Analysis Overview
SHA256
63ab3ed97e8678fc1e018d9a82d94d70ca8e0aa575999dfe9c5bff6d6e32be8b
Threat Level: Known bad
The file 44fa1f9ac8f550bdf35405c89d1509f3.bin was found to be: Known bad.
Malicious Activity Summary
LimeRAT
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-11 02:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 02:04
Reported
2024-06-11 02:07
Platform
win7-20240221-en
Max time kernel
148s
Max time network
155s
Command Line
Signatures
LimeRAT
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Plugin.exe | C:\Users\Admin\AppData\Local\Temp\System\Plugin.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Plugin.dll.exe | C:\Users\Admin\AppData\Local\Temp\System\Plugin.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Plugin.dlls.exe | C:\Users\Admin\AppData\Local\Temp\System\Plugin.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\System\Plugin.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c9101aac915418735b74d5120cae0cdef803555d9a8399cf9ee5457d5c790513.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c9101aac915418735b74d5120cae0cdef803555d9a8399cf9ee5457d5c790513.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | 0.tcp.sa.ngrok.io | N/A | N/A |
| N/A | 0.tcp.sa.ngrok.io | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c9101aac915418735b74d5120cae0cdef803555d9a8399cf9ee5457d5c790513.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\System\Plugin.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\System\Plugin.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c9101aac915418735b74d5120cae0cdef803555d9a8399cf9ee5457d5c790513.exe
"C:\Users\Admin\AppData\Local\Temp\c9101aac915418735b74d5120cae0cdef803555d9a8399cf9ee5457d5c790513.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\System\Plugin.exe'"
C:\Users\Admin\AppData\Local\Temp\System\Plugin.exe
"C:\Users\Admin\AppData\Local\Temp\System\Plugin.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 0.tcp.sa.ngrok.io | udp |
| BR | 54.94.248.37:15257 | 0.tcp.sa.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.sa.ngrok.io | udp |
| BR | 18.229.146.63:15257 | 0.tcp.sa.ngrok.io | tcp |
Files
memory/1936-0-0x00000000745EE000-0x00000000745EF000-memory.dmp
memory/1936-1-0x0000000000870000-0x00000000008C0000-memory.dmp
memory/1936-2-0x00000000745E0000-0x0000000074CCE000-memory.dmp
memory/1936-3-0x00000000745E0000-0x0000000074CCE000-memory.dmp
\Users\Admin\AppData\Local\Temp\System\Plugin.exe
| MD5 | 44fa1f9ac8f550bdf35405c89d1509f3 |
| SHA1 | 6cd17ba8d06ef044fe6d788574a73d2522c3ae8a |
| SHA256 | c9101aac915418735b74d5120cae0cdef803555d9a8399cf9ee5457d5c790513 |
| SHA512 | 563f6300815482ce825eb2760bf63cbbdd3327b093a6d2648ffbc25365a9b9d62bd79564d106114a35ce188074615281c5487db65e0c4aa9764d7f7c226eb53a |
memory/1936-15-0x00000000745E0000-0x0000000074CCE000-memory.dmp
memory/2452-14-0x00000000012E0000-0x0000000001330000-memory.dmp
memory/2452-16-0x00000000745E0000-0x0000000074CCE000-memory.dmp
memory/2452-18-0x00000000745E0000-0x0000000074CCE000-memory.dmp
memory/2452-17-0x00000000745E0000-0x0000000074CCE000-memory.dmp
memory/2452-19-0x00000000745E0000-0x0000000074CCE000-memory.dmp
memory/2452-20-0x00000000745E0000-0x0000000074CCE000-memory.dmp
memory/2452-21-0x00000000745E0000-0x0000000074CCE000-memory.dmp
memory/2452-22-0x0000000000C20000-0x0000000000C3E000-memory.dmp
memory/2452-24-0x0000000000540000-0x000000000054E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 02:04
Reported
2024-06-11 02:07
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
LimeRAT
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c9101aac915418735b74d5120cae0cdef803555d9a8399cf9ee5457d5c790513.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Plugin.exe | C:\Users\Admin\AppData\Local\Temp\System\Plugin.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Plugin.dll.exe | C:\Users\Admin\AppData\Local\Temp\System\Plugin.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\System\Plugin.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | 0.tcp.sa.ngrok.io | N/A | N/A |
| N/A | 0.tcp.sa.ngrok.io | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c9101aac915418735b74d5120cae0cdef803555d9a8399cf9ee5457d5c790513.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\System\Plugin.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\System\Plugin.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c9101aac915418735b74d5120cae0cdef803555d9a8399cf9ee5457d5c790513.exe
"C:\Users\Admin\AppData\Local\Temp\c9101aac915418735b74d5120cae0cdef803555d9a8399cf9ee5457d5c790513.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Local\Temp\System\Plugin.exe'"
C:\Users\Admin\AppData\Local\Temp\System\Plugin.exe
"C:\Users\Admin\AppData\Local\Temp\System\Plugin.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.tcp.sa.ngrok.io | udp |
| BR | 18.231.93.153:15257 | 0.tcp.sa.ngrok.io | tcp |
| US | 8.8.8.8:53 | 153.93.231.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.tcp.sa.ngrok.io | udp |
| BR | 18.231.93.153:15257 | 0.tcp.sa.ngrok.io | tcp |
Files
memory/5032-0-0x00000000746AE000-0x00000000746AF000-memory.dmp
memory/5032-1-0x0000000000360000-0x00000000003B0000-memory.dmp
memory/5032-2-0x0000000004E70000-0x0000000004F0C000-memory.dmp
memory/5032-3-0x00000000746A0000-0x0000000074E50000-memory.dmp
memory/5032-4-0x00000000746A0000-0x0000000074E50000-memory.dmp
memory/5032-5-0x0000000004DE0000-0x0000000004E46000-memory.dmp
memory/5032-6-0x0000000005570000-0x0000000005602000-memory.dmp
memory/5032-7-0x0000000005BC0000-0x0000000006164000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\System\Plugin.exe
| MD5 | 44fa1f9ac8f550bdf35405c89d1509f3 |
| SHA1 | 6cd17ba8d06ef044fe6d788574a73d2522c3ae8a |
| SHA256 | c9101aac915418735b74d5120cae0cdef803555d9a8399cf9ee5457d5c790513 |
| SHA512 | 563f6300815482ce825eb2760bf63cbbdd3327b093a6d2648ffbc25365a9b9d62bd79564d106114a35ce188074615281c5487db65e0c4aa9764d7f7c226eb53a |
memory/5032-17-0x00000000746A0000-0x0000000074E50000-memory.dmp
memory/1808-18-0x00000000746A0000-0x0000000074E50000-memory.dmp
memory/1808-19-0x00000000746A0000-0x0000000074E50000-memory.dmp
memory/1808-20-0x00000000746A0000-0x0000000074E50000-memory.dmp
memory/1808-21-0x00000000746A0000-0x0000000074E50000-memory.dmp
memory/1808-22-0x00000000070A0000-0x00000000070BE000-memory.dmp
memory/1808-23-0x00000000746A0000-0x0000000074E50000-memory.dmp
memory/1808-24-0x0000000000BD0000-0x0000000000BDE000-memory.dmp
memory/1808-25-0x0000000007670000-0x0000000007B9C000-memory.dmp