limerat | 44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2

General

Target

44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe
Size

910KB
MD5

2c2a5ffd16b2c07a378245bc4903aaa8
SHA1

bdf1a94e0e7acd7c5d7f61e56b88c2e16bafe71f
SHA256

44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2
SHA512

7f597122462f38f61f2246d16e0c68d2f00c2b610c3393401d2badbf5958f91dea118c23eee39ab08e37069c72bf4ac360c8696eff7b862f3ac2229cb84537ab
SSDEEP

24576:fAHnh+eWsN3skA4RV1Hom2KXMmHaoeyFxl5:Ch+ZkldoPK8Yao3

Score

10^/10

limerat rat

Malware Config

Extracted

Family

limerat

Wallets

1B5aLZh6psoQttLGn9tpbdibiWqzyh4Jfv

Attributes

aes_key
NYANCAT
antivm
false
c2_url
https://pastebin.com/raw/LJe9sUk5
delay
3
download_payload
false
install
false
install_name
Wservices.exe
main_folder
Temp
pin_spread
false
sub_folder
\
usb_spread
true

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/LJe9sUk5
download_payload
false
install
false
pin_spread
false
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\antiprimer.vbs	antiprimer.exe

Executes dropped EXE 1 IoCs

pid	Process
1204	antiprimer.exe

Loads dropped DLL 1 IoCs

pid	Process
2076	44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x002f0000000185eb-12.dat	autoit_exe
behavioral1/files/0x002f0000000185eb-15.dat	autoit_exe
behavioral1/files/0x002f0000000185eb-16.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1204 set thread context of 2060	1204	antiprimer.exe	29

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2060	RegSvcs.exe
2060	RegSvcs.exe
2060	RegSvcs.exe
2060	RegSvcs.exe
2060	RegSvcs.exe
2060	RegSvcs.exe
2060	RegSvcs.exe
2060	RegSvcs.exe
2060	RegSvcs.exe
2060	RegSvcs.exe
2060	RegSvcs.exe
2060	RegSvcs.exe
2060	RegSvcs.exe
2060	RegSvcs.exe
2060	RegSvcs.exe
2060	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1204	antiprimer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2060	RegSvcs.exe
Token: SeDebugPrivilege	2060	RegSvcs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2076	44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe
2076	44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe
1204	antiprimer.exe
1204	antiprimer.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2076	44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe
2076	44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe
1204	antiprimer.exe
1204	antiprimer.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 1204	2076	44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe	28
PID 2076 wrote to memory of 1204	2076	44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe	28
PID 2076 wrote to memory of 1204	2076	44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe	28
PID 2076 wrote to memory of 1204	2076	44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe	28
PID 1204 wrote to memory of 2060	1204	antiprimer.exe	29
PID 1204 wrote to memory of 2060	1204	antiprimer.exe	29
PID 1204 wrote to memory of 2060	1204	antiprimer.exe	29
PID 1204 wrote to memory of 2060	1204	antiprimer.exe	29
PID 1204 wrote to memory of 2060	1204	antiprimer.exe	29
PID 1204 wrote to memory of 2060	1204	antiprimer.exe	29
PID 1204 wrote to memory of 2060	1204	antiprimer.exe	29
PID 1204 wrote to memory of 2060	1204	antiprimer.exe	29

C:\Users\Admin\AppData\Local\Temp\44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe
"C:\Users\Admin\AppData\Local\Temp\44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe
  "C:\Users\Admin\AppData\Local\Temp\44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe

Filesize
2.2MB

MD5
af3cb4713403c020cac5201b745e42a3

SHA1
9fb0553834190aa6c3c39b891fe721e0e30f50f2

SHA256
1b106a6368e4b1e2f8afa45c00c9cd68473cd7d51184be70766347b7ea3eccde

SHA512
7da8e1d816b4780c7701bd48c29e92040384d92057e3aabd7ecccf0bfcd219b3bee59a4952fadec2a07cfae521a907fb69108f94bdbf98cd7f3240373136aa5a

Download Submit
C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe

Filesize
1.4MB

MD5
24f0f09cbf58ccb50afe5e84f8478529

SHA1
17a08536c544d512a25a789271278b5a5c43d8b7

SHA256
e33a81ebbee05bd12f24651a453e13130f1fbd9065423624624d1ace2b64d955

SHA512
a3a2412b896bde601495c47070ea3f7ec8b0cb26d281dbbea9fa8f5ed6bd0c931066d5cf1fb79936e7bcfd6ffeae2e50494616dfc15f6bd299bbd08ccdb41ed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ramada

Filesize
58KB

MD5
32be4d98c5de7245e96ec7e061fad889

SHA1
81c374db19a8a8fa7c7540c819c78419e2d215a2

SHA256
63c3db0eea414a6a465fcf05ab04338eab957e4f96bd6263c5e47d9113a6f521

SHA512
b16ff13986bbe0242aecad4b8523f19a660f1d528632c4ef70ca2d6c48a789cef9b0b97ce4a716569d7ffbc687e1679b6741eb5e721f564af97f4363a0b60708

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE806.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\soliloquised

Filesize
28KB

MD5
d44bf10e16997be0a563a9e5b82a9aa5

SHA1
1599413100d74c8b3784b41cc0ddcbcc8fc8cc79

SHA256
4e8977297ad9be48eb85074f5faf95c77d20c39b42cf835c97080b7d6a1c9835

SHA512
dc6b35cddbb599e0b3710688ce75ee3d22c29d8e075960a66522e1f224a594be4bb37efdfb8bff5fd7e4e1a29f0193ba72cea365b1ae4b2377444bfb53816c1d

Download Submit
\Users\Admin\AppData\Local\Sheitan\antiprimer.exe

Filesize
3.2MB

MD5
ca83529cd990a33fa2119151e14fb68e

SHA1
e5d307a19c6323a60acc3ff97ad6753e3fb0aab4

SHA256
b4b8dae1a756435376665f58ef5e5cbb26fc9184c2733d06025aeec9ec93b260

SHA512
ac77422ced14503400ade10c47fa5df496bfd8ddb8ae907e07edafe2e2a7a6673a8ac7d546981e4abdecaa86030e3495138795116d7526d10c56ab2acce8401c

Download Submit
memory/2060-30-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2060-34-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2060-32-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2060-35-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download
memory/2060-36-0x0000000000380000-0x00000000003C0000-memory.dmp

Filesize
256KB

Download
memory/2060-74-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download
memory/2060-75-0x0000000000380000-0x00000000003C0000-memory.dmp

Filesize
256KB

Download
memory/2060-76-0x00000000006C0000-0x00000000006DE000-memory.dmp

Filesize
120KB

Download
memory/2076-10-0x00000000001E0000-0x00000000001E4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads