General

  • Target

    90091c8c9c69b12fe47cee45e5090bf9

  • Size

    1.1MB

  • Sample

    240204-yv5hxsbgfr

  • MD5

    90091c8c9c69b12fe47cee45e5090bf9

  • SHA1

    e7faaf6695ac2c30dbda38e576e6f50eaa04127a

  • SHA256

    7d900c842228164a450c070b49db71709f73aab97f548167e79742f505e2edc7

  • SHA512

    d772aeb2fc7aac1c30f0e5b4fd782b523d56c3875e40c612d24fa19e0023cee960f149b633fc98c2c2785e13d806a1fb4d32b7f29a605034acbfec54c2ebdabb

  • SSDEEP

    24576:e4S/d3uKzksuksSmmRBhZfyrBvEiomcy8jh8N6ZNXZ:dKLmCZMBvEirc+N6ZNX

Score
10/10

Malware Config

Extracted

Family

limerat

Wallets

bc1q5746qkzdr628cmq4swa02lpu2mk69t0pdxdgzs

Attributes
  • aes_key

    Wealth1000$

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/LF04hVta

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Wservices.exe

  • main_folder

    Temp

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    true

Extracted

Family

limerat

Attributes
  • antivm

    false

  • c2_url

    https://pastebin.com/raw/LF04hVta

  • download_payload

    false

  • install

    false

  • pin_spread

    false

  • usb_spread

    false

Targets

    • Target

      90091c8c9c69b12fe47cee45e5090bf9

    • Size

      1.1MB

    • MD5

      90091c8c9c69b12fe47cee45e5090bf9

    • SHA1

      e7faaf6695ac2c30dbda38e576e6f50eaa04127a

    • SHA256

      7d900c842228164a450c070b49db71709f73aab97f548167e79742f505e2edc7

    • SHA512

      d772aeb2fc7aac1c30f0e5b4fd782b523d56c3875e40c612d24fa19e0023cee960f149b633fc98c2c2785e13d806a1fb4d32b7f29a605034acbfec54c2ebdabb

    • SSDEEP

      24576:e4S/d3uKzksuksSmmRBhZfyrBvEiomcy8jh8N6ZNXZ:dKLmCZMBvEirc+N6ZNX

    Score
    10/10
    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • CustAttr .NET packer

      Detects CustAttr .NET packer in memory.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks