Overview

overview

10

Static

static

5

0f12d87b67...18.exe

windows7-x64

10

0f12d87b67...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0f12d87b67f6175122a15eadddfa53bb_JaffaCakes118

  • Size

    1.1MB

  • Sample

    240502-2vgnmsaf79

  • MD5

    0f12d87b67f6175122a15eadddfa53bb

  • SHA1

    477c5eacc92fb3e7c7fc149fc394c02e1a28eebb

  • SHA256

    0ab7b0b931490bf95e8dd6ec8e9f3d014b5c93b2ba3b3a32445f481f2db2bdb6

  • SHA512

    cae908d4849d91645c10bb43cd697696c5b1866b71ef04767f2d88523d6a1e8a1df44b0ee528c13d2e1563db10ce45c3127deb985b62f08c61d658c5a4ec0ae9

  • SSDEEP

    24576:4AHnh+eWsN3skA4RV1Hom2KXMmHa97aWtjzjFtuM25w:/h+ZkldoPK8Ya971XjFtAw

Score
10/10
limeratrat

Malware Config

Extracted

Family

limerat

Wallets

1JBKLGyE6AnRGvk92A8x3m8qmXfh3fcEty

Attributes
  • aes_key

    nulled

  • antivm

    true

  • c2_url

    https://pastebin.com/raw/cXuQ0V20

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Winservices.exe

  • main_folder

    AppData

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    true

Extracted

Family

limerat

Attributes
  • antivm

    false

  • c2_url

    https://pastebin.com/raw/cXuQ0V20

  • download_payload

    false

  • install

    false

  • pin_spread

    false

  • usb_spread

    false

Targets

    • Target

      0f12d87b67f6175122a15eadddfa53bb_JaffaCakes118

    • Size

      1.1MB

    • MD5

      0f12d87b67f6175122a15eadddfa53bb

    • SHA1

      477c5eacc92fb3e7c7fc149fc394c02e1a28eebb

    • SHA256

      0ab7b0b931490bf95e8dd6ec8e9f3d014b5c93b2ba3b3a32445f481f2db2bdb6

    • SHA512

      cae908d4849d91645c10bb43cd697696c5b1866b71ef04767f2d88523d6a1e8a1df44b0ee528c13d2e1563db10ce45c3127deb985b62f08c61d658c5a4ec0ae9

    • SSDEEP

      24576:4AHnh+eWsN3skA4RV1Hom2KXMmHa97aWtjzjFtuM25w:/h+ZkldoPK8Ya971XjFtAw

    Score
    10/10
    limeratrat

    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

      ratlimerat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks