Overview

overview

10

Static

static

10

43579219a2...2a.exe

windows7-x64

10

43579219a2...2a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    163s
  • max time network
    179s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-01-2024 09:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    43579219a247f11929666057f045882a.exe

  • Size

    298KB

  • MD5

    43579219a247f11929666057f045882a

  • SHA1

    47726a9fbc0f8d2e3f7731cbe1b58d8deff380d0

  • SHA256

    28f934d0bbd26fbd1755bd03bce10d69f031b79eafffc76b20ec614940c33902

  • SHA512

    ef8531696264efb91a45a4423fe68382fb82dfae81c20393d8bbce9ca6a9df0e6823c21721db04d273eb77a5937e2c65010dacb5beee87c98c416b2cdc359546

  • SSDEEP

    384:7B+Sbj6NKABm6tdAHa1cXqDqKNq73MvDKNrCeJE3WNgqW2VYqo2ASQro3lcEOsjD:lpAs6tdwamiqri45Nn/F/jEAdKPhX

Score
10/10
limeratrat

Malware Config

Extracted

Family

limerat

Attributes
  • aes_key

    Salted__¤Cxp•º×^¼i»%bfŽð9ÈœÉo

  • antivm

    true

  • c2_url

    https://pastebin.com/raw/jJYQvYwp

  • delay

    3

  • download_payload

    false

  • install

    true

  • install_name

    Synapse X.exe

  • main_folder

    AppData

  • pin_spread

    true

  • sub_folder

    \WindowsSys\

  • usb_spread

    true

Signatures

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

    ratlimerat
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\43579219a247f11929666057f045882a.exe
    "C:\Users\Admin\AppData\Local\Temp\43579219a247f11929666057f045882a.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\WindowsSys\Synapse X.exe'"
      2⤵
      • Creates scheduled task(s)
      PID:4528

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1808-0-0x0000000074F70000-0x0000000075720000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1808-1-0x0000000000A90000-0x0000000000AE0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1808-2-0x00000000054C0000-0x000000000555C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1808-3-0x0000000074F70000-0x0000000075720000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1808-4-0x00000000057F0000-0x0000000005856000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1808-5-0x00000000056E0000-0x00000000056F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1808-6-0x00000000056E0000-0x00000000056F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1808-7-0x0000000006110000-0x00000000066B4000-memory.dmp

    Filesize

    5.6MB

    Download