Analysis
-
max time kernel
157s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
22-03-2024 23:48
General
-
Target
2C2A5FFD16B2C07A378245BC4903AAA8.exe
-
Size
910KB
-
MD5
2c2a5ffd16b2c07a378245bc4903aaa8
-
SHA1
bdf1a94e0e7acd7c5d7f61e56b88c2e16bafe71f
-
SHA256
44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2
-
SHA512
7f597122462f38f61f2246d16e0c68d2f00c2b610c3393401d2badbf5958f91dea118c23eee39ab08e37069c72bf4ac360c8696eff7b862f3ac2229cb84537ab
-
SSDEEP
24576:fAHnh+eWsN3skA4RV1Hom2KXMmHaoeyFxl5:Ch+ZkldoPK8Yao3
Malware Config
Extracted
limerat
1B5aLZh6psoQttLGn9tpbdibiWqzyh4Jfv
-
aes_key
NYANCAT
-
antivm
false
-
c2_url
https://pastebin.com/raw/LJe9sUk5
-
delay
3
-
download_payload
false
-
install
false
-
install_name
Wservices.exe
-
main_folder
Temp
-
pin_spread
false
-
sub_folder
\
-
usb_spread
true
Extracted
limerat
-
antivm
false
-
c2_url
https://pastebin.com/raw/LJe9sUk5
-
download_payload
false
-
install
false
-
pin_spread
false
-
usb_spread
false
Signatures
-
LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 6 IoCs
-
Suspicious use of SendNotifyMessage 6 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2C2A5FFD16B2C07A378245BC4903AAA8.exe"C:\Users\Admin\AppData\Local\Temp\2C2A5FFD16B2C07A378245BC4903AAA8.exe"1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe"C:\Users\Admin\AppData\Local\Temp\2C2A5FFD16B2C07A378245BC4903AAA8.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\2C2A5FFD16B2C07A378245BC4903AAA8.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.6MB
MD574a7456baaa11d40b05e220702fbaa6a
SHA12fec80abf575549f99e37351c55f6b638b95790e
SHA256d9a401ad73cec79b9ad9489be39a45b8456b0a9f5952727cfc5053cb18f07527
SHA512abd18f1410ba3633ce4cb3ccfc70a9ecc87e9efff34192f74002869e554c0ca8998600ef19194e1f7d040c467477e2d7697e0531d5edf1fc6726317df3350f7f
-
Filesize
6.5MB
MD55f360d1a9529b04f7190d88efc103d98
SHA1fc93e669dccfd3d59fb5de38ece88b6e47f7dfe0
SHA25665c7a75bade6fb310b8b701980758cda47d5d9c2751a82a54de16465ffa5ba60
SHA512ceebdb336e8b16a92e870020a7c1005c7edfba7a9684fae3c0d341ed3f51754eb2fa873d9a36e5948482aee4a7f530d4d3baf0bf2f70f0565cec697e2a1390f4
-
Filesize
58KB
MD532be4d98c5de7245e96ec7e061fad889
SHA181c374db19a8a8fa7c7540c819c78419e2d215a2
SHA25663c3db0eea414a6a465fcf05ab04338eab957e4f96bd6263c5e47d9113a6f521
SHA512b16ff13986bbe0242aecad4b8523f19a660f1d528632c4ef70ca2d6c48a789cef9b0b97ce4a716569d7ffbc687e1679b6741eb5e721f564af97f4363a0b60708
-
Filesize
28KB
MD5d44bf10e16997be0a563a9e5b82a9aa5
SHA11599413100d74c8b3784b41cc0ddcbcc8fc8cc79
SHA2564e8977297ad9be48eb85074f5faf95c77d20c39b42cf835c97080b7d6a1c9835
SHA512dc6b35cddbb599e0b3710688ce75ee3d22c29d8e075960a66522e1f224a594be4bb37efdfb8bff5fd7e4e1a29f0193ba72cea365b1ae4b2377444bfb53816c1d
-
Filesize
16KB
-
Filesize
7.7MB
-
Filesize
48KB
-
Filesize
624KB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
120KB