Overview

overview

10

Static

static

3

9bb1da8969...92.exe

windows7-x64

10

9bb1da8969...92.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-02-2024 12:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9bb1da8969140aa7051ddda703293192.exe

  • Size

    497KB

  • MD5

    9bb1da8969140aa7051ddda703293192

  • SHA1

    05e55309ff756dcfc7bd67fedaf96c6a82ead5a0

  • SHA256

    34c61248dd915a7a98ecbd9c2768f924560a22187ef8967c028d6497466b86a4

  • SHA512

    62ca279b4442959894075d68b75e8825238399603b3cb180aae2c5734837c6568a09e89f4a810b9c2c68db93c6cd610820cb58efa759b54ef715f569da5731c2

  • SSDEEP

    6144:deNgRqCji5ZOLrw67cdNaVzkFXKaKc5+LGWXKfF6z/d9F48W46Nh9hx1A8RskdUO:dHqCm87iS/d348khf9uuoFi9QcA

Score
10/10
limeratrat

Malware Config

Extracted

Family

limerat

Wallets

bc1q5746qkzdr628cmq4swa02lpu2mk69t0pdxdgzs

Attributes
  • aes_key

    Wealth1000$

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/LF04hVta

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Wservices.exe

  • main_folder

    Temp

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    true

Extracted

Family

limerat

Attributes
  • antivm

    false

  • c2_url

    https://pastebin.com/raw/LF04hVta

  • download_payload

    false

  • install

    false

  • pin_spread

    false

  • usb_spread

    false

Signatures

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

    ratlimerat
  • CustAttr .NET packer 1 IoCs

    Detects CustAttr .NET packer in memory.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9bb1da8969140aa7051ddda703293192.exe
    "C:\Users\Admin\AppData\Local\Temp\9bb1da8969140aa7051ddda703293192.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4512
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hAeDOVFrht" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEE86.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3252
    • C:\Users\Admin\AppData\Local\Temp\9bb1da8969140aa7051ddda703293192.exe
      "C:\Users\Admin\AppData\Local\Temp\9bb1da8969140aa7051ddda703293192.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4256

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9bb1da8969140aa7051ddda703293192.exe.log
    Filesize

    1KB

    MD5

    8ec831f3e3a3f77e4a7b9cd32b48384c

    SHA1

    d83f09fd87c5bd86e045873c231c14836e76a05c

    SHA256

    7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

    SHA512

    26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpEE86.tmp
    Filesize

    1KB

    MD5

    bb51147c8cfa91d31db6aaea55a39002

    SHA1

    1d89b420bd712365b1a46a4ca6ba4b824e1842f2

    SHA256

    1a078055eca9fdd3feaf061a6a315557ca74d04cad2dd486f103d50fd1489ac9

    SHA512

    9b1aed960dbe7546cca9d45d51b4156e3a0704c84b3d75890b208ecc0abe193aabca963ef4365a75982d413eb324389fff4c9784194b327b1eaab31b3b92e763

    Download Submit

  • memory/4256-25-0x00000000050F0000-0x0000000005100000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4256-24-0x0000000074640000-0x0000000074DF0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4256-23-0x00000000050F0000-0x0000000005100000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4256-22-0x0000000004F20000-0x0000000004F86000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4256-21-0x0000000074640000-0x0000000074DF0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4256-17-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4512-10-0x0000000006BD0000-0x0000000006C26000-memory.dmp

    Filesize

    344KB

    Download

  • memory/4512-9-0x0000000004C70000-0x0000000004C80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4512-0-0x0000000000250000-0x00000000002D2000-memory.dmp

    Filesize

    520KB

    Download

  • memory/4512-11-0x0000000006C30000-0x0000000006C3E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4512-8-0x0000000074640000-0x0000000074DF0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4512-7-0x0000000006790000-0x00000000067A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4512-6-0x0000000004F80000-0x000000000501C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4512-20-0x0000000074640000-0x0000000074DF0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4512-5-0x0000000004CF0000-0x0000000004CFA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4512-4-0x0000000004C70000-0x0000000004C80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4512-3-0x0000000004D50000-0x0000000004DE2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4512-2-0x0000000005300000-0x00000000058A4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4512-1-0x0000000074640000-0x0000000074DF0000-memory.dmp

    Filesize

    7.7MB

    Download