limerat | b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6 | Triage

Sharing

General

Target

b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6
Size

49KB
Sample

240424-k8j79agc9w
MD5

f8c0512008daff966ef349e7178d1239
SHA1

2a74048cf5009ab0f850e3992ffe7a453e3e18a5
SHA256

b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6
SHA512

f8c208da88e213f96531b09ea4cdffd82368373aeb9868f11e35135052cf80ffceb89c64da83969aa2df3505579fefc673a0e6346b3b6c361a7d29089f56a3fa
SSDEEP

768:FpJRqkmuoYiL7pr4y9iIn0N+LJwdFNt9cHpa6vOAh2HVXj+T3I:FpJRqVRNr42uNBFf9ipa6vOAwVST3I

Score

10^/10

limerat stormkitty xworm persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7000

91.92.252.220:7000

Mutex

MeDwR8PJidtfrQQa

Attributes

Install_directory
%AppData%
install_file
explorer.exe
telegram
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

aes.plain

Extracted

Family

limerat

Wallets

bc1q7p5qe345uqww9e4ut3nt08tu2lsgnvfsc40azt

Attributes

aes_key
KILLER
antivm
false
c2_url
https://pastebin.com/raw/4EtQAvTV
delay
3
download_payload
false
install
true
install_name
browser.exe
main_folder
AppData
pin_spread
true
sub_folder
\
usb_spread
true

Targets

- Target
  
  b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6
- Size
  
  49KB
- MD5
  
  f8c0512008daff966ef349e7178d1239
- SHA1
  
  2a74048cf5009ab0f850e3992ffe7a453e3e18a5
- SHA256
  
  b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6
- SHA512
  
  f8c208da88e213f96531b09ea4cdffd82368373aeb9868f11e35135052cf80ffceb89c64da83969aa2df3505579fefc673a0e6346b3b6c361a7d29089f56a3fa
- SSDEEP
  
  768:FpJRqkmuoYiL7pr4y9iIn0N+LJwdFNt9cHpa6vOAh2HVXj+T3I:FpJRqVRNr42uNBFf9ipa6vOAwVST3I
Score

10^/10

limerat stormkitty xworm persistence rat spyware stealer trojan
- Detect Xworm Payload
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

limeratstormkittyxwormpersistenceratspywarestealertrojan

behavioral2

xwormpersistencerattrojan