limerat | 542c835beecdb583d91729b609d49a1e9e6072dce2148701faaa356723d241be

Analysis

max time kernel
25s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06-01-2024 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4674e41064471788442b3b712c152414.exe
Size

698KB
MD5

4674e41064471788442b3b712c152414
SHA1

dbcf1543238fb33bd4ef817cda8148a8e2118375
SHA256

542c835beecdb583d91729b609d49a1e9e6072dce2148701faaa356723d241be
SHA512

84132c2ff04e50f04993d0ceb6ed2618b80d22cf5fc5e5bf4d6dcbe6fd3d5ead30dba2951c0df9dab392b1c96c1463114fe9bb98fd13e1bc4009ac6f5ab1ed5d
SSDEEP

12288:zkIUeiG2E73BzHjyOyHpBvygTUxieU66yI8ku/z0xast:lypBvygA8eU66yfgEst

Score

10^/10

limerat neshta njrat warzonerat officeh agilenet infostealer persistence rat spyware trojan

Malware Config

Extracted

Family

limerat

Wallets

1NCY4zKfbzBA6apXnRcp4SEPaZc1xeYtzi

Attributes

aes_key
NYANCAT
antivm
false
c2_url
https://pastebin.com/raw/LJe9sUk5
delay
6
download_payload
false
install
false
install_name
Wservices.exe
main_folder
Temp
pin_spread
false
sub_folder
\
usb_spread
true

Extracted

Family

warzonerat

businessdministration.webredirect.org:5292

Extracted

Family

njrat

Version

0.7.3

Botnet

OfficeH

virtuallogoprepaidmax.duckdns.org:6527

Mutex

Client.exe

Attributes

reg_key
Client.exe
splitter
1904

Signatures

Detect Neshta payload 7 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023232-36.dat	family_neshta
behavioral2/memory/392-188-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2040-236-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/400-237-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2040-238-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2040-243-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/400-242-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Warzone RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/files/0x0006000000023236-57.dat	warzonerat
behavioral2/files/0x0007000000023232-36.dat	warzonerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	4674e41064471788442b3b712c152414.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updates.lnk	4674e41064471788442b3b712c152414.exe

Executes dropped EXE 1 IoCs

pid	Process
3884	Updates.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/memory/1256-7-0x0000000006D30000-0x0000000006D58000-memory.dmp	agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1256	4674e41064471788442b3b712c152414.exe
1256	4674e41064471788442b3b712c152414.exe
1256	4674e41064471788442b3b712c152414.exe
1256	4674e41064471788442b3b712c152414.exe
1256	4674e41064471788442b3b712c152414.exe
1256	4674e41064471788442b3b712c152414.exe
1256	4674e41064471788442b3b712c152414.exe
1256	4674e41064471788442b3b712c152414.exe
1256	4674e41064471788442b3b712c152414.exe
1256	4674e41064471788442b3b712c152414.exe
1256	4674e41064471788442b3b712c152414.exe
1256	4674e41064471788442b3b712c152414.exe
1256	4674e41064471788442b3b712c152414.exe
1256	4674e41064471788442b3b712c152414.exe
1256	4674e41064471788442b3b712c152414.exe
1256	4674e41064471788442b3b712c152414.exe
1256	4674e41064471788442b3b712c152414.exe
1256	4674e41064471788442b3b712c152414.exe
1256	4674e41064471788442b3b712c152414.exe
1256	4674e41064471788442b3b712c152414.exe
1256	4674e41064471788442b3b712c152414.exe
1256	4674e41064471788442b3b712c152414.exe
1256	4674e41064471788442b3b712c152414.exe
1256	4674e41064471788442b3b712c152414.exe
1256	4674e41064471788442b3b712c152414.exe
1256	4674e41064471788442b3b712c152414.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1256	4674e41064471788442b3b712c152414.exe
Token: SeDebugPrivilege	3884	Updates.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 3884	1256	4674e41064471788442b3b712c152414.exe	99
PID 1256 wrote to memory of 3884	1256	4674e41064471788442b3b712c152414.exe	99
PID 1256 wrote to memory of 3884	1256	4674e41064471788442b3b712c152414.exe	99

C:\Users\Admin\AppData\Local\Temp\4674e41064471788442b3b712c152414.exe
"C:\Users\Admin\AppData\Local\Temp\4674e41064471788442b3b712c152414.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Users\Admin\AppData\Local\Updates\Updates.exe
  "C:\Users\Admin\AppData\Local\Updates\Updates.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3884
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\windows\Skype LimeHackRat.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\windows\Skype LimeHackRat.exe"
    3⤵
    PID:2920
- - C:\Users\Admin\AppData\Local\Updates\Updates.exe
    "C:\Users\Admin\AppData\Local\Updates\Updates.exe"
    3⤵
    PID:3016
- - C:\Windows\services\file.exe
    "C:\Windows\services\file.exe"
    3⤵
    PID:2040
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Updates.exe"
    3⤵
    PID:400
  - - C:\Users\Admin\AppData\Local\Temp\Updates.exe
      C:\Users\Admin\AppData\Local\Temp\Updates.exe
      4⤵
      PID:4072

C:\Users\Admin\AppData\Local\Temp\3582-490\file.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\file.exe"
1⤵
PID:3788
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2712

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Updates.exe"
1⤵
PID:392
- C:\Users\Admin\AppData\Local\Temp\Updates.exe
  C:\Users\Admin\AppData\Local\Temp\Updates.exe
  2⤵
  PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3582-490\file.exe

Filesize
140KB

MD5
0b7997243e297cc1b4a062855004d120

SHA1
5b8f2cf40ceea8e360c20044ee99b5e772fef55b

SHA256
4a89962e0e05bf38bac67e3dd8a975b6286baf928fa5eb40cf287a6619dff37f

SHA512
c06dd69c6d621c2e2a9c70c55c86f018577625d8c9ff2776e6ad8a9b003df1ce21cfb8c47b2abd0e3a3843b4495d90b3a18cc4a014fe598c8fd6aa2ad8c1351f

Download Submit
C:\Users\Admin\AppData\Local\Updates\Updates.exe

Filesize
698KB

MD5
4674e41064471788442b3b712c152414

SHA1
dbcf1543238fb33bd4ef817cda8148a8e2118375

SHA256
542c835beecdb583d91729b609d49a1e9e6072dce2148701faaa356723d241be

SHA512
84132c2ff04e50f04993d0ceb6ed2618b80d22cf5fc5e5bf4d6dcbe6fd3d5ead30dba2951c0df9dab392b1c96c1463114fe9bb98fd13e1bc4009ac6f5ab1ed5d

Download Submit
C:\Users\Admin\AppData\Local\Updates\Updates.exe

Filesize
381KB

MD5
dc950dcdf6ff43ffaf85fab2945f9837

SHA1
ee8d8bedfb63759269413bf4e4a54a499860f685

SHA256
853ecd633c1f53f24d19c30f56c537552010ec99c1b3f7bbf5e89ce3d21a75b0

SHA512
874e88aeecd317615ed124523a63e491f892c7ab4d5b0bb9b98cee8e9bdc18bbb6e0ee2e87fb0244841ae8ddeb8e2d456fa1193f1a461fd0467793c520702bfc

Download Submit
C:\Windows\services\file.exe

Filesize
180KB

MD5
8f76cd22d7334c6b8101cd2766230ed5

SHA1
32a617ab8f1a508710581726fcce748cf5ed8923

SHA256
aa229f3b7f5b944598cb903664ba1aa8764d8670b2dffcc5bbdfd18e20a7d8b1

SHA512
fa7ec8866542fd769fbb378e9b7e243db89627ea3bdb95a69aeaa545248aad7c7603511eba1b186e5273d763adfbbe2cddf93a30446120c29d2bc06f2b947639

Download Submit
memory/392-188-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/400-242-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/400-237-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1256-14-0x00000000054A0000-0x00000000054B0000-memory.dmp

Filesize
64KB

Download
memory/1256-9-0x0000000006DB0000-0x0000000006DD2000-memory.dmp

Filesize
136KB

Download
memory/1256-7-0x0000000006D30000-0x0000000006D58000-memory.dmp

Filesize
160KB

Download
memory/1256-13-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/1256-1-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/1256-8-0x0000000006DE0000-0x0000000006E46000-memory.dmp

Filesize
408KB

Download
memory/1256-26-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/1256-0-0x0000000000720000-0x00000000007D4000-memory.dmp

Filesize
720KB

Download
memory/1256-4-0x0000000005310000-0x00000000053AC000-memory.dmp

Filesize
624KB

Download
memory/1256-2-0x00000000056E0000-0x0000000005C84000-memory.dmp

Filesize
5.6MB

Download
memory/1256-5-0x0000000005C90000-0x0000000005FE4000-memory.dmp

Filesize
3.3MB

Download
memory/1256-10-0x00000000054A0000-0x00000000054B0000-memory.dmp

Filesize
64KB

Download
memory/1256-3-0x00000000051D0000-0x0000000005262000-memory.dmp

Filesize
584KB

Download
memory/1256-6-0x00000000054A0000-0x00000000054B0000-memory.dmp

Filesize
64KB

Download
memory/1612-185-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/1612-245-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/2040-238-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2040-236-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2040-243-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2712-129-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/2920-246-0x0000000006E50000-0x0000000006E6E000-memory.dmp

Filesize
120KB

Download
memory/2920-239-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/2920-50-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/2920-49-0x0000000000280000-0x000000000028C000-memory.dmp

Filesize
48KB

Download
memory/2920-233-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/2920-247-0x0000000004C70000-0x0000000004C80000-memory.dmp

Filesize
64KB

Download
memory/3016-152-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/3016-147-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3016-244-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/3016-235-0x0000000005150000-0x000000000515A000-memory.dmp

Filesize
40KB

Download
memory/3884-45-0x0000000007E30000-0x0000000007E44000-memory.dmp

Filesize
80KB

Download
memory/3884-234-0x0000000006610000-0x0000000006620000-memory.dmp

Filesize
64KB

Download
memory/3884-169-0x0000000006610000-0x0000000006620000-memory.dmp

Filesize
64KB

Download
memory/3884-151-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/3884-48-0x000000000A460000-0x000000000A466000-memory.dmp

Filesize
24KB

Download
memory/3884-29-0x0000000006610000-0x0000000006620000-memory.dmp

Filesize
64KB

Download
memory/3884-28-0x0000000006610000-0x0000000006620000-memory.dmp

Filesize
64KB

Download
memory/3884-27-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/4072-170-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/4072-184-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/4072-168-0x0000000000B60000-0x0000000000B7A000-memory.dmp

Filesize
104KB

Download