Overview

overview

10

Static

static

10

New-Client.exe

windows10-2004-x64

Analysis

  • max time kernel
    24s
  • max time network
    25s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-05-2024 15:12

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    New-Client.exe

  • Size

    28KB

  • MD5

    2d0c62fc7cc0fcddec7cdfd2b4aacbd7

  • SHA1

    6dab1f5cb32d4c3a5f8789b07f4c2930a49d1956

  • SHA256

    d89a56bbfa46016796046572213f98af65abdd863fef32f8eaf50ace8fb1f921

  • SHA512

    e48f0474c68674a4907f22f89f6a6f3f074128731e5ee453e3482d22851d567055b9b49fe21b30f9c1858fa2276ec5bd34a3abe8205c530550ff4a2ea9826e53

  • SSDEEP

    384:0B+Sbj6NKSfa6JBAHNefWXqDpOinsmsDdvDKNrCeJE3WNgOT5E/JXr4CQro3lcTR:ypSS6JBwNOOism0d45NP5211wj

Score
10/10
limeratrat

Malware Config

Extracted

Family

limerat

Attributes
  • aes_key

    07903088

  • antivm

    true

  • c2_url

    https://pastebin.com/raw/J0uqtmU4

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Wservices.exe

  • main_folder

    Temp

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    false

Extracted

Family

limerat

Attributes
  • antivm

    false

  • c2_url

    https://pastebin.com/raw/J0uqtmU4

  • download_payload

    false

  • install

    false

  • pin_spread

    false

  • usb_spread

    false

Signatures

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

    ratlimerat
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\New-Client.exe
    "C:\Users\Admin\AppData\Local\Temp\New-Client.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4448
    • C:\Windows\SysWOW64\Shutdown.exe
      Shutdown /s /f /t 00
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3820
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa39b7855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:3240

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4448-0-0x0000000074FEE000-0x0000000074FEF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4448-1-0x0000000000F20000-0x0000000000F2C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4448-2-0x00000000058F0000-0x000000000598C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4448-3-0x0000000005A00000-0x0000000005A66000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4448-4-0x0000000074FE0000-0x0000000075790000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4448-5-0x00000000066E0000-0x0000000006C84000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4448-6-0x0000000007B10000-0x0000000007BA2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4448-7-0x0000000007A60000-0x0000000007A6C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4448-8-0x0000000074FE0000-0x0000000075790000-memory.dmp

    Filesize

    7.7MB

    Download