limerat | ceca4ad3a264bb47c499b1fd9ac2d89e70ecda197164742be6e3c57d30a3bde7

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-06-2024 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

537A30BC79E3D7BEB31DA053F09D6F67.exe
Size

245KB
MD5

537a30bc79e3d7beb31da053f09d6f67
SHA1

d9dac6725bf93e9c700ab76601be7afd76a35193
SHA256

ceca4ad3a264bb47c499b1fd9ac2d89e70ecda197164742be6e3c57d30a3bde7
SHA512

987aad35c946117559411589cc4ea0cfd1d7fdced71f0ab71e520f0ace33224e71a938fd1b9d5bd9c60989e05594d78cbd2953d510b68e36204955019c26b032
SSDEEP

6144:qs1k2QWeQ8njlf1owqQzQOydT81lxBt25:TO3WeVpvcOye/xBt

Score

10^/10

limerat rat

Malware Config

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/6bPeUTd1
download_payload
false
install
false
pin_spread
false
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Executes dropped EXE 1 IoCs

pid	Process
2264	Plugin.exe

Loads dropped DLL 2 IoCs

pid	Process
1176	537A30BC79E3D7BEB31DA053F09D6F67.exe
1176	537A30BC79E3D7BEB31DA053F09D6F67.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com
6	0.tcp.sa.ngrok.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2624	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2264	Plugin.exe
2264	Plugin.exe
2264	Plugin.exe
2264	Plugin.exe
2264	Plugin.exe
2264	Plugin.exe
2264	Plugin.exe
2264	Plugin.exe
2264	Plugin.exe
2264	Plugin.exe
2264	Plugin.exe
2264	Plugin.exe
2264	Plugin.exe
2264	Plugin.exe
2264	Plugin.exe
2264	Plugin.exe
2264	Plugin.exe
2264	Plugin.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2264	Plugin.exe
Token: SeDebugPrivilege	2264	Plugin.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 2624	1176	537A30BC79E3D7BEB31DA053F09D6F67.exe	29
PID 1176 wrote to memory of 2624	1176	537A30BC79E3D7BEB31DA053F09D6F67.exe	29
PID 1176 wrote to memory of 2624	1176	537A30BC79E3D7BEB31DA053F09D6F67.exe	29
PID 1176 wrote to memory of 2624	1176	537A30BC79E3D7BEB31DA053F09D6F67.exe	29
PID 1176 wrote to memory of 2264	1176	537A30BC79E3D7BEB31DA053F09D6F67.exe	31
PID 1176 wrote to memory of 2264	1176	537A30BC79E3D7BEB31DA053F09D6F67.exe	31
PID 1176 wrote to memory of 2264	1176	537A30BC79E3D7BEB31DA053F09D6F67.exe	31
PID 1176 wrote to memory of 2264	1176	537A30BC79E3D7BEB31DA053F09D6F67.exe	31

C:\Users\Admin\AppData\Local\Temp\537A30BC79E3D7BEB31DA053F09D6F67.exe
"C:\Users\Admin\AppData\Local\Temp\537A30BC79E3D7BEB31DA053F09D6F67.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\System\Plugin.exe'"
  2⤵
  - Creates scheduled task(s)
  PID:2624
- C:\Users\Admin\AppData\Local\Temp\System\Plugin.exe
  "C:\Users\Admin\AppData\Local\Temp\System\Plugin.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\System\Plugin.exe

Filesize
245KB

MD5
537a30bc79e3d7beb31da053f09d6f67

SHA1
d9dac6725bf93e9c700ab76601be7afd76a35193

SHA256
ceca4ad3a264bb47c499b1fd9ac2d89e70ecda197164742be6e3c57d30a3bde7

SHA512
987aad35c946117559411589cc4ea0cfd1d7fdced71f0ab71e520f0ace33224e71a938fd1b9d5bd9c60989e05594d78cbd2953d510b68e36204955019c26b032

Download Submit
memory/1176-0-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

Filesize
4KB

Download
memory/1176-1-0x0000000000F40000-0x0000000000F84000-memory.dmp

Filesize
272KB

Download
memory/1176-2-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/1176-16-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/2264-13-0x00000000000A0000-0x00000000000E4000-memory.dmp

Filesize
272KB

Download
memory/2264-14-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/2264-15-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/2264-17-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/2264-18-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/2264-19-0x0000000000510000-0x000000000052E000-memory.dmp

Filesize
120KB

Download
memory/2264-20-0x0000000000370000-0x000000000037E000-memory.dmp

Filesize
56KB

Download