Malware Analysis Report

2024-09-11 10:20

Sample ID: 240707-hx6wrswgln
Target: New-Client.exe
SHA256: 1bf99ff57e5e9ce74f1e53fb0642e40b5b100642e8c901ca8791e43e4f777941
Tags: limerat, rat
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 1bf99ff57e5e9ce74f1e53fb0642e40b5b100642e8c901ca8791e43e4f777941

Threat Level: Known bad

The file New-Client.exe was found to be: Known bad.

Malicious Activity Summary

limerat rat

Limerat family

LimeRAT

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-07 07:07

Signatures

Limerat family

limerat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-07 07:07

Reported

2024-07-07 07:08

Platform

win11-20240704-en

Max time kernel

30s

Max time network

38s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New-Client.exe"

Signatures

LimeRAT

rat limerat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\sdfagre\aidb.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\sdfagre\aidb.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\sdfagre\aidb.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New-Client.exe

"C:\Users\Admin\AppData\Local\Temp\New-Client.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\sdfagre\aidb.exe'"

C:\Users\Admin\sdfagre\aidb.exe

"C:\Users\Admin\sdfagre\aidb.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | pastebin.com | udp
US | 172.67.19.24:443 | pastebin.com | tcp
US | 172.67.19.24:443 | pastebin.com | tcp
US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp
US | 172.67.19.24:443 | pastebin.com | tcp
US | 172.67.19.24:443 | pastebin.com | tcp
US | 172.67.19.24:443 | pastebin.com | tcp
US | 172.67.19.24:443 | pastebin.com | tcp

Files

memory/336-0-0x000000007444E000-0x000000007444F000-memory.dmp

memory/336-1-0x0000000000820000-0x000000000082C000-memory.dmp

memory/336-2-0x00000000052C0000-0x000000000535C000-memory.dmp

memory/336-3-0x00000000053D0000-0x0000000005436000-memory.dmp

memory/336-4-0x0000000074440000-0x0000000074BF1000-memory.dmp

memory/336-5-0x00000000060B0000-0x0000000006656000-memory.dmp

C:\Users\Admin\sdfagre\aidb.exe

MD5: 84da46d931269545f71141e7b44c78b6
SHA1: 72468bc577e9642e0f2c30cfe8b298c019f92a60
SHA256: 1bf99ff57e5e9ce74f1e53fb0642e40b5b100642e8c901ca8791e43e4f777941
SHA512: 8f897acd0b559d407ec2d9a4985f0579e14b58b9e4b2d252a62d0e433eb34549cf64918da1b799afe90e98e6098915805c3bfe3917df3895d3feba03dccb372b

memory/3488-15-0x0000000074440000-0x0000000074BF1000-memory.dmp

memory/336-16-0x0000000074440000-0x0000000074BF1000-memory.dmp

memory/3488-17-0x0000000074440000-0x0000000074BF1000-memory.dmp