Overview

overview

10

Static

static

3

537A30BC79...67.exe

windows7-x64

10

537A30BC79...67.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-06-2024 22:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    537A30BC79E3D7BEB31DA053F09D6F67.exe

  • Size

    245KB

  • MD5

    537a30bc79e3d7beb31da053f09d6f67

  • SHA1

    d9dac6725bf93e9c700ab76601be7afd76a35193

  • SHA256

    ceca4ad3a264bb47c499b1fd9ac2d89e70ecda197164742be6e3c57d30a3bde7

  • SHA512

    987aad35c946117559411589cc4ea0cfd1d7fdced71f0ab71e520f0ace33224e71a938fd1b9d5bd9c60989e05594d78cbd2953d510b68e36204955019c26b032

  • SSDEEP

    6144:qs1k2QWeQ8njlf1owqQzQOydT81lxBt25:TO3WeVpvcOye/xBt

Score
10/10
limeratrat

Malware Config

Extracted

Family

limerat

Attributes
  • antivm

    false

  • c2_url

    https://pastebin.com/raw/6bPeUTd1

  • download_payload

    false

  • install

    false

  • pin_spread

    false

  • usb_spread

    false

Signatures

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

    ratlimerat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\537A30BC79E3D7BEB31DA053F09D6F67.exe
    "C:\Users\Admin\AppData\Local\Temp\537A30BC79E3D7BEB31DA053F09D6F67.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1812
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\System\Plugin.exe'"
      2⤵
      • Creates scheduled task(s)
      PID:3700
    • C:\Users\Admin\AppData\Local\Temp\System\Plugin.exe
      "C:\Users\Admin\AppData\Local\Temp\System\Plugin.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1468

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\System\Plugin.exe
    Filesize

    245KB

    MD5

    537a30bc79e3d7beb31da053f09d6f67

    SHA1

    d9dac6725bf93e9c700ab76601be7afd76a35193

    SHA256

    ceca4ad3a264bb47c499b1fd9ac2d89e70ecda197164742be6e3c57d30a3bde7

    SHA512

    987aad35c946117559411589cc4ea0cfd1d7fdced71f0ab71e520f0ace33224e71a938fd1b9d5bd9c60989e05594d78cbd2953d510b68e36204955019c26b032

    Download Submit

  • memory/1468-20-0x0000000007650000-0x000000000766E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1468-19-0x0000000075080000-0x0000000075830000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1468-23-0x0000000007F00000-0x000000000842C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/1468-22-0x00000000076F0000-0x00000000076FE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1468-21-0x0000000075080000-0x0000000075830000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1468-16-0x0000000075080000-0x0000000075830000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1468-18-0x0000000007830000-0x00000000078C2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1468-17-0x0000000075080000-0x0000000075830000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1812-15-0x0000000075080000-0x0000000075830000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1812-3-0x0000000075080000-0x0000000075830000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1812-1-0x0000000000800000-0x0000000000844000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1812-0-0x000000007508E000-0x000000007508F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1812-5-0x0000000006050000-0x00000000065F4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1812-4-0x00000000051E0000-0x0000000005246000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1812-2-0x0000000005300000-0x000000000539C000-memory.dmp

    Filesize

    624KB

    Download