Overview

overview

10

Static

static

10

67071B5DA1...68.exe

windows7-x64

10

67071B5DA1...68.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    01-05-2024 12:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    67071B5DA1FB59324066982123ED7F68.exe

  • Size

    28KB

  • MD5

    67071b5da1fb59324066982123ed7f68

  • SHA1

    69dd9ef68544298fefc72ea1d9fbd363049d23b3

  • SHA256

    d938672b5d4f3a25c48474597752ff5f8af36472802a2c6767b2e7dd18506c71

  • SHA512

    7a9397b74550fe437849dbb88de5662e4750a96a07eff5684776c8f7400239419916770f158ebeab08c9b94bd6f8ed6c0e3bf80a6fbdfbc9db07ae2beb96122e

  • SSDEEP

    384:eB+Sbj6NKWh8/6DfAH94WOqDiGyChhVX7xAvDKNrCeJE3WNgPQXZxx+Jjvf9/H2S:UpWK/6Dfw9OGyChhx7xu45NXGrdNpj

Score
10/10
limeratrat

Malware Config

Extracted

Family

limerat

Attributes
  • aes_key

    X9twY2806eGrw9+Sl098AQ==

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/ZwyPz8sa

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Wservices.exe

  • main_folder

    Temp

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    false

Extracted

Family

limerat

Attributes
  • antivm

    false

  • c2_url

    https://pastebin.com/raw/ZwyPz8sa

  • download_payload

    false

  • install

    false

  • pin_spread

    false

  • usb_spread

    false

Signatures

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

    ratlimerat
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\67071B5DA1FB59324066982123ED7F68.exe
    "C:\Users\Admin\AppData\Local\Temp\67071B5DA1FB59324066982123ED7F68.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2512

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2512-0-0x00000000009A0000-0x00000000009AC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2512-1-0x0000000074D90000-0x000000007547E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2512-2-0x0000000000320000-0x0000000000360000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2512-17-0x0000000074D90000-0x000000007547E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2512-18-0x0000000000320000-0x0000000000360000-memory.dmp

    Filesize

    256KB

    Download