limerat | a3347937b18828817414419e8d01ff32c7eea9090cf0d98a1074fbd38160398f

General

Target

b8e0c2a24d5cf91635ea9ba58a6a05f5.exe
Size

1.1MB
MD5

b8e0c2a24d5cf91635ea9ba58a6a05f5
SHA1

29682af8815a0392780aa51ae3259ced1894e590
SHA256

a3347937b18828817414419e8d01ff32c7eea9090cf0d98a1074fbd38160398f
SHA512

049acf8c821309fd6bae067e6966ba91d776ed95bf6105f8cfd5e99c275df2e40f5f44eb83a445a34321d8174f7d784e50e9dd5ee8e1fd2ff948d930cc714f1b
SSDEEP

24576:4AHnh+eWsN3skA4RV1Hom2KXMmHa97aWtjzjFtuM253:/h+ZkldoPK8Ya971XjFtA3

Score

10^/10

limerat rat

Malware Config

Extracted

Family

limerat

Wallets

1JBKLGyE6AnRGvk92A8x3m8qmXfh3fcEty

Attributes

aes_key
nulled
antivm
true
c2_url
https://pastebin.com/raw/cXuQ0V20
delay
3
download_payload
false
install
false
install_name
Winservices.exe
main_folder
AppData
pin_spread
false
sub_folder
\
usb_spread
true

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/cXuQ0V20
download_payload
false
install
false
pin_spread
false
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	b8e0c2a24d5cf91635ea9ba58a6a05f5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	sdchange.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	sdchange.exe

Executes dropped EXE 2 IoCs

pid	Process
1208	sdchange.exe
3956	sdchange.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
45	pastebin.com
46	pastebin.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	RegAsm.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000700000002323a-12.dat	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5092 set thread context of 4912	5092	b8e0c2a24d5cf91635ea9ba58a6a05f5.exe	91
PID 1208 set thread context of 4876	1208	sdchange.exe	107
PID 3956 set thread context of 3008	3956	sdchange.exe	115

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4716	schtasks.exe
3152	schtasks.exe
1568	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4912	RegAsm.exe
Token: SeDebugPrivilege	4912	RegAsm.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 4912	5092	b8e0c2a24d5cf91635ea9ba58a6a05f5.exe	91
PID 5092 wrote to memory of 4912	5092	b8e0c2a24d5cf91635ea9ba58a6a05f5.exe	91
PID 5092 wrote to memory of 4912	5092	b8e0c2a24d5cf91635ea9ba58a6a05f5.exe	91
PID 5092 wrote to memory of 4912	5092	b8e0c2a24d5cf91635ea9ba58a6a05f5.exe	91
PID 5092 wrote to memory of 4912	5092	b8e0c2a24d5cf91635ea9ba58a6a05f5.exe	91
PID 5092 wrote to memory of 4716	5092	b8e0c2a24d5cf91635ea9ba58a6a05f5.exe	92
PID 5092 wrote to memory of 4716	5092	b8e0c2a24d5cf91635ea9ba58a6a05f5.exe	92
PID 5092 wrote to memory of 4716	5092	b8e0c2a24d5cf91635ea9ba58a6a05f5.exe	92
PID 1208 wrote to memory of 4876	1208	sdchange.exe	107
PID 1208 wrote to memory of 4876	1208	sdchange.exe	107
PID 1208 wrote to memory of 4876	1208	sdchange.exe	107
PID 1208 wrote to memory of 4876	1208	sdchange.exe	107
PID 1208 wrote to memory of 4876	1208	sdchange.exe	107
PID 1208 wrote to memory of 3152	1208	sdchange.exe	108
PID 1208 wrote to memory of 3152	1208	sdchange.exe	108
PID 1208 wrote to memory of 3152	1208	sdchange.exe	108
PID 3956 wrote to memory of 3008	3956	sdchange.exe	115
PID 3956 wrote to memory of 3008	3956	sdchange.exe	115
PID 3956 wrote to memory of 3008	3956	sdchange.exe	115
PID 3956 wrote to memory of 3008	3956	sdchange.exe	115
PID 3956 wrote to memory of 3008	3956	sdchange.exe	115
PID 3956 wrote to memory of 1568	3956	sdchange.exe	116
PID 3956 wrote to memory of 1568	3956	sdchange.exe	116
PID 3956 wrote to memory of 1568	3956	sdchange.exe	116

C:\Users\Admin\AppData\Local\Temp\b8e0c2a24d5cf91635ea9ba58a6a05f5.exe
"C:\Users\Admin\AppData\Local\Temp\b8e0c2a24d5cf91635ea9ba58a6a05f5.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Maps connected drives based on registry
  - Suspicious use of AdjustPrivilegeToken
  PID:4912
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:4716

C:\Users\Admin\secinit\sdchange.exe
C:\Users\Admin\secinit\sdchange.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:4876
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:3152

C:\Users\Admin\secinit\sdchange.exe
C:\Users\Admin\secinit\sdchange.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3956
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  PID:3008
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log

Filesize
316B

MD5
9f893d94b017a0684012d50319c9ffbe

SHA1
140cc2cb6b2520ba4f9a1f666a5f679853472793

SHA256
8a7cb420c82edf1bb2c7bdfef52091e5169fabaecc370e120985e91406fcbbec

SHA512
4b7df94d3622b82d852b0f532d7fd810ca2113d7b737ec417023d5b2142e9e79414a06d22647d73f8bc114f8e871a3a741a479b0aba48892f9078975ec78acba

Download Submit
C:\Users\Admin\secinit\sdchange.exe

Filesize
1.1MB

MD5
6e7ea1b3b12c25c7f8427a6cd18f70be

SHA1
f42577ca687f8b9b4acdcf6e7db7ec1686d4f3de

SHA256
c9429a69defaa7e7371ee6e7ac559be47c4abb9669c0ab50575cea5bdf25485b

SHA512
151a1f995a7a032cff050c064eebee6f38120738a47dfc99315fd1775f59f1264f502023b138c06c8adb7a1cbe46c6b4dcb4fe1910ccefd5fd658cce60894c79

Download Submit
memory/1208-18-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/3008-31-0x0000000073980000-0x0000000073F31000-memory.dmp

Filesize
5.7MB

Download
memory/3008-30-0x0000000073980000-0x0000000073F31000-memory.dmp

Filesize
5.7MB

Download
memory/3008-29-0x0000000073980000-0x0000000073F31000-memory.dmp

Filesize
5.7MB

Download
memory/4876-22-0x0000000073980000-0x0000000073F31000-memory.dmp

Filesize
5.7MB

Download
memory/4876-14-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4876-19-0x0000000073980000-0x0000000073F31000-memory.dmp

Filesize
5.7MB

Download
memory/4876-20-0x0000000002FF0000-0x0000000003000000-memory.dmp

Filesize
64KB

Download
memory/4912-11-0x0000000073980000-0x0000000073F31000-memory.dmp

Filesize
5.7MB

Download
memory/4912-10-0x0000000073980000-0x0000000073F31000-memory.dmp

Filesize
5.7MB

Download
memory/4912-7-0x00000000008C0000-0x00000000008D0000-memory.dmp

Filesize
64KB

Download
memory/4912-6-0x0000000073980000-0x0000000073F31000-memory.dmp

Filesize
5.7MB

Download
memory/4912-5-0x0000000073980000-0x0000000073F31000-memory.dmp

Filesize
5.7MB

Download
memory/4912-1-0x0000000000740000-0x000000000074C000-memory.dmp

Filesize
48KB

Download
memory/5092-0-0x0000000001870000-0x0000000001871000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads