limerat | 44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2

General

Target

2C2A5FFD16B2C07A378245BC4903AAA8.exe
Size

910KB
MD5

2c2a5ffd16b2c07a378245bc4903aaa8
SHA1

bdf1a94e0e7acd7c5d7f61e56b88c2e16bafe71f
SHA256

44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2
SHA512

7f597122462f38f61f2246d16e0c68d2f00c2b610c3393401d2badbf5958f91dea118c23eee39ab08e37069c72bf4ac360c8696eff7b862f3ac2229cb84537ab
SSDEEP

24576:fAHnh+eWsN3skA4RV1Hom2KXMmHaoeyFxl5:Ch+ZkldoPK8Yao3

Score

10^/10

limerat rat

Malware Config

Extracted

Family

limerat

Wallets

1B5aLZh6psoQttLGn9tpbdibiWqzyh4Jfv

Attributes

aes_key
NYANCAT
antivm
false
c2_url
https://pastebin.com/raw/LJe9sUk5
delay
3
download_payload
false
install
false
install_name
Wservices.exe
main_folder
Temp
pin_spread
false
sub_folder
\
usb_spread
true

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/LJe9sUk5
download_payload
false
install
false
pin_spread
false
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Drops startup file 1 IoCs

Processes:

antiprimer.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\antiprimer.vbs antiprimer.exe
Executes dropped EXE 1 IoCs

Processes:

antiprimer.exe

pid process

5084 antiprimer.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

64 pastebin.com
65 pastebin.com

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\antiprimer.vbs	antiprimer.exe

pid	process
5084	antiprimer.exe

flow	ioc
64	pastebin.com
65	pastebin.com

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe	autoit_exe
C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

antiprimer.exe

description pid process target process

PID 5084 set thread context of 2720 5084 antiprimer.exe RegSvcs.exe

description	pid	process	target process
PID 5084 set thread context of 2720	5084	antiprimer.exe	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

RegSvcs.exe

pid	process
2720	RegSvcs.exe
2720	RegSvcs.exe
2720	RegSvcs.exe
2720	RegSvcs.exe
2720	RegSvcs.exe
2720	RegSvcs.exe
2720	RegSvcs.exe
2720	RegSvcs.exe
2720	RegSvcs.exe
2720	RegSvcs.exe
2720	RegSvcs.exe
2720	RegSvcs.exe
2720	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

antiprimer.exe

pid process

5084 antiprimer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 2720 RegSvcs.exe
Token: SeDebugPrivilege 2720 RegSvcs.exe

pid	process
5084	antiprimer.exe

description	pid	process
Token: SeDebugPrivilege	2720	RegSvcs.exe
Token: SeDebugPrivilege	2720	RegSvcs.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

2C2A5FFD16B2C07A378245BC4903AAA8.exeantiprimer.exe

pid	process
1476	2C2A5FFD16B2C07A378245BC4903AAA8.exe
1476	2C2A5FFD16B2C07A378245BC4903AAA8.exe
5084	antiprimer.exe
5084	antiprimer.exe
5084	antiprimer.exe
5084	antiprimer.exe

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

2C2A5FFD16B2C07A378245BC4903AAA8.exeantiprimer.exe

pid	process
1476	2C2A5FFD16B2C07A378245BC4903AAA8.exe
1476	2C2A5FFD16B2C07A378245BC4903AAA8.exe
5084	antiprimer.exe
5084	antiprimer.exe
5084	antiprimer.exe
5084	antiprimer.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

2C2A5FFD16B2C07A378245BC4903AAA8.exeantiprimer.exe

description	pid	process	target process
PID 1476 wrote to memory of 5084	1476	2C2A5FFD16B2C07A378245BC4903AAA8.exe	antiprimer.exe
PID 1476 wrote to memory of 5084	1476	2C2A5FFD16B2C07A378245BC4903AAA8.exe	antiprimer.exe
PID 1476 wrote to memory of 5084	1476	2C2A5FFD16B2C07A378245BC4903AAA8.exe	antiprimer.exe
PID 5084 wrote to memory of 2720	5084	antiprimer.exe	RegSvcs.exe
PID 5084 wrote to memory of 2720	5084	antiprimer.exe	RegSvcs.exe
PID 5084 wrote to memory of 2720	5084	antiprimer.exe	RegSvcs.exe
PID 5084 wrote to memory of 2720	5084	antiprimer.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\2C2A5FFD16B2C07A378245BC4903AAA8.exe
"C:\Users\Admin\AppData\Local\Temp\2C2A5FFD16B2C07A378245BC4903AAA8.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1476

C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe
"C:\Users\Admin\AppData\Local\Temp\2C2A5FFD16B2C07A378245BC4903AAA8.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\2C2A5FFD16B2C07A378245BC4903AAA8.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2720

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe
Filesize
6.6MB

MD5
74a7456baaa11d40b05e220702fbaa6a

SHA1
2fec80abf575549f99e37351c55f6b638b95790e

SHA256
d9a401ad73cec79b9ad9489be39a45b8456b0a9f5952727cfc5053cb18f07527

SHA512
abd18f1410ba3633ce4cb3ccfc70a9ecc87e9efff34192f74002869e554c0ca8998600ef19194e1f7d040c467477e2d7697e0531d5edf1fc6726317df3350f7f

Download Submit
C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe
Filesize
6.5MB

MD5
5f360d1a9529b04f7190d88efc103d98

SHA1
fc93e669dccfd3d59fb5de38ece88b6e47f7dfe0

SHA256
65c7a75bade6fb310b8b701980758cda47d5d9c2751a82a54de16465ffa5ba60

SHA512
ceebdb336e8b16a92e870020a7c1005c7edfba7a9684fae3c0d341ed3f51754eb2fa873d9a36e5948482aee4a7f530d4d3baf0bf2f70f0565cec697e2a1390f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ramada
Filesize
58KB

MD5
32be4d98c5de7245e96ec7e061fad889

SHA1
81c374db19a8a8fa7c7540c819c78419e2d215a2

SHA256
63c3db0eea414a6a465fcf05ab04338eab957e4f96bd6263c5e47d9113a6f521

SHA512
b16ff13986bbe0242aecad4b8523f19a660f1d528632c4ef70ca2d6c48a789cef9b0b97ce4a716569d7ffbc687e1679b6741eb5e721f564af97f4363a0b60708

Download Submit
C:\Users\Admin\AppData\Local\Temp\soliloquised
Filesize
28KB

MD5
d44bf10e16997be0a563a9e5b82a9aa5

SHA1
1599413100d74c8b3784b41cc0ddcbcc8fc8cc79

SHA256
4e8977297ad9be48eb85074f5faf95c77d20c39b42cf835c97080b7d6a1c9835

SHA512
dc6b35cddbb599e0b3710688ce75ee3d22c29d8e075960a66522e1f224a594be4bb37efdfb8bff5fd7e4e1a29f0193ba72cea365b1ae4b2377444bfb53816c1d

Download Submit
memory/1476-10-0x0000000000E30000-0x0000000000E34000-memory.dmp

Filesize
16KB

Download
memory/2720-30-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/2720-28-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2720-29-0x00000000050A0000-0x000000000513C000-memory.dmp

Filesize
624KB

Download
memory/2720-31-0x0000000004FF0000-0x0000000005056000-memory.dmp

Filesize
408KB

Download
memory/2720-32-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/2720-33-0x0000000005E30000-0x00000000063D4000-memory.dmp

Filesize
5.6MB

Download
memory/2720-34-0x00000000066A0000-0x0000000006732000-memory.dmp

Filesize
584KB

Download
memory/2720-35-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/2720-36-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/2720-37-0x0000000007560000-0x000000000757E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads