limerat | 76ccff988772b8703f093376be4b17204eb75ea5c94bfd698a956d03623826e4 | Triage

Analysis

max time kernel
297s
max time network
299s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
11-05-2024 13:06

Sharing

Report Analysis Logs

General

Target

Google.exe
Size

31KB
MD5

cc893a8b514d6874965dd29c0c473732
SHA1

69f56d454e6facba1eadffbdc7c2bf826b01ceaf
SHA256

369caea879ce15a7146b74e59ac7e172faa742d053634bfa436637c150c0c85a
SHA512

9ce978051ec948e2178a2cbbaf3b72d8367b0b711772ab7c903c34362c0ad848d152fd73babdeca5b86a775460075f526e42ddd4a0062b7b0330b45d495ac9e9
SSDEEP

384:71B+Sbj6NKGHU637AHtKnDqD1Hg3IWcvDKNrCeJE3WNgW1+PgpQB6SDi5GbQro3j:7vpG0637wtJA3IWS45NL+PgSB4g8jEP

Score

10^/10

limerat rat

Malware Config

Extracted

Family

limerat

Attributes

aes_key
Venom
antivm
true
c2_url
https://pastebin.com/raw/9YkEF3aU
delay
3
download_payload
false
install
true
install_name
Google.exe
main_folder
Temp
pin_spread
true
sub_folder
\system\
usb_spread
true

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/9YkEF3aU
download_payload
false
install
false
pin_spread
false
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Executes dropped EXE 1 IoCs

pid	Process
4772	Google.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

flow	ioc
1	pastebin.com
2	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

pid	Process
1516	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4772	Google.exe
Token: SeDebugPrivilege	4772	Google.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 420 wrote to memory of 1516	420	Google.exe	75
PID 420 wrote to memory of 1516	420	Google.exe	75
PID 420 wrote to memory of 1516	420	Google.exe	75
PID 420 wrote to memory of 4772	420	Google.exe	77
PID 420 wrote to memory of 4772	420	Google.exe	77
PID 420 wrote to memory of 4772	420	Google.exe	77

C:\Users\Admin\AppData\Local\Temp\Google.exe
"C:\Users\Admin\AppData\Local\Temp\Google.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:420
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\system\Google.exe'"
  2⤵
  - Creates scheduled task(s)
  PID:1516
- C:\Users\Admin\AppData\Local\Temp\system\Google.exe
  "C:\Users\Admin\AppData\Local\Temp\system\Google.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Google.exe.log

Filesize
709B

MD5
f49074d03bf7a1147e09523a879f96e5

SHA1
c0296087924e258a80bd85cc351370becde0d8cf

SHA256
6b2164baa4e0fe1e3b0fe1094483d2f28a73694e4b0e07c03a90b01ffe582c65

SHA512
bfbbd8881c2df740997613d08e8e582cd9788b91fbcc3c06c196c0acc1a20109cd94e987b8f08fd2fc396d377dd6d7dc4144877f996db2c7bd97ac0c9a300648

Download Submit
C:\Users\Admin\AppData\Local\Temp\system\Google.exe

Filesize
31KB

MD5
cc893a8b514d6874965dd29c0c473732

SHA1
69f56d454e6facba1eadffbdc7c2bf826b01ceaf

SHA256
369caea879ce15a7146b74e59ac7e172faa742d053634bfa436637c150c0c85a

SHA512
9ce978051ec948e2178a2cbbaf3b72d8367b0b711772ab7c903c34362c0ad848d152fd73babdeca5b86a775460075f526e42ddd4a0062b7b0330b45d495ac9e9

Download Submit
memory/420-3-0x0000000005440000-0x00000000054A6000-memory.dmp

Filesize
408KB

Download
memory/420-0-0x0000000073C0E000-0x0000000073C0F000-memory.dmp

Filesize
4KB

Download
memory/420-4-0x0000000073C00000-0x00000000742EE000-memory.dmp

Filesize
6.9MB

Download
memory/420-5-0x0000000005FA0000-0x000000000649E000-memory.dmp

Filesize
5.0MB

Download
memory/420-2-0x00000000053A0000-0x000000000543C000-memory.dmp

Filesize
624KB

Download
memory/420-1-0x0000000000BB0000-0x0000000000BBE000-memory.dmp

Filesize
56KB

Download
memory/420-13-0x0000000073C00000-0x00000000742EE000-memory.dmp

Filesize
6.9MB

Download
memory/4772-14-0x0000000073C00000-0x00000000742EE000-memory.dmp

Filesize
6.9MB

Download
memory/4772-15-0x0000000073C00000-0x00000000742EE000-memory.dmp

Filesize
6.9MB

Download
memory/4772-16-0x0000000073C00000-0x00000000742EE000-memory.dmp

Filesize
6.9MB

Download
memory/4772-17-0x0000000073C00000-0x00000000742EE000-memory.dmp

Filesize
6.9MB

Download