Malware Analysis Report

2024-09-11 10:04

Sample ID: 240322-3tn7rsdc6w
Target: 2C2A5FFD16B2C07A378245BC4903AAA8.exe
SHA256: 44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2
Tags: limerat, rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2

Threat Level: Known bad

The file 2C2A5FFD16B2C07A378245BC4903AAA8.exe was found to be: Known bad.

Malicious Activity Summary

limerat rat

LimeRAT

Drops startup file

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

AutoIT Executable

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-03-22 23:48

Signatures

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-22 23:48
Reported: 2024-03-22 23:51
Platform: win7-20240215-en
Max time kernel: 121s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2C2A5FFD16B2C07A378245BC4903AAA8.exe"

Signatures

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2C2A5FFD16B2C07A378245BC4903AAA8.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2C2A5FFD16B2C07A378245BC4903AAA8.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2C2A5FFD16B2C07A378245BC4903AAA8.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2C2A5FFD16B2C07A378245BC4903AAA8.exe | N/A

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\2C2A5FFD16B2C07A378245BC4903AAA8.exe | "C:\Users\Admin\AppData\Local\Temp\2C2A5FFD16B2C07A378245BC4903AAA8.exe"

Network

N/A

Files

memory/2908-10-0x0000000000120000-0x0000000000124000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-22 23:48
Reported: 2024-03-22 23:51
Platform: win10v2004-20240226-en
Max time kernel: 157s
Max time network: 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2C2A5FFD16B2C07A378245BC4903AAA8.exe"

Signatures

LimeRAT

rat limerat

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\antiprimer.vbs | C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 5084 set thread context of 2720 | N/A | C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\2C2A5FFD16B2C07A378245BC4903AAA8.exe | "C:\Users\Admin\AppData\Local\Temp\2C2A5FFD16B2C07A378245BC4903AAA8.exe"
C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe | "C:\Users\Admin\AppData\Local\Temp\2C2A5FFD16B2C07A378245BC4903AAA8.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Users\Admin\AppData\Local\Temp\2C2A5FFD16B2C07A378245BC4903AAA8.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 61.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | pastebin.com | udp
US | 172.67.34.170:443 | pastebin.com | tcp
US | 8.8.8.8:53 | 170.34.67.172.in-addr.arpa | udp
NL | 91.92.253.74:14982 | N/A | tcp
US | 8.8.8.8:53 | 74.253.92.91.in-addr.arpa | udp
US | 8.8.8.8:53 | 45.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp

Files

memory/1476-10-0x0000000000E30000-0x0000000000E34000-memory.dmp

C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe

MD5 74a7456baaa11d40b05e220702fbaa6a
SHA1 2fec80abf575549f99e37351c55f6b638b95790e
SHA256 d9a401ad73cec79b9ad9489be39a45b8456b0a9f5952727cfc5053cb18f07527
SHA512 abd18f1410ba3633ce4cb3ccfc70a9ecc87e9efff34192f74002869e554c0ca8998600ef19194e1f7d040c467477e2d7697e0531d5edf1fc6726317df3350f7f

C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe

MD5 5f360d1a9529b04f7190d88efc103d98
SHA1 fc93e669dccfd3d59fb5de38ece88b6e47f7dfe0
SHA256 65c7a75bade6fb310b8b701980758cda47d5d9c2751a82a54de16465ffa5ba60
SHA512 ceebdb336e8b16a92e870020a7c1005c7edfba7a9684fae3c0d341ed3f51754eb2fa873d9a36e5948482aee4a7f530d4d3baf0bf2f70f0565cec697e2a1390f4

C:\Users\Admin\AppData\Local\Temp\Ramada

MD5 32be4d98c5de7245e96ec7e061fad889
SHA1 81c374db19a8a8fa7c7540c819c78419e2d215a2
SHA256 63c3db0eea414a6a465fcf05ab04338eab957e4f96bd6263c5e47d9113a6f521
SHA512 b16ff13986bbe0242aecad4b8523f19a660f1d528632c4ef70ca2d6c48a789cef9b0b97ce4a716569d7ffbc687e1679b6741eb5e721f564af97f4363a0b60708

C:\Users\Admin\AppData\Local\Temp\soliloquised

MD5 d44bf10e16997be0a563a9e5b82a9aa5
SHA1 1599413100d74c8b3784b41cc0ddcbcc8fc8cc79
SHA256 4e8977297ad9be48eb85074f5faf95c77d20c39b42cf835c97080b7d6a1c9835
SHA512 dc6b35cddbb599e0b3710688ce75ee3d22c29d8e075960a66522e1f224a594be4bb37efdfb8bff5fd7e4e1a29f0193ba72cea365b1ae4b2377444bfb53816c1d

memory/2720-28-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2720-30-0x00000000749C0000-0x0000000075170000-memory.dmp

memory/2720-29-0x00000000050A0000-0x000000000513C000-memory.dmp

memory/2720-31-0x0000000004FF0000-0x0000000005056000-memory.dmp

memory/2720-32-0x0000000004F70000-0x0000000004F80000-memory.dmp

memory/2720-33-0x0000000005E30000-0x00000000063D4000-memory.dmp

memory/2720-34-0x00000000066A0000-0x0000000006732000-memory.dmp

memory/2720-35-0x00000000749C0000-0x0000000075170000-memory.dmp

memory/2720-36-0x0000000004F70000-0x0000000004F80000-memory.dmp

memory/2720-37-0x0000000007560000-0x000000000757E000-memory.dmp