Malware Analysis Report

2024-09-11 10:20

Sample ID 240704-vvgv3sscpb
Target RatTesting.zip
SHA256 7d0608d6ae56de15aa0acc4942e7f2aebd232bba4e48d867bad9ce46776b3fd3
Tags
limerat xenorat rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7d0608d6ae56de15aa0acc4942e7f2aebd232bba4e48d867bad9ce46776b3fd3

Threat Level: Known bad

The file RatTesting.zip was found to be: Known bad.

Malicious Activity Summary

limerat xenorat rat trojan

Limerat family

XenorRat

Xenorat family

LimeRAT

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-04 17:18

Signatures

Limerat family

limerat

Xenorat family

xenorat

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-07-04 17:18

Reported

2024-07-04 17:22

Platform

win7-20240508-en

Max time kernel

127s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe"

Signatures

LimeRAT

rat limerat

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe

"C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 147.185.221.20:3069 tcp

Files

memory/2012-0-0x00000000743BE000-0x00000000743BF000-memory.dmp

memory/2012-1-0x0000000000D80000-0x0000000000D8C000-memory.dmp

memory/2012-2-0x00000000743B0000-0x0000000074A9E000-memory.dmp

memory/2012-3-0x00000000743BE000-0x00000000743BF000-memory.dmp

memory/2012-4-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-04 17:18

Reported

2024-07-04 17:21

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe"

Signatures

LimeRAT

rat limerat

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe

"C:\Users\Admin\AppData\Local\Temp\Rat Testing\Lime Rat.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp

Files

memory/2160-0-0x00000000751FE000-0x00000000751FF000-memory.dmp

memory/2160-1-0x0000000000800000-0x000000000080C000-memory.dmp

memory/2160-2-0x0000000005180000-0x000000000521C000-memory.dmp

memory/2160-3-0x0000000005220000-0x0000000005286000-memory.dmp

memory/2160-4-0x00000000751F0000-0x00000000759A0000-memory.dmp

memory/2160-5-0x0000000005E60000-0x0000000006404000-memory.dmp

memory/2160-6-0x00000000751FE000-0x00000000751FF000-memory.dmp

memory/2160-7-0x00000000751F0000-0x00000000759A0000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-04 17:18

Reported

2024-07-04 17:21

Platform

win7-20240419-en

Max time kernel

149s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Rat Testing\Xeno Rat.exe"

Signatures

XenorRat

trojan rat xenorat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rat Testing\Xeno Rat.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Rat Testing\Xeno Rat.exe

"C:\Users\Admin\AppData\Local\Temp\Rat Testing\Xeno Rat.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "Console" /XML "C:\Users\Admin\AppData\Local\Temp\tmp58C.tmp" /F

Network

Country Destination Domain Proto
US 147.185.221.20:3403 tcp

Files

memory/2288-0-0x0000000073FBE000-0x0000000073FBF000-memory.dmp

memory/2288-1-0x00000000000A0000-0x00000000000B2000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe

MD5 5bf8a2aeedfb1123eb10af5e0f0e3302
SHA1 cdb9c4090f4ff8b9a5d94eaae30c15f4916e177a
SHA256 bf0927a0af35c23071466397ab21b38951d5847a4c7dda419d83a1a98183b12f
SHA512 3fa42409cea75c32b6323567fd7f03f10fd220fd73a93e4ba4d6bf998b228377e404d1a050f32e952b742c8d89a7e2384c14129608814711e285bfad33024983

memory/2112-9-0x0000000000200000-0x0000000000212000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp58C.tmp

MD5 0e29fbc9d75d451bb7b67f39780c4a90
SHA1 e1029b49a55d95816055da478445478d019b8683
SHA256 34268bc2fe7b655c624dfba5e5740aa5d8c816d13e917a46211c746ae4ab8bf9
SHA512 817216c5022e6faee6ef3f35f57d6e7d1238333c461c6dffc2c77f332a670ea0e772f2f910e45ef76c36427bec36f16c55e2fb9ce11f11e0a465c3980e6f1a1c

memory/2112-12-0x0000000073FB0000-0x000000007469E000-memory.dmp

memory/2112-13-0x0000000073FB0000-0x000000007469E000-memory.dmp

memory/2112-14-0x0000000073FB0000-0x000000007469E000-memory.dmp

memory/2112-15-0x0000000073FB0000-0x000000007469E000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-04 17:18

Reported

2024-07-04 17:21

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Rat Testing\Xeno Rat.exe"

Signatures

XenorRat

trojan rat xenorat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Rat Testing\Xeno Rat.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Rat Testing\Xeno Rat.exe

"C:\Users\Admin\AppData\Local\Temp\Rat Testing\Xeno Rat.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "Console" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4585.tmp" /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 147.185.221.20:3403 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/2152-0-0x000000007522E000-0x000000007522F000-memory.dmp

memory/2152-1-0x0000000000680000-0x0000000000692000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\Xeno Rat.exe

MD5 5bf8a2aeedfb1123eb10af5e0f0e3302
SHA1 cdb9c4090f4ff8b9a5d94eaae30c15f4916e177a
SHA256 bf0927a0af35c23071466397ab21b38951d5847a4c7dda419d83a1a98183b12f
SHA512 3fa42409cea75c32b6323567fd7f03f10fd220fd73a93e4ba4d6bf998b228377e404d1a050f32e952b742c8d89a7e2384c14129608814711e285bfad33024983

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Xeno Rat.exe.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

memory/3112-18-0x0000000075220000-0x00000000759D0000-memory.dmp

memory/3112-17-0x0000000075220000-0x00000000759D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4585.tmp

MD5 0e29fbc9d75d451bb7b67f39780c4a90
SHA1 e1029b49a55d95816055da478445478d019b8683
SHA256 34268bc2fe7b655c624dfba5e5740aa5d8c816d13e917a46211c746ae4ab8bf9
SHA512 817216c5022e6faee6ef3f35f57d6e7d1238333c461c6dffc2c77f332a670ea0e772f2f910e45ef76c36427bec36f16c55e2fb9ce11f11e0a465c3980e6f1a1c

memory/3112-19-0x0000000075220000-0x00000000759D0000-memory.dmp