limerat | 13a21602d5f5fceadfb7e45828fe76a44dc2dab2932fed665938715af574be9d

General

Target

MuRra1N Installer.exe
Size

15.7MB
MD5

037ac0e6baf12a5eaf477c48fe923f2e
SHA1

19cadd63865579f4f7ceee970c731d9ff0e5a20a
SHA256

13a21602d5f5fceadfb7e45828fe76a44dc2dab2932fed665938715af574be9d
SHA512

70f80fc9bd3c9b163d694376b294619810099146b09b0bf479e5435001758bbe9450ba72766e4cdb873e68c205d9f85df6fc4129f33f7043fc90f86bc4c4e5b0
SSDEEP

393216:5NqIqvpE65+X2WPccsW9DM27doT6VWD2Ln9CDuIuLGgvKcE:50i6UmGM27mmsAn9C6fGgv/

Score

10^/10

Malware Config

Signatures

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/4720-2-0x000000000B890000-0x000000000CBFE000-memory.dmp	disable_win_def
behavioral1/memory/436-48-0x00000000002A0000-0x0000000001316000-memory.dmp	disable_win_def
behavioral1/memory/436-49-0x00000000002A0000-0x0000000001316000-memory.dmp	disable_win_def

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MuRra1N.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MuRra1N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MuRra1N.exe

Executes dropped EXE 1 IoCs

pid	Process
436	MuRra1N.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Wine	MuRra1N.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	iplogger.org
9	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
436	MuRra1N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	MuRra1N Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	MuRra1N Installer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4720	MuRra1N Installer.exe
4720	MuRra1N Installer.exe
436	MuRra1N.exe
436	MuRra1N.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4720	MuRra1N Installer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4720	MuRra1N Installer.exe
Token: SeDebugPrivilege	436	MuRra1N.exe
Token: 33	4016	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4016	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
436	MuRra1N.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
436	MuRra1N.exe

C:\Users\Admin\AppData\Local\Temp\MuRra1N Installer.exe
"C:\Users\Admin\AppData\Local\Temp\MuRra1N Installer.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4720

C:\Users\Admin\Downloads\MuRra1N.exe
"C:\Users\Admin\Downloads\MuRra1N.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:436

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\7f259fe638f74961afe0902f8e73485f /t 2100 /p 436
1⤵
PID:4048

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004D0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Downloads\MISC\PORTS.dat

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Users\Admin\Downloads\Misc\GeoIP.dat

Filesize
1.2MB

MD5
8ef41798df108ce9bd41382c9721b1c9

SHA1
1e6227635a12039f4d380531b032bf773f0e6de0

SHA256
bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740

SHA512
4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b

Download Submit
C:\Users\Admin\Downloads\MuRra1N.exe

Filesize
9.8MB

MD5
29cfe05afad44fdbc83fa3671891688f

SHA1
429de9b3429abd612c7c8343614c62e17ff4130b

SHA256
1479cd2a1a05c905f63483a40d9ec251f044161a81fb585e4d7d469b7bc291af

SHA512
c749c45924d4059f30ba918b31856cea7b6c74e4ebd982dc2dd05c3de3a30014ac38e45eeb796c447450bb07e02c2da00c61126709995ff4ff3bf0266ad842e5

Download Submit
C:\Users\Admin\Downloads\MuRra1N.exe.config

Filesize
9KB

MD5
1d1c996b6ff660cdb29884546d94d7f5

SHA1
259123cf0e5bfeba4a44704858751042f1b036c4

SHA256
7ed841b0dfa126544b3f115a70584a2a6b0e3772b937ae1f3217339cbdf899c7

SHA512
825e1ad2696d1516714c619a1a2187ffa3b34dd4d6d231ed7d2abb1493fdbc601417935ac8ac7d7abecf6ad920210a88d5a8c1831d4194392aa0f771c6e63e58

Download Submit
memory/436-66-0x000000000D7A0000-0x000000000DAF7000-memory.dmp

Filesize
3.3MB

Download
memory/436-55-0x00000000002A0000-0x0000000001316000-memory.dmp

Filesize
16.5MB

Download
memory/436-52-0x000000000AF10000-0x000000000AF76000-memory.dmp

Filesize
408KB

Download
memory/436-51-0x0000000007EC0000-0x0000000007F16000-memory.dmp

Filesize
344KB

Download
memory/436-50-0x0000000007E30000-0x0000000007E3A000-memory.dmp

Filesize
40KB

Download
memory/436-49-0x00000000002A0000-0x0000000001316000-memory.dmp

Filesize
16.5MB

Download
memory/436-48-0x00000000002A0000-0x0000000001316000-memory.dmp

Filesize
16.5MB

Download
memory/436-46-0x00000000002A0000-0x0000000001316000-memory.dmp

Filesize
16.5MB

Download
memory/4720-7-0x0000000009190000-0x0000000009198000-memory.dmp

Filesize
32KB

Download
memory/4720-8-0x0000000075050000-0x0000000075801000-memory.dmp

Filesize
7.7MB

Download
memory/4720-14-0x0000000075050000-0x0000000075801000-memory.dmp

Filesize
7.7MB

Download
memory/4720-15-0x0000000075050000-0x0000000075801000-memory.dmp

Filesize
7.7MB

Download
memory/4720-43-0x0000000075050000-0x0000000075801000-memory.dmp

Filesize
7.7MB

Download
memory/4720-12-0x000000007505E000-0x000000007505F000-memory.dmp

Filesize
4KB

Download
memory/4720-11-0x0000000075050000-0x0000000075801000-memory.dmp

Filesize
7.7MB

Download
memory/4720-10-0x000000000A4A0000-0x000000000A4AE000-memory.dmp

Filesize
56KB

Download
memory/4720-9-0x000000000A4E0000-0x000000000A518000-memory.dmp

Filesize
224KB

Download
memory/4720-13-0x0000000075050000-0x0000000075801000-memory.dmp

Filesize
7.7MB

Download
memory/4720-0-0x000000007505E000-0x000000007505F000-memory.dmp

Filesize
4KB

Download
memory/4720-6-0x0000000009010000-0x00000000090A2000-memory.dmp

Filesize
584KB

Download
memory/4720-5-0x0000000008CD0000-0x0000000008D6C000-memory.dmp

Filesize
624KB

Download
memory/4720-4-0x00000000091A0000-0x0000000009746000-memory.dmp

Filesize
5.6MB

Download
memory/4720-3-0x0000000075050000-0x0000000075801000-memory.dmp

Filesize
7.7MB

Download
memory/4720-2-0x000000000B890000-0x000000000CBFE000-memory.dmp

Filesize
19.4MB

Download
memory/4720-1-0x0000000000B10000-0x0000000001AC6000-memory.dmp

Filesize
15.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads