Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-03-2024 02:13

General

  • Target

    44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe

  • Size

    910KB

  • MD5

    2c2a5ffd16b2c07a378245bc4903aaa8

  • SHA1

    bdf1a94e0e7acd7c5d7f61e56b88c2e16bafe71f

  • SHA256

    44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2

  • SHA512

    7f597122462f38f61f2246d16e0c68d2f00c2b610c3393401d2badbf5958f91dea118c23eee39ab08e37069c72bf4ac360c8696eff7b862f3ac2229cb84537ab

  • SSDEEP

    24576:fAHnh+eWsN3skA4RV1Hom2KXMmHaoeyFxl5:Ch+ZkldoPK8Yao3

Score
10/10

Malware Config

Extracted

Family

limerat

Wallets

1B5aLZh6psoQttLGn9tpbdibiWqzyh4Jfv

Attributes
  • aes_key

    NYANCAT

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/LJe9sUk5

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Wservices.exe

  • main_folder

    Temp

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    true

Extracted

Family

limerat

Attributes
  • antivm

    false

  • c2_url

    https://pastebin.com/raw/LJe9sUk5

  • download_payload

    false

  • install

    false

  • pin_spread

    false

  • usb_spread

    false

Signatures

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe
    "C:\Users\Admin\AppData\Local\Temp\44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe"
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2580
    • C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe
      "C:\Users\Admin\AppData\Local\Temp\44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe"
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:352
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe"
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4848
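
The process tree above shows the pattern the sandbox signatures point at: a dropped binary (antiprimer.exe) uses SetThreadContext, MapViewOfSection and WriteProcessMemory, and its child RegSvcs.exe runs with a command line naming the original sample rather than the .NET framework image it is mapped from. The script below is an added example (not part of this report, the sandbox, or LimeRAT) that encodes those indicators as triage heuristics over a process tree. The process records are constructed from the Processes section; the root process's parent PID of 0 and the behaviour-name spellings are assumptions made for the example.

```python
"""Flag process-hollowing and LOLBin-host indicators in a sandbox process tree.

Added example; the records in TREE are constructed from the report's
Processes section, not pulled from a live sandbox API.
"""
import ntpath
from dataclasses import dataclass, field
from typing import Dict, List

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe")


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str       # image actually mapped in the process
    cmdline: str     # command line as recorded by the sandbox
    behaviors: List[str] = field(default_factory=list)


# Constructed from the report. PPID 0 for the root is an assumption: the
# report does not show the parent of PID 2580.
TREE: List[Proc] = [
    Proc(2580, 0, SAMPLE, f'"{SAMPLE}"',
         ["FindShellTrayWindow", "SendNotifyMessage", "WriteProcessMemory"]),
    Proc(352, 2580, r"C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe", f'"{SAMPLE}"',
         ["DropsStartupFile", "ExecutesDroppedEXE", "SetThreadContext",
          "MapViewOfSection", "FindShellTrayWindow", "SendNotifyMessage",
          "WriteProcessMemory"]),
    Proc(4848, 352, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", f'"{SAMPLE}"',
         ["EnumeratesProcesses", "AdjustPrivilegeToken"]),
]

# .NET framework utilities frequently used as injection hosts.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
# Path fragments that mark user-writable locations (lower-cased comparison).
USER_WRITABLE = (r"\appdata\local", r"\appdata\roaming", r"\users\public")
# Parent-side API pair that, together with an image/cmdline mismatch in the
# child, is the classic hollowing sequence.
HOLLOW_APIS = {"WriteProcessMemory", "SetThreadContext"}
TRUSTED_PARENT_DIRS = ("c:\\windows\\", "c:\\program files")


def argv0(cmdline: str) -> str:
    """Return the executable token of a Windows command line (quoted or not)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(" ", 1)[0]


def analyze(tree: List[Proc]) -> Dict[int, List[str]]:
    """Return per-PID findings; an empty list means nothing suspicious."""
    by_pid = {p.pid: p for p in tree}
    findings: Dict[int, List[str]] = {p.pid: [] for p in tree}
    for p in tree:
        image_name = ntpath.basename(p.image).lower()
        cmd_name = ntpath.basename(argv0(p.cmdline)).lower()
        parent = by_pid.get(p.ppid)

        # 1. The command line names a different executable than the mapped
        #    image: the child was created from one image and overwritten.
        if cmd_name != image_name:
            findings[p.pid].append(f"image/cmdline mismatch: image={image_name} cmdline={cmd_name}")
            # 2. ...and the parent showed the write + thread-context pattern.
            if parent and HOLLOW_APIS <= set(parent.behaviors):
                findings[p.pid].append(
                    f"hollowing: parent {parent.pid} used WriteProcessMemory+SetThreadContext")

        # 3. A .NET framework utility launched by something outside Windows
        #    or Program Files (installers and Visual Studio live there).
        if (image_name in DOTNET_HOSTS and parent
                and not parent.image.lower().startswith(TRUSTED_PARENT_DIRS)):
            findings[p.pid].append(
                f"{image_name} spawned by {ntpath.basename(parent.image)} "
                f"from {ntpath.dirname(parent.image)}")

        # 4. Execution from a user-writable directory.
        if any(seg in p.image.lower() for seg in USER_WRITABLE):
            findings[p.pid].append("executes from user-writable path")
    return findings


if __name__ == "__main__":
    for pid, hits in analyze(TREE).items():
        for hit in hits:
            print(f"PID {pid}: {hit}")
```

On the report's tree this yields a hollowing verdict only for PID 4848: PID 352 also carries a mismatched command line, but its recorded parent (2580) shows WriteProcessMemory without SetThreadContext, so the heuristic stops at the weaker mismatch finding. Checking the parent's API pair rather than the mismatch alone keeps the rule from firing on benign launchers that rewrite argv.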

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe

    Filesize

    20.9MB

    MD5

    2c423f6f0043d2269d0aeaa0d24ccc05

    SHA1

    30a4cc0550370f81c8703f7928cbfb7abe8ef250

    SHA256

    ecfd07a471be51f7f1f539582057ceeef61bea2a2918ac1b5d346e36246e1b29

    SHA512

    1f52b686cc37b1168da9abeed4cf18205bc993024ca05f5be58e5f1fd9a4fa46c5fea0171b8ee891eb6e6450c92005adfdfdb132d36d36412adf570064d8f1cc

  • C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe

    Filesize

    14.9MB

    MD5

    30e749b24576a15ae346af3a88c28631

    SHA1

    b65c400b5e5352f284625aea431fad406929d410

    SHA256

    1331547cdf4621d35c68eb9aef1847582be2f950cae23d743b9d7cb43bda3cfc

    SHA512

    06151c8edd5b2beb512cc1c5bbd5ba0efc6b5dcdac58d804852f6d9e89a11c5f6b21eebab24dd2d84b147b11105bc9a8bca909bf4a41b31878c9d092b7024623

  • C:\Users\Admin\AppData\Local\Temp\Ramada

    Filesize

    58KB

    MD5

    32be4d98c5de7245e96ec7e061fad889

    SHA1

    81c374db19a8a8fa7c7540c819c78419e2d215a2

    SHA256

    63c3db0eea414a6a465fcf05ab04338eab957e4f96bd6263c5e47d9113a6f521

    SHA512

    b16ff13986bbe0242aecad4b8523f19a660f1d528632c4ef70ca2d6c48a789cef9b0b97ce4a716569d7ffbc687e1679b6741eb5e721f564af97f4363a0b60708

  • C:\Users\Admin\AppData\Local\Temp\soliloquised

    Filesize

    28KB

    MD5

    d44bf10e16997be0a563a9e5b82a9aa5

    SHA1

    1599413100d74c8b3784b41cc0ddcbcc8fc8cc79

    SHA256

    4e8977297ad9be48eb85074f5faf95c77d20c39b42cf835c97080b7d6a1c9835

    SHA512

    dc6b35cddbb599e0b3710688ce75ee3d22c29d8e075960a66522e1f224a594be4bb37efdfb8bff5fd7e4e1a29f0193ba72cea365b1ae4b2377444bfb53816c1d

  • memory/2580-10-0x00000000034D0000-0x00000000034D4000-memory.dmp

    Filesize

    16KB

  • memory/4848-30-0x0000000005800000-0x000000000589C000-memory.dmp

    Filesize

    624KB

  • memory/4848-28-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/4848-29-0x0000000074B60000-0x0000000075310000-memory.dmp

    Filesize

    7.7MB

  • memory/4848-31-0x0000000005760000-0x00000000057C6000-memory.dmp

    Filesize

    408KB

  • memory/4848-32-0x0000000003020000-0x0000000003030000-memory.dmp

    Filesize

    64KB

  • memory/4848-33-0x0000000006450000-0x00000000069F4000-memory.dmp

    Filesize

    5.6MB

  • memory/4848-34-0x0000000006CD0000-0x0000000006D62000-memory.dmp

    Filesize

    584KB

  • memory/4848-35-0x0000000074B60000-0x0000000075310000-memory.dmp

    Filesize

    7.7MB

  • memory/4848-36-0x0000000003020000-0x0000000003030000-memory.dmp

    Filesize

    64KB

  • memory/4848-37-0x0000000007CB0000-0x0000000007CCE000-memory.dmp

    Filesize

    120KB