limerat | 7d900c842228164a450c070b49db71709f73aab97f548167e79742f505e2edc7

General

Target

90091c8c9c69b12fe47cee45e5090bf9.exe
Size

1.1MB
MD5

90091c8c9c69b12fe47cee45e5090bf9
SHA1

e7faaf6695ac2c30dbda38e576e6f50eaa04127a
SHA256

7d900c842228164a450c070b49db71709f73aab97f548167e79742f505e2edc7
SHA512

d772aeb2fc7aac1c30f0e5b4fd782b523d56c3875e40c612d24fa19e0023cee960f149b633fc98c2c2785e13d806a1fb4d32b7f29a605034acbfec54c2ebdabb
SSDEEP

24576:e4S/d3uKzksuksSmmRBhZfyrBvEiomcy8jh8N6ZNXZ:dKLmCZMBvEirc+N6ZNX

Score

10^/10

limerat rat

Malware Config

Extracted

Family

limerat

Wallets

bc1q5746qkzdr628cmq4swa02lpu2mk69t0pdxdgzs

Attributes

aes_key
Wealth1000$
antivm
false
c2_url
https://pastebin.com/raw/LF04hVta
delay
3
download_payload
false
install
false
install_name
Wservices.exe
main_folder
Temp
pin_spread
false
sub_folder
\
usb_spread
true

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/LF04hVta
download_payload
false
install
false
pin_spread
false
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral2/memory/4892-7-0x0000000005B70000-0x0000000005B82000-memory.dmp	CustAttr

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

90091c8c9c69b12fe47cee45e5090bf9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	90091c8c9c69b12fe47cee45e5090bf9.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

44 pastebin.com
45 pastebin.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

90091c8c9c69b12fe47cee45e5090bf9.exe

description pid process target process

PID 4892 set thread context of 208 4892 90091c8c9c69b12fe47cee45e5090bf9.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2096 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 208 RegSvcs.exe
Token: SeDebugPrivilege 208 RegSvcs.exe

flow	ioc
44	pastebin.com
45	pastebin.com

description	pid	process	target process
PID 4892 set thread context of 208	4892	90091c8c9c69b12fe47cee45e5090bf9.exe	RegSvcs.exe

pid	process
2096	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	208	RegSvcs.exe
Token: SeDebugPrivilege	208	RegSvcs.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

90091c8c9c69b12fe47cee45e5090bf9.exe

description	pid	process	target process
PID 4892 wrote to memory of 2096	4892	90091c8c9c69b12fe47cee45e5090bf9.exe	schtasks.exe
PID 4892 wrote to memory of 2096	4892	90091c8c9c69b12fe47cee45e5090bf9.exe	schtasks.exe
PID 4892 wrote to memory of 2096	4892	90091c8c9c69b12fe47cee45e5090bf9.exe	schtasks.exe
PID 4892 wrote to memory of 208	4892	90091c8c9c69b12fe47cee45e5090bf9.exe	RegSvcs.exe
PID 4892 wrote to memory of 208	4892	90091c8c9c69b12fe47cee45e5090bf9.exe	RegSvcs.exe
PID 4892 wrote to memory of 208	4892	90091c8c9c69b12fe47cee45e5090bf9.exe	RegSvcs.exe
PID 4892 wrote to memory of 208	4892	90091c8c9c69b12fe47cee45e5090bf9.exe	RegSvcs.exe
PID 4892 wrote to memory of 208	4892	90091c8c9c69b12fe47cee45e5090bf9.exe	RegSvcs.exe
PID 4892 wrote to memory of 208	4892	90091c8c9c69b12fe47cee45e5090bf9.exe	RegSvcs.exe
PID 4892 wrote to memory of 208	4892	90091c8c9c69b12fe47cee45e5090bf9.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\90091c8c9c69b12fe47cee45e5090bf9.exe
"C:\Users\Admin\AppData\Local\Temp\90091c8c9c69b12fe47cee45e5090bf9.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pqfTsGmCOXK" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEF61.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpEF61.tmp

Filesize
1KB

MD5
4cfd8799486830a7e6a13bf2887cf500

SHA1
b29a99739fe65500b2b75871b3aae46c069f877f

SHA256
898f8a65b5fafc620b67401e13ca3417831818c77c81a6ab48df993b5884bf10

SHA512
5c98ce3f120dcb704e2da3172386a8b9896810e1306400e1694d6642272a497b00b02c97ef663a14dc88bdbee74de06db70de8cb938e8d8106422476bd95628d

Download Submit
memory/208-24-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/208-23-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/208-21-0x0000000005070000-0x00000000050D6000-memory.dmp

Filesize
408KB

Download
memory/208-22-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/208-20-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/208-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4892-10-0x0000000006B30000-0x0000000006BAE000-memory.dmp

Filesize
504KB

Download
memory/4892-8-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/4892-9-0x0000000005A10000-0x0000000005A20000-memory.dmp

Filesize
64KB

Download
memory/4892-1-0x0000000000F70000-0x0000000001096000-memory.dmp

Filesize
1.1MB

Download
memory/4892-11-0x00000000060E0000-0x00000000060EC000-memory.dmp

Filesize
48KB

Download
memory/4892-7-0x0000000005B70000-0x0000000005B82000-memory.dmp

Filesize
72KB

Download
memory/4892-6-0x0000000005D30000-0x0000000005DCC000-memory.dmp

Filesize
624KB

Download
memory/4892-5-0x0000000005B50000-0x0000000005B5A000-memory.dmp

Filesize
40KB

Download
memory/4892-19-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/4892-4-0x0000000005A10000-0x0000000005A20000-memory.dmp

Filesize
64KB

Download
memory/4892-3-0x0000000005A70000-0x0000000005B02000-memory.dmp

Filesize
584KB

Download
memory/4892-2-0x00000000060F0000-0x0000000006694000-memory.dmp

Filesize
5.6MB

Download
memory/4892-0-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads