Analysis Overview
SHA256
44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2
Threat Level: Known bad
The file 44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe was found to be: Known bad.
Malicious Activity Summary
LimeRAT
Loads dropped DLL
Executes dropped EXE
Drops startup file
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
AutoIT Executable
Unsigned PE
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-03-23 02:13
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-23 02:13
Reported
2024-03-23 02:16
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
LimeRAT
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\antiprimer.vbs | C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 352 set thread context of 4848 | N/A | C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe
"C:\Users\Admin\AppData\Local\Temp\44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe"
C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe
"C:\Users\Admin\AppData\Local\Temp\44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| NL | 91.92.253.74:14982 | | tcp |
| US | 8.8.8.8:53 | 143.68.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.253.92.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 169.253.116.51.in-addr.arpa | udp |
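Most rows in the table above are Windows background traffic from the sandbox VM, not the sample. The following is an added example, not part of the sandbox report, that parses the rows and separates that noise (reverse lookups sent to the resolver, Bing endpoints) from the two destinations that matter: the pastebin.com fetch the report flags as an abused hosting service, and the direct TCP connection to 91.92.253.74:14982 that no name lookup preceded. The rows are copied from the win10 (behavioral2) table; the noise allow-list and the "direct-ip" verdict logic are assumptions of this example.

```python
"""Added example, not part of the sandbox report: triage a Triage-style Network
table into actionable indicators versus OS background noise."""

# Constructed subset of the report's behavioral2 Network table.
NETWORK_TABLE = """\
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| NL | 91.92.253.74:14982 |  | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
"""

RESOLVER = ("8.8.8.8", 53)
# Assumed allow-list of Microsoft/Windows background endpoints seen in sandboxes.
NOISE_SUFFIXES = (".bing.com", ".bing.net", ".microsoft.com",
                  ".windowsupdate.com", ".msftconnecttest.com")


def parse_rows(table: str):
    """Parse '| Country | ip:port | Domain | Proto |' rows into dicts."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def triage(table: str):
    """Return (iocs, noise); each entry is (indicator, ip:port, verdict)."""
    iocs, noise = [], []
    resolved = set()
    for r in parse_rows(table):
        if (r["ip"], r["port"]) == RESOLVER:
            # A DNS query row. PTR lookups are sandbox/OS noise; forward lookups
            # only record which names the VM resolved.
            if r["domain"].endswith(".in-addr.arpa"):
                noise.append((r["domain"], "", "ptr-lookup"))
            else:
                resolved.add(r["domain"].lower())
            continue
        dest = f"{r['ip']}:{r['port']}"
        if r["domain"].lower().endswith(NOISE_SUFFIXES):
            noise.append((r["domain"], dest, "os-background"))
        elif not r["domain"]:
            # No name resolution preceded this connection: the address was
            # hard-coded or obtained out of band (assumption of this example).
            iocs.append((dest, "", f"direct-ip/{r['country']}"))
        else:
            verdict = "resolved" if r["domain"].lower() in resolved else "unresolved"
            iocs.append((r["domain"], dest, verdict))
    return iocs, noise


if __name__ == "__main__":
    found, dropped = triage(NETWORK_TABLE)
    print("IOCs:")
    for entry in found:
        print("  ", entry)
    print(f"{len(dropped)} rows classified as noise")
```

The "direct-ip" verdict is the one to act on first: a connection to a non-web port with no DNS row in front of it is what a hard-coded C2 address looks like in this kind of table, whereas the pastebin.com row alone is indistinguishable from legitimate use without the fetched content.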
Files
memory/2580-10-0x00000000034D0000-0x00000000034D4000-memory.dmp
C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe
| MD5 | 2c423f6f0043d2269d0aeaa0d24ccc05 |
| SHA1 | 30a4cc0550370f81c8703f7928cbfb7abe8ef250 |
| SHA256 | ecfd07a471be51f7f1f539582057ceeef61bea2a2918ac1b5d346e36246e1b29 |
| SHA512 | 1f52b686cc37b1168da9abeed4cf18205bc993024ca05f5be58e5f1fd9a4fa46c5fea0171b8ee891eb6e6450c92005adfdfdb132d36d36412adf570064d8f1cc |
C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe
| MD5 | 30e749b24576a15ae346af3a88c28631 |
| SHA1 | b65c400b5e5352f284625aea431fad406929d410 |
| SHA256 | 1331547cdf4621d35c68eb9aef1847582be2f950cae23d743b9d7cb43bda3cfc |
| SHA512 | 06151c8edd5b2beb512cc1c5bbd5ba0efc6b5dcdac58d804852f6d9e89a11c5f6b21eebab24dd2d84b147b11105bc9a8bca909bf4a41b31878c9d092b7024623 |
C:\Users\Admin\AppData\Local\Temp\Ramada
| MD5 | 32be4d98c5de7245e96ec7e061fad889 |
| SHA1 | 81c374db19a8a8fa7c7540c819c78419e2d215a2 |
| SHA256 | 63c3db0eea414a6a465fcf05ab04338eab957e4f96bd6263c5e47d9113a6f521 |
| SHA512 | b16ff13986bbe0242aecad4b8523f19a660f1d528632c4ef70ca2d6c48a789cef9b0b97ce4a716569d7ffbc687e1679b6741eb5e721f564af97f4363a0b60708 |
C:\Users\Admin\AppData\Local\Temp\soliloquised
| MD5 | d44bf10e16997be0a563a9e5b82a9aa5 |
| SHA1 | 1599413100d74c8b3784b41cc0ddcbcc8fc8cc79 |
| SHA256 | 4e8977297ad9be48eb85074f5faf95c77d20c39b42cf835c97080b7d6a1c9835 |
| SHA512 | dc6b35cddbb599e0b3710688ce75ee3d22c29d8e075960a66522e1f224a594be4bb37efdfb8bff5fd7e4e1a29f0193ba72cea365b1ae4b2377444bfb53816c1d |
memory/4848-28-0x0000000000400000-0x000000000040C000-memory.dmp
memory/4848-30-0x0000000005800000-0x000000000589C000-memory.dmp
memory/4848-29-0x0000000074B60000-0x0000000075310000-memory.dmp
memory/4848-31-0x0000000005760000-0x00000000057C6000-memory.dmp
memory/4848-32-0x0000000003020000-0x0000000003030000-memory.dmp
memory/4848-33-0x0000000006450000-0x00000000069F4000-memory.dmp
memory/4848-34-0x0000000006CD0000-0x0000000006D62000-memory.dmp
memory/4848-35-0x0000000074B60000-0x0000000075310000-memory.dmp
memory/4848-36-0x0000000003020000-0x0000000003030000-memory.dmp
memory/4848-37-0x0000000007CB0000-0x0000000007CCE000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-23 02:13
Reported
2024-03-23 02:16
Platform
win7-20240221-en
Max time kernel
149s
Max time network
140s
Command Line
Signatures
LimeRAT
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\antiprimer.vbs | C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1204 set thread context of 2060 | N/A | C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe | N/A |
Suspicious use of WriteProcessMemory
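Both detonations (win7 above, win10 earlier on the page) report the same chain: the dropped antiprimer.exe writes a .vbs into the user's Startup folder, sets the thread context of a freshly started RegSvcs.exe, and the run then resolves pastebin.com and opens a raw TCP connection on a non-web port. The following is an added example, not code from the sandbox report or from the sample, that writes those three behaviours as correlation rules and runs them over constructed telemetry. The event schema and field names, the list of .NET host binaries beyond RegSvcs.exe, and the attribution of the network events to the RegSvcs.exe process are assumptions of this example, not facts from the report; paths and PIDs are taken from the behavioral1 run.

```python
"""Added example, not part of the sandbox report: correlate the report's
signatures into three detection rules over a constructed event stream."""
import ntpath

# Paths and PIDs from the behavioral1 run in the report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe"
HOST = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
STARTUP_VBS = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\antiprimer.vbs"

# Constructed event stream (assumed schema), in the order the behaviours occurred.
EVENTS = [
    {"type": "process_create", "pid": 2076, "image": SAMPLE, "ppid": 1000},
    {"type": "process_create", "pid": 1204, "image": DROPPED, "ppid": 2076},
    {"type": "file_create", "pid": 1204, "image": DROPPED, "path": STARTUP_VBS},
    {"type": "process_create", "pid": 2060, "image": HOST, "ppid": 1204},
    {"type": "set_thread_context", "pid": 1204, "image": DROPPED,
     "target_pid": 2060, "target_image": HOST},
    # Network attribution to the RegSvcs.exe process is an assumption.
    {"type": "dns_query", "pid": 2060, "image": HOST, "query": "pastebin.com"},
    {"type": "connect", "pid": 2060, "image": HOST, "dst": "104.20.68.143", "port": 443},
    {"type": "connect", "pid": 2060, "image": HOST, "dst": "91.92.253.74", "port": 14982},
    # Background noise of the kind seen in the win10 run; must not fire.
    {"type": "dns_query", "pid": 9000, "image": r"C:\Windows\explorer.exe", "query": "g.bing.com"},
    {"type": "connect", "pid": 9000, "image": r"C:\Windows\explorer.exe",
     "dst": "204.79.197.200", "port": 443},
]

STARTUP_DIR = "\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\"
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".lnk", ".exe", ".scr"}
# Signed .NET utilities used as injection hosts: RegSvcs.exe is the one in the
# report; the others are an assumed generalisation of the same technique.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}
PASTE_SITES = {"pastebin.com"}
WEB_PORTS = {80, 443}
SYSTEM_DIR = "c:\\windows\\"


def _user_writable(image: str) -> bool:
    """True for images living where an unprivileged user can write."""
    p = image.lower()
    return "\\appdata\\" in p or "\\users\\public\\" in p or "\\programdata\\" in p


def rule_startup_script(events):
    """Persistence: a user-writable executable drops a script/binary into Startup."""
    hits = []
    for e in events:
        if e["type"] != "file_create":
            continue
        path = e["path"].lower()
        if STARTUP_DIR in path and ntpath.splitext(path)[1] in SCRIPT_EXTS and _user_writable(e["image"]):
            hits.append({"rule": "startup_script_drop", "pid": e["pid"], "detail": e["path"]})
    return hits


def rule_dotnet_host_hijack(events):
    """Injection: a non-system binary sets the thread context of a .NET host process."""
    hits = []
    for e in events:
        if e["type"] != "set_thread_context":
            continue
        target = ntpath.basename(e["target_image"]).lower()
        if target in DOTNET_HOSTS and not e["image"].lower().startswith(SYSTEM_DIR):
            hits.append({"rule": "dotnet_host_thread_hijack", "pid": e["pid"],
                         "detail": f"{ntpath.basename(e['image'])} -> pid {e['target_pid']} ({target})"})
    return hits


def rule_paste_then_raw_tcp(events):
    """C2: a process resolves a paste site, then opens TCP to a non-web port."""
    saw_paste, hits = set(), []
    for e in events:  # events are in chronological order
        if e["type"] == "dns_query" and e["query"].lower() in PASTE_SITES:
            saw_paste.add(e["pid"])
        elif e["type"] == "connect" and e["pid"] in saw_paste and e["port"] not in WEB_PORTS:
            hits.append({"rule": "paste_site_then_raw_tcp", "pid": e["pid"],
                         "detail": f"{e['dst']}:{e['port']}"})
    return hits


def run_rules(events):
    return rule_startup_script(events) + rule_dotnet_host_hijack(events) + rule_paste_then_raw_tcp(events)


if __name__ == "__main__":
    for finding in run_rules(EVENTS):
        print(finding)
```

The hijack rule keys on the image path of the process calling SetThreadContext rather than on RegSvcs.exe alone, because RegSvcs.exe itself is a signed Microsoft binary and is legitimate whenever something under C:\Windows starts it; the persistence rule likewise requires the writer to live in a user-writable directory so that installer activity in the Startup folder does not fire.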
Processes
C:\Users\Admin\AppData\Local\Temp\44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe
"C:\Users\Admin\AppData\Local\Temp\44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe"
C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe
"C:\Users\Admin\AppData\Local\Temp\44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\44f8f0b67907cb91d414a1c0cb33e74e42d201e05869129a9d1d4039dbfb0fe2.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| NL | 91.92.253.74:14982 | | tcp |
Files
memory/2076-10-0x00000000001E0000-0x00000000001E4000-memory.dmp
\Users\Admin\AppData\Local\Sheitan\antiprimer.exe
| MD5 | ca83529cd990a33fa2119151e14fb68e |
| SHA1 | e5d307a19c6323a60acc3ff97ad6753e3fb0aab4 |
| SHA256 | b4b8dae1a756435376665f58ef5e5cbb26fc9184c2733d06025aeec9ec93b260 |
| SHA512 | ac77422ced14503400ade10c47fa5df496bfd8ddb8ae907e07edafe2e2a7a6673a8ac7d546981e4abdecaa86030e3495138795116d7526d10c56ab2acce8401c |
C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe
| MD5 | af3cb4713403c020cac5201b745e42a3 |
| SHA1 | 9fb0553834190aa6c3c39b891fe721e0e30f50f2 |
| SHA256 | 1b106a6368e4b1e2f8afa45c00c9cd68473cd7d51184be70766347b7ea3eccde |
| SHA512 | 7da8e1d816b4780c7701bd48c29e92040384d92057e3aabd7ecccf0bfcd219b3bee59a4952fadec2a07cfae521a907fb69108f94bdbf98cd7f3240373136aa5a |
C:\Users\Admin\AppData\Local\Sheitan\antiprimer.exe
| MD5 | 24f0f09cbf58ccb50afe5e84f8478529 |
| SHA1 | 17a08536c544d512a25a789271278b5a5c43d8b7 |
| SHA256 | e33a81ebbee05bd12f24651a453e13130f1fbd9065423624624d1ace2b64d955 |
| SHA512 | a3a2412b896bde601495c47070ea3f7ec8b0cb26d281dbbea9fa8f5ed6bd0c931066d5cf1fb79936e7bcfd6ffeae2e50494616dfc15f6bd299bbd08ccdb41ed4 |
C:\Users\Admin\AppData\Local\Temp\soliloquised
| MD5 | d44bf10e16997be0a563a9e5b82a9aa5 |
| SHA1 | 1599413100d74c8b3784b41cc0ddcbcc8fc8cc79 |
| SHA256 | 4e8977297ad9be48eb85074f5faf95c77d20c39b42cf835c97080b7d6a1c9835 |
| SHA512 | dc6b35cddbb599e0b3710688ce75ee3d22c29d8e075960a66522e1f224a594be4bb37efdfb8bff5fd7e4e1a29f0193ba72cea365b1ae4b2377444bfb53816c1d |
C:\Users\Admin\AppData\Local\Temp\Ramada
| MD5 | 32be4d98c5de7245e96ec7e061fad889 |
| SHA1 | 81c374db19a8a8fa7c7540c819c78419e2d215a2 |
| SHA256 | 63c3db0eea414a6a465fcf05ab04338eab957e4f96bd6263c5e47d9113a6f521 |
| SHA512 | b16ff13986bbe0242aecad4b8523f19a660f1d528632c4ef70ca2d6c48a789cef9b0b97ce4a716569d7ffbc687e1679b6741eb5e721f564af97f4363a0b60708 |
memory/2060-30-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2060-34-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2060-32-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2060-35-0x00000000745F0000-0x0000000074CDE000-memory.dmp
memory/2060-36-0x0000000000380000-0x00000000003C0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\TarE806.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
memory/2060-74-0x00000000745F0000-0x0000000074CDE000-memory.dmp
memory/2060-75-0x0000000000380000-0x00000000003C0000-memory.dmp
memory/2060-76-0x00000000006C0000-0x00000000006DE000-memory.dmp