Overview

overview

10

Static

static

10

43579219a2...2a.exe

windows7-x64

10

43579219a2...2a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    05-01-2024 09:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    43579219a247f11929666057f045882a.exe

  • Size

    298KB

  • MD5

    43579219a247f11929666057f045882a

  • SHA1

    47726a9fbc0f8d2e3f7731cbe1b58d8deff380d0

  • SHA256

    28f934d0bbd26fbd1755bd03bce10d69f031b79eafffc76b20ec614940c33902

  • SHA512

    ef8531696264efb91a45a4423fe68382fb82dfae81c20393d8bbce9ca6a9df0e6823c21721db04d273eb77a5937e2c65010dacb5beee87c98c416b2cdc359546

  • SSDEEP

    384:7B+Sbj6NKABm6tdAHa1cXqDqKNq73MvDKNrCeJE3WNgqW2VYqo2ASQro3lcEOsjD:lpAs6tdwamiqri45Nn/F/jEAdKPhX

Score
10/10
limeratrat

Malware Config

Extracted

Family

limerat

Attributes
  • aes_key

    Salted__¤Cxp•º×^¼i»%bfŽð9ÈœÉo

  • antivm

    true

  • c2_url

    https://pastebin.com/raw/jJYQvYwp

  • delay

    3

  • download_payload

    false

  • install

    true

  • install_name

    Synapse X.exe

  • main_folder

    AppData

  • pin_spread

    true

  • sub_folder

    \WindowsSys\

  • usb_spread

    true

Signatures

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

    ratlimerat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\43579219a247f11929666057f045882a.exe
    "C:\Users\Admin\AppData\Local\Temp\43579219a247f11929666057f045882a.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2980
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\WindowsSys\Synapse X.exe'"
      2⤵
      • Creates scheduled task(s)
      PID:2604
    • C:\Users\Admin\AppData\Roaming\WindowsSys\Synapse X.exe
      "C:\Users\Admin\AppData\Roaming\WindowsSys\Synapse X.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2608

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\WindowsSys\Synapse X.exe
    Filesize

    9KB

    MD5

    1149e4c9481076fd37b9ff2c05fdbcbe

    SHA1

    52c0f776d5fc655b31ae4d8d3815693fb091b777

    SHA256

    c6f6045d8198c5bbfdb747a48f4bd2c082ae72e9db7881a9999eb515e59bcff8

    SHA512

    92adb7d7fd7276484fde87ebe113d2d75a09b21e576d985e6a549d808aa8e47430384119b848a55397797495c15a8087ca6ce1420be0526ad671b4c36468ab04

    Download Submit

  • C:\Users\Admin\AppData\Roaming\WindowsSys\Synapse X.exe
    Filesize

    18KB

    MD5

    48ba32b08101d38349203d26696dcf3a

    SHA1

    b0e963c5c0253a84f0bd772f76187cab19d473eb

    SHA256

    9fe92ca0ce2296e984cf78515b829dc82cfe37342d922c786668f367d7706e0d

    SHA512

    51e9490c3c1138b03d435b781bcf4e08ddcd1c777b9621c89ab7142a9608a646bfd450b3a2a4d2be04c4b4b63bc7fd3e4ecf339d656361f85dae68af424d3fbd

    Download Submit

  • C:\Users\Admin\AppData\Roaming\WindowsSys\Synapse X.exe
    Filesize

    161KB

    MD5

    06eb6e2d40291b372c54d34b88402839

    SHA1

    36760d327a17de2067a3fc76ca7e1e8d6273c9da

    SHA256

    5894011a215a54a9721715d3b7f8e43e5c817a4704a4122e9578b87ffe97152a

    SHA512

    6f643825b47164b4e7bb50858bfb2d6401e60d1f9253cd9dc35dbf4d8af7f33ea26cf7f9a2114c29ad3752e1a4b0971c7cdbe813f12574c0773edca03134b162

    Download Submit

  • \Users\Admin\AppData\Roaming\WindowsSys\Synapse X.exe
    Filesize

    70KB

    MD5

    c6ecc18507dbd5fa2964011aa7556662

    SHA1

    0ccc5bde5f71e501daca39651b0453a4d75f02ae

    SHA256

    2a90fbcf55bc80b04b0a55943f1863ccbd61381766583b5a0a575b6372e695e8

    SHA512

    515bd156c0514f4481483030688fa16c01a1662996aa45ab9e26b4038c5782daf7975f650bcb1dfdb651d84b971ba0bc35441be9f2cbafa7f422dbcf61b0a72f

    Download Submit

  • \Users\Admin\AppData\Roaming\WindowsSys\Synapse X.exe
    Filesize

    87KB

    MD5

    d22fddb26cfcae8a1298fb919028f978

    SHA1

    ff6199001311c567860202505dbbe41f78bd8196

    SHA256

    956cf873e0a3b6ada9f5a8acef811de9b5d10bfc60c7d400c25b2a5c145a8811

    SHA512

    482fa71f2470edf41e32242e93b0edcc9a7fd1d8e44c7abdd9234469050000744a868b78b57e621cf36d74f9ab844b9c111aba59b1ae991140441f4ff1ef597e

    Download Submit

  • memory/2608-15-0x0000000074E70000-0x000000007555E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2608-13-0x0000000000C70000-0x0000000000CC0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2608-16-0x00000000042F0000-0x0000000004330000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2608-53-0x0000000074E70000-0x000000007555E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2608-54-0x00000000042F0000-0x0000000004330000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2980-14-0x0000000074E70000-0x000000007555E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2980-3-0x0000000004720000-0x0000000004760000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2980-0-0x0000000001220000-0x0000000001270000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2980-1-0x0000000074E70000-0x000000007555E000-memory.dmp

    Filesize

    6.9MB

    Download