Overview

overview

10

Static

static

3

eb1a9295b1...18.exe

windows7-x64

10

eb1a9295b1...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    eb1a9295b13583f1d12db61027e72fa3_JaffaCakes118

  • Size

    2.2MB

  • Sample

    240410-p1wnjabc6z

  • MD5

    eb1a9295b13583f1d12db61027e72fa3

  • SHA1

    a44c8f2bdc54110ce7d295bb0b92a0212177dd77

  • SHA256

    bcbc3eac0f777f27bdacb1cdade005bf50860fded0fa39205a66f5c9560ab80e

  • SHA512

    f94100cd6099376120677f51ed2b8c0438302f844a54f598a9675dc5c7486e6ae30b41e12ffeae51941c17e9438f293d3de2992c0cdc6a601ffa778a273e1365

  • SSDEEP

    49152:p0Wr2+2NRopvMx5qqLDp2iOzouQs6wt1rp9X/M:WwkkEx5VDOzrQs6EvNk

Score
10/10
asyncratlimeratrat

Malware Config

Extracted

Family

limerat

Attributes
  • aes_key

    @mustleak

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/c3Nu1fZy

  • delay

    3

  • download_payload

    false

  • install

    true

  • install_name

    snchost.exe

  • main_folder

    AppData

  • pin_spread

    false

  • sub_folder

    \bite\

  • usb_spread

    true

Extracted

Family

asyncrat

Version

0.5.4H

Mutex

extiqtrzeqtxqjoa

Attributes
  • delay

    0

  • install

    true

  • install_file

    scvhost.exe

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/X37Jy9jA

aes.plain

Targets

    • Target

      eb1a9295b13583f1d12db61027e72fa3_JaffaCakes118

    • Size

      2.2MB

    • MD5

      eb1a9295b13583f1d12db61027e72fa3

    • SHA1

      a44c8f2bdc54110ce7d295bb0b92a0212177dd77

    • SHA256

      bcbc3eac0f777f27bdacb1cdade005bf50860fded0fa39205a66f5c9560ab80e

    • SHA512

      f94100cd6099376120677f51ed2b8c0438302f844a54f598a9675dc5c7486e6ae30b41e12ffeae51941c17e9438f293d3de2992c0cdc6a601ffa778a273e1365

    • SSDEEP

      49152:p0Wr2+2NRopvMx5qqLDp2iOzouQs6wt1rp9X/M:WwkkEx5VDOzrQs6EvNk

    Score
    10/10
    asyncratlimeratrat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

      ratlimerat

    • Async RAT payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks