Malware Analysis Report

2024-08-06 18:38

Sample ID 240530-pqnj6shh93
Target Rat Testing.zip
SHA256 7d0608d6ae56de15aa0acc4942e7f2aebd232bba4e48d867bad9ce46776b3fd3
Tags
limerat rat xenorat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7d0608d6ae56de15aa0acc4942e7f2aebd232bba4e48d867bad9ce46776b3fd3

Threat Level: Known bad

The file Rat Testing.zip was found to be: Known bad.

Malicious Activity Summary

limerat rat xenorat trojan

Limerat family

XenorRat

Xenorat family

LimeRAT

Checks computer location settings

Executes dropped EXE

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-30 12:32

Signatures

Limerat family

limerat

Xenorat family

xenorat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 12:32

Reported

2024-05-30 12:37

Platform

win10v2004-20240426-en

Max time kernel

302s

Max time network

306s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe"

Signatures

LimeRAT

rat limerat

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe

"C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | pastebin.com | udp
US | 104.20.4.235:443 | pastebin.com | tcp
US | 147.185.221.20:3069 | | tcp
US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.221.185.147.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 93.65.42.20.in-addr.arpa | udp

Files

memory/2336-0-0x000000007509E000-0x000000007509F000-memory.dmp

memory/2336-1-0x0000000000780000-0x000000000078C000-memory.dmp

memory/2336-2-0x0000000005180000-0x000000000521C000-memory.dmp

memory/2336-3-0x00000000050E0000-0x0000000005146000-memory.dmp

memory/2336-4-0x0000000075090000-0x0000000075840000-memory.dmp

memory/2336-5-0x0000000005F60000-0x0000000006504000-memory.dmp

memory/2336-6-0x0000000007150000-0x00000000071E2000-memory.dmp

memory/2336-7-0x000000007509E000-0x000000007509F000-memory.dmp

memory/2336-8-0x0000000075090000-0x0000000075840000-memory.dmp

memory/2336-9-0x0000000001030000-0x000000000103A000-memory.dmp

memory/2336-11-0x0000000075090000-0x0000000075840000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 12:32

Reported

2024-05-30 12:34

Platform

win10v2004-20240426-en

Max time kernel

89s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Rat Testing\Xeno Rat.exe"

Signatures

XenorRat

trojan rat xenorat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Rat Testing\Xeno Rat.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\D: | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Rat Testing\Xeno Rat.exe

"C:\Users\Admin\AppData\Local\Temp\Rat Testing\Xeno Rat.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "Console" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3587.tmp" /F

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x31c 0x4c0

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 147.185.221.20:3403 | | tcp
US | 147.185.221.20:3403 | | tcp
US | 8.8.8.8:53 | 20.221.185.147.in-addr.arpa | udp
US | 147.185.221.20:3403 | | tcp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 147.185.221.20:3403 | | tcp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 147.185.221.20:3403 | | tcp
US | 147.185.221.20:3403 | | tcp

Files

memory/3068-0-0x0000000074B9E000-0x0000000074B9F000-memory.dmp

memory/3068-1-0x00000000002C0000-0x00000000002D2000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe

MD5 5bf8a2aeedfb1123eb10af5e0f0e3302
SHA1 cdb9c4090f4ff8b9a5d94eaae30c15f4916e177a
SHA256 bf0927a0af35c23071466397ab21b38951d5847a4c7dda419d83a1a98183b12f
SHA512 3fa42409cea75c32b6323567fd7f03f10fd220fd73a93e4ba4d6bf998b228377e404d1a050f32e952b742c8d89a7e2384c14129608814711e285bfad33024983

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Xeno Rat.exe.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

memory/1588-16-0x0000000074B90000-0x0000000075340000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp3587.tmp

MD5 0e29fbc9d75d451bb7b67f39780c4a90
SHA1 e1029b49a55d95816055da478445478d019b8683
SHA256 34268bc2fe7b655c624dfba5e5740aa5d8c816d13e917a46211c746ae4ab8bf9
SHA512 817216c5022e6faee6ef3f35f57d6e7d1238333c461c6dffc2c77f332a670ea0e772f2f910e45ef76c36427bec36f16c55e2fb9ce11f11e0a465c3980e6f1a1c

memory/1588-18-0x0000000074B90000-0x0000000075340000-memory.dmp

memory/1588-19-0x0000000005DC0000-0x0000000005E26000-memory.dmp

memory/1588-20-0x0000000074B90000-0x0000000075340000-memory.dmp

memory/1588-21-0x0000000074B90000-0x0000000075340000-memory.dmp

memory/1588-22-0x0000000005D70000-0x0000000005D7A000-memory.dmp

memory/1588-23-0x00000000065F0000-0x0000000006B94000-memory.dmp

memory/1588-24-0x0000000006140000-0x00000000061D2000-memory.dmp