000027B0000-0x00000000027E6000-memory.dmp

Filesize
216KB

Download
memory/1640-108-0x0000000007430000-0x000000000743A000-memory.dmp

Filesize
40KB

Download
memory/1640-38-0x0000000005A20000-0x0000000005A86000-memory.dmp

Filesize
408KB

Download
memory/3164-32-0x0000000005B20000-0x0000000005B86000-memory.dmp

Filesize
408KB

Download
memory/3164-106-0x0000000007B60000-0x00000000081DA000-memory.dmp

Filesize
6.5MB

Download
memory/3164-62-0x0000000004F90000-0x0000000004FAE000-memory.dmp

Filesize
120KB

Download
memory/3164-31-0x0000000005330000-0x0000000005352000-memory.dmp

Filesize
136KB

Download
memory/3164-125-0x0000000007730000-0x0000000007741000-memory.dmp

Filesize
68KB

Download
memory/3164-29-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/3164-66-0x0000000002980000-0x0000000002990000-memory.dmp

Filesize
64KB

Download
memory/3164-27-0x0000000002980000-0x0000000002990000-memory.dmp

Filesize
64KB

Download
memory/3164-95-0x0000000070BA0000-0x0000000070BEC000-memory.dmp

Filesize
304KB

Download
memory/3164-128-0x0000000007830000-0x0000000007844000-memory.dmp

Filesize
80KB

Download
memory/3164-96-0x000000007EEC0000-0x000000007EED0000-memory.dmp

Filesize
64KB

Download
memory/3164-140-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/3872-91-0x0000000007920000-0x00000000079C3000-memory.dmp

Filesize
652KB

Download
memory/3872-129-0x0000000007D40000-0x0000000007D5A000-memory.dmp

Filesize
104KB

Download
memory/3872-93-0x000000007F150000-0x000000007F160000-memory.dmp

Filesize
64KB

Download
memory/3872-70-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/3872-68-0x00000000076E0000-0x0000000007712000-memory.dmp

Filesize
200KB

Download
memory/3872-65-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/3872-138-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/3872-107-0x0000000007A10000-0x0000000007A2A000-memory.dmp

Filesize
104KB

Download
memory/3872-61-0x00000000061F0000-0x0000000006544000-memory.dmp

Filesize
3.3MB

Download
memory/3872-21-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/3872-18-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/3872-130-0x0000000007D30000-0x0000000007D38000-memory.dmp

Filesize
32KB

Download
memory/3872-81-0x0000000070BA0000-0x0000000070BEC000-memory.dmp

Filesize
304KB

Download
memory/3872-122-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/3872-17-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/3872-127-0x0000000007C40000-0x0000000007C4E000-memory.dmp

Filesize
56KB

Download
memory/4964-124-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/4964-142-0x00000000071D0000-0x00000000071E0000-memory.dmp

Filesize
64KB

Download
memory/4964-141-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/5004-3-0x0000000007280000-0x0000000007312000-memory.dmp

Filesize
584KB

Download
memory/5004-5-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/5004-0-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/5004-6-0x0000000007210000-0x000000000721A000-memory.dmp

Filesize
40KB

Download
memory/5004-7-0x0000000008A90000-0x0000000008AA2000-memory.dmp

Filesize
72KB

Download
memory/5004-11-0x00000000087A0000-0x00000000087AE000-memory.dmp

Filesize
56KB

Download
memory/5004-8-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download
memory/5004-10-0x0000000004800000-0x0000000004882000-memory.dmp

Filesize
520KB

Download
memory/5004-9-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/5004-2-0x0000000007750000-0x0000000007CF4000-memory.dmp

Filesize
5.6MB

Download
memory/5004-1-0x0000000000290000-0x000000000034A000-memory.dmp

Filesize
744KB

Download
memory/5004-4-0x0000000007320000-0x00000000073BC000-memory.dmp

Filesize
624KB

Download
memory/5004-30-0x0000000074D70000-0x0000000075520000-memory.dmp

Filesize
7.7MB

Download