Resubmissions

  • 30-05-2024 12:32  240530-pqnj6shh93  score 10

  • 30-05-2024 12:29  240530-pny8wshh46  score 10

General

  • Target

    Rat Testing.zip

  • Size

    34KB

  • Sample

    240530-pqnj6shh93

  • MD5

    d180a2426d4455515c7ab9ff334d3028

  • SHA1

    0bb3bd1addd23913829de311415e614c6c52aa91

  • SHA256

    7d0608d6ae56de15aa0acc4942e7f2aebd232bba4e48d867bad9ce46776b3fd3

  • SHA512

    9cb3e9d1ad9fa465708d12158f5ae765ee32a18017f7faf33530d99d870cb4bd1525ca2435d5e97bee32b78a88afadd082d368b09d1ddb63276e791be0a662d5

  • SSDEEP

    768:lvPxlaGxY66cPR1C4+OxdgYckxQ+uYrm3k+peYx2trYeluj:lvpkIx68Vxdg54/XYkrYegj

Malware Config

Extracted

Family

limerat

Attributes

  • aes_key

    0790308

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/ug38C3Hv

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Wservices.exe

  • main_folder

    Temp

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    false

Extracted

Family

xenorat

C2

147.185.221.20

Mutex

TestingRat

Attributes

  • install_path

    appdata

  • port

    3403

  • startup_name

    Console

Extracted

Family

limerat

Attributes

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/ug38C3Hv

  • download_payload

    false

  • install

    false

  • pin_spread

    false

  • usb_spread

    false

Targets

    • Target

      Rat Testing/Lime Rat.exe

    • Size

      28KB

    • MD5

      457d2e2fabc4243730eb308bb0f4e073

    • SHA1

      7f17f6124dd7271723887350e406240888566db7

    • SHA256

      16502a5eea8d788fc294b7795f5fbb8e10788df361d70d9e842df3f3fd81b775

    • SHA512

      480b2152b2d1d150b9a0de99df0e74c1077e539cf911e59195f78c1b904882ee9ba24530c33f37defd850609881d6376e894e4a4fcbe16425b26adde3863140b

    • SSDEEP

      384:SB+Sbj6NKW3c61lAHdk9GLqDuaywywVJvDKNrCeJE3WNg8/lPnWGrtHAUMQro3lP:IpWM61lwdT9wywVB45NJEGr49j

    Score
    10/10
    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      Rat Testing/Xeno Rat.exe

    • Size

      45KB

    • MD5

      5bf8a2aeedfb1123eb10af5e0f0e3302

    • SHA1

      cdb9c4090f4ff8b9a5d94eaae30c15f4916e177a

    • SHA256

      bf0927a0af35c23071466397ab21b38951d5847a4c7dda419d83a1a98183b12f

    • SHA512

      3fa42409cea75c32b6323567fd7f03f10fd220fd73a93e4ba4d6bf998b228377e404d1a050f32e952b742c8d89a7e2384c14129608814711e285bfad33024983

    • SSDEEP

      768:FdhO/poiiUcjlJInrVH9Xqk5nWEZ5SbTDazuI7CPW5j:bw+jjgnRH9XqcnW85SbT2uIb

    Score
    10/10
    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix (ATT&CK v13)

Execution

  • Scheduled Task/Job (T1053): 1

Persistence

  • Scheduled Task/Job (T1053): 1

Privilege Escalation

  • Scheduled Task/Job (T1053): 1

Discovery

  • Query Registry (T1012): 2

  • System Information Discovery (T1082): 3

  • Peripheral Device Discovery (T1120): 1

Command and Control

  • Web Service (T1102): 1

Tasks