Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe	N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe

"C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe"

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	pastebin.com	udp
US	104.20.3.235:443	pastebin.com	tcp
US	147.185.221.20:3069		tcp
US	147.185.221.20:3069		tcp
US	147.185.221.20:3069		tcp
US	147.185.221.20:3069		tcp
US	147.185.221.20:3069		tcp
US	147.185.221.20:3069		tcp

Files

memory/2012-0-0x00000000743BE000-0x00000000743BF000-memory.dmp

memory/2012-1-0x0000000000D80000-0x0000000000D8C000-memory.dmp

memory/2012-2-0x00000000743B0000-0x0000000074A9E000-memory.dmp

memory/2012-3-0x00000000743BE000-0x00000000743BF000-memory.dmp

memory/2012-4-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-04 17:18

Reported

2024-07-04 17:21

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe"

Signatures

LimeRAT

rat limerat

Legitimate hosting services abused for malware hosting/C2

Description	Indicator	Process	Target
N/A	pastebin.com	N/A	N/A
N/A	pastebin.com	N/A	N/A
N/A	pastebin.com	N/A	N/A
N/A	pastebin.com	N/A	N/A
N/A	pastebin.com	N/A	N/A
N/A	pastebin.com	N/A	N/A
N/A	pastebin.com	N/A	N/A
N/A	pastebin.com	N/A	N/A
N/A	pastebin.com	N/A	N/A
N/A	pastebin.com	N/A	N/A
N/A	pastebin.com	N/A	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe	N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe

"C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe"

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	8.8.8.8.in-addr.arpa	udp
US	8.8.8.8:53	pastebin.com	udp
US	8.8.8.8:53	pastebin.com	udp
US	8.8.8.8:53	pastebin.com	udp
US	8.8.8.8:53	pastebin.com	udp
US	8.8.8.8:53	pastebin.com	udp
US	8.8.8.8:53	pastebin.com	udp
US	8.8.8.8:53	pastebin.com	udp
US	8.8.8.8:53	pastebin.com	udp
US	8.8.8.8:53	pastebin.com	udp
US	8.8.8.8:53	pastebin.com	udp
US	8.8.8.8:53	pastebin.com	udp

Files

memory/2160-0-0x00000000751FE000-0x00000000751FF000-memory.dmp

memory/2160-1-0x0000000000800000-0x000000000080C000-memory.dmp

memory/2160-2-0x0000000005180000-0x000000000521C000-memory.dmp

memory/2160-3-0x0000000005220000-0x0000000005286000-memory.dmp

memory/2160-4-0x00000000751F0000-0x00000000759A0000-memory.dmp

memory/2160-5-0x0000000005E60000-0x0000000006404000-memory.dmp

memory/2160-6-0x00000000751FE000-0x00000000751FF000-memory.dmp

memory/2160-7-0x00000000751F0000-0x00000000759A0000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-04 17:18

Reported

2024-07-04 17:21

Platform

win7-20240419-en

Max time kernel

149s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Rat Testing\Xeno Rat.exe"

Signatures

XenorRat

trojan rat xenorat

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe	N/A

Loads dropped DLL

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\Rat Testing\Xeno Rat.exe	N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2288 wrote to memory of 2112	N/A	C:\Users\Admin\AppData\Local\Temp\Rat Testing\Xeno Rat.exe	C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe
PID 2288 wrote to memory of 2112	N/A	C:\Users\Admin\AppData\Local\Temp\Rat Testing\Xeno Rat.exe	C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe
PID 2288 wrote to memory of 2112	N/A	C:\Users\Admin\AppData\Local\Temp\Rat Testing\Xeno Rat.exe	C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe
PID 2288 wrote to memory of 2112	N/A	C:\Users\Admin\AppData\Local\Temp\Rat Testing\Xeno Rat.exe	C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe
PID 2112 wrote to memory of 2368	N/A	C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2112 wrote to memory of 2368	N/A	C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2112 wrote to memory of 2368	N/A	C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2112 wrote to memory of 2368	N/A	C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe	C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Rat Testing\Xeno Rat.exe

"C:\Users\Admin\AppData\Local\Temp\Rat Testing\Xeno Rat.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "Console" /XML "C:\Users\Admin\AppData\Local\Temp\tmp58C.tmp" /F

Network

Country	Destination	Domain	Proto
US	147.185.221.20:3403		tcp
US	147.185.221.20:3403		tcp
US	147.185.221.20:3403		tcp
US	147.185.221.20:3403		tcp
US	147.185.221.20:3403		tcp

Files

memory/2288-0-0x0000000073FBE000-0x0000000073FBF000-memory.dmp

memory/2288-1-0x00000000000A0000-0x00000000000B2000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe

MD5	5bf8a2aeedfb1123eb10af5e0f0e3302
SHA1	cdb9c4090f4ff8b9a5d94eaae30c15f4916e177a
SHA256	bf0927a0af35c23071466397ab21b38951d5847a4c7dda419d83a1a98183b12f
SHA512	3fa42409cea75c32b6323567fd7f03f10fd220fd73a93e4ba4d6bf998b228377e404d1a050f32e952b742c8d89a7e2384c14129608814711e285bfad33024983

memory/2112-9-0x0000000000200000-0x0000000000212000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp58C.tmp

MD5	0e29fbc9d75d451bb7b67f39780c4a90
SHA1	e1029b49a55d95816055da478445478d019b8683
SHA256	34268bc2fe7b655c624dfba5e5740aa5d8c816d13e917a46211c746ae4ab8bf9
SHA512	817216c5022e6faee6ef3f35f57d6e7d1238333c461c6dffc2c77f332a670ea0e772f2f910e45ef76c36427bec36f16c55e2fb9ce11f11e0a465c3980e6f1a1c

memory/2112-12-0x0000000073FB0000-0x000000007469E000-memory.dmp

memory/2112-13-0x0000000073FB0000-0x000000007469E000-memory.dmp

memory/2112-14-0x0000000073FB0000-0x000000007469E000-memory.dmp

memory/2112-15-0x0000000073FB0000-0x000000007469E000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-04 17:18

Reported

2024-07-04 17:21

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Rat Testing\Xeno Rat.exe"

Signatures

XenorRat

trojan rat xenorat

Checks computer location settings

Description	Indicator	Process	Target
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Local\Temp\Rat Testing\Xeno Rat.exe	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe	N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2152 wrote to memory of 3112	N/A	C:\Users\Admin\AppData\Local\Temp\Rat Testing\Xeno Rat.exe	C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe
PID 2152 wrote to memory of 3112	N/A	C:\Users\Admin\AppData\Local\Temp\Rat Testing\Xeno Rat.exe	C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe
PID 2152 wrote to memory of 3112	N/A	C:\Users\Admin\AppData\Local\Temp\Rat Testing\Xeno Rat.exe	C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe
PID 3112 wrote to memory of 4896	N/A	C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3112 wrote to memory of 4896	N/A	C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3112 wrote to memory of 4896	N/A	C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe	C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Rat Testing\Xeno Rat.exe

"C:\Users\Admin\AppData\Local\Temp\Rat Testing\Xeno Rat.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "Console" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4585.tmp" /F

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	8.8.8.8.in-addr.arpa	udp
US	8.8.8.8:53	97.17.167.52.in-addr.arpa	udp
US	8.8.8.8:53	73.144.22.2.in-addr.arpa	udp
US	8.8.8.8:53	14.160.190.20.in-addr.arpa	udp
US	147.185.221.20:3403		tcp
US	8.8.8.8:53	217.106.137.52.in-addr.arpa	udp
US	8.8.8.8:53	26.165.165.52.in-addr.arpa	udp
US	8.8.8.8:53	198.187.3.20.in-addr.arpa	udp
US	147.185.221.20:3403		tcp
US	8.8.8.8:53	172.214.232.199.in-addr.arpa	udp
US	147.185.221.20:3403		tcp
US	8.8.8.8:53	172.210.232.199.in-addr.arpa	udp
US	8.8.8.8:53	11.227.111.52.in-addr.arpa	udp
US	147.185.221.20:3403		tcp
US	147.185.221.20:3403		tcp

Files

memory/2152-0-0x000000007522E000-0x000000007522F000-memory.dmp

memory/2152-1-0x0000000000680000-0x0000000000692000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe

MD5	5bf8a2aeedfb1123eb10af5e0f0e3302
SHA1	cdb9c4090f4ff8b9a5d94eaae30c15f4916e177a
SHA256	bf0927a0af35c23071466397ab21b38951d5847a4c7dda419d83a1a98183b12f
SHA512	3fa42409cea75c32b6323567fd7f03f10fd220fd73a93e4ba4d6bf998b228377e404d1a050f32e952b742c8d89a7e2384c14129608814711e285bfad33024983

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Xeno Rat.exe.log

MD5	916851e072fbabc4796d8916c5131092
SHA1	d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256	7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512	07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

memory/3112-18-0x0000000075220000-0x00000000759D0000-memory.dmp

memory/3112-17-0x0000000075220000-0x00000000759D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4585.tmp

MD5	0e29fbc9d75d451bb7b67f39780c4a90
SHA1	e1029b49a55d95816055da478445478d019b8683
SHA256	34268bc2fe7b655c624dfba5e5740aa5d8c816d13e917a46211c746ae4ab8bf9
SHA512	817216c5022e6faee6ef3f35f57d6e7d1238333c461c6dffc2c77f332a670ea0e772f2f910e45ef76c36427bec36f16c55e2fb9ce11f11e0a465c3980e6f1a1c

memory/3112-19-0x0000000075220000-0x00000000759D0000-memory.dmp

Sample ID	240704-vvgv3sscpb
Target	RatTesting.zip
SHA256	7d0608d6ae56de15aa0acc4942e7f2aebd232bba4e48d867bad9ce46776b3fd3
Tags	limerat xenorat rat trojan

Malware Analysis Report

2024-09-11 10:20

Table of Contents

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files