limerat | d6b4addbbc47751482b51bed504f390734bcb23f96936314a8a91e8dcfe47878

General

Target

IDM Crack ver_rar.scr
Size

374KB
MD5

fb829a18b62699e01513a237707de26f
SHA1

b52801a885e81570724c681f639aba188e3241e2
SHA256

c80bc3e65ac5ef54a14ccd38165fdce161ca5caae8c2c0dbc17deb7134b177f2
SHA512

1fe630ae89e02243e2a595129c8763fbb1063491ee11c8ce7819eb37e88dc2fbf5ee6a780099341da8c75510131745db67a56cf6548e05096200cdeb001b9388
SSDEEP

6144:kcxBAVFqZOt58d2cBbz0tcyVPeqPRgetQjQCItnWUTusvy00uWiqNCf:L/AViOn84cBv0XWiQjQCItn/ouW9C

Score

10^/10

limerat discovery persistence rat

Malware Config

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/DDTVwwbu
download_payload
false
install
false
pin_spread
false
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Executes dropped EXE 2 IoCs

Processes:

winlogon.exemsedgeupdate.exe

pid process

1888 winlogon.exe
4408 msedgeupdate.exe

pid	process
1888	winlogon.exe
4408	msedgeupdate.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msedgeupdate.exewinlogon.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\chrome.exe = "C:\\Users\\Admin\\AppData\\Local\\chrome.exe"	msedgeupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\chrome.exe = "C:\\Users\\Admin\\AppData\\Local\\chrome.exe"	winlogon.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

2 pastebin.com
3 pastebin.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
2	pastebin.com
3	pastebin.com

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

IDM Crack ver_rar.scrwinlogon.exeschtasks.exemsedgeupdate.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IDM Crack ver_rar.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msedgeupdate.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2756 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

msedgeupdate.exe

description pid process

Token: SeDebugPrivilege 4408 msedgeupdate.exe
Token: SeDebugPrivilege 4408 msedgeupdate.exe

pid	process
2756	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	4408	msedgeupdate.exe
Token: SeDebugPrivilege	4408	msedgeupdate.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

IDM Crack ver_rar.scrwinlogon.exe

description	pid	process	target process
PID 3320 wrote to memory of 1888	3320	IDM Crack ver_rar.scr	winlogon.exe
PID 3320 wrote to memory of 1888	3320	IDM Crack ver_rar.scr	winlogon.exe
PID 3320 wrote to memory of 1888	3320	IDM Crack ver_rar.scr	winlogon.exe
PID 1888 wrote to memory of 2756	1888	winlogon.exe	schtasks.exe
PID 1888 wrote to memory of 2756	1888	winlogon.exe	schtasks.exe
PID 1888 wrote to memory of 2756	1888	winlogon.exe	schtasks.exe
PID 1888 wrote to memory of 4408	1888	winlogon.exe	msedgeupdate.exe
PID 1888 wrote to memory of 4408	1888	winlogon.exe	msedgeupdate.exe
PID 1888 wrote to memory of 4408	1888	winlogon.exe	msedgeupdate.exe

C:\Users\Admin\AppData\Local\Temp\IDM Crack ver_rar.scr
"C:\Users\Admin\AppData\Local\Temp\IDM Crack ver_rar.scr" /S
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Users\Admin\AppData\Local\winlogon.exe
  "C:\Users\Admin\AppData\Local\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\Edge\msedgeupdate.exe'"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2756
- - C:\Users\Admin\AppData\Roaming\Edge\msedgeupdate.exe
    "C:\Users\Admin\AppData\Roaming\Edge\msedgeupdate.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\OghCENl

Filesize
198KB

MD5
d1f66cf79d708e8b7916c46ceced613c

SHA1
8704e6c27104c8344d0a97943777dfd574825bda

SHA256
9eba4d4b7a922a73633eba001b3b60de23d7b9e15617a72db6e08687f4238cf7

SHA512
cc58bb6a7de043d35e8cf5ef2bbdcae885558937bab43b81c4777da14a33d4540954ddb010a0b2e9e108d07f4122565dc25e033ff9074383f596a5995c3e4405

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
374KB

MD5
fb829a18b62699e01513a237707de26f

SHA1
b52801a885e81570724c681f639aba188e3241e2

SHA256
c80bc3e65ac5ef54a14ccd38165fdce161ca5caae8c2c0dbc17deb7134b177f2

SHA512
1fe630ae89e02243e2a595129c8763fbb1063491ee11c8ce7819eb37e88dc2fbf5ee6a780099341da8c75510131745db67a56cf6548e05096200cdeb001b9388

Download Submit
memory/1888-9-0x0000000073400000-0x00000000739B0000-memory.dmp

Filesize
5.7MB

Download
memory/1888-11-0x0000000073400000-0x00000000739B0000-memory.dmp

Filesize
5.7MB

Download
memory/1888-22-0x0000000073400000-0x00000000739B0000-memory.dmp

Filesize
5.7MB

Download
memory/3320-0-0x0000000073401000-0x0000000073402000-memory.dmp

Filesize
4KB

Download
memory/3320-1-0x0000000073400000-0x00000000739B0000-memory.dmp

Filesize
5.7MB

Download
memory/3320-2-0x0000000073400000-0x00000000739B0000-memory.dmp

Filesize
5.7MB

Download
memory/3320-10-0x0000000073400000-0x00000000739B0000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads