Overview

overview

10

Static

static

10

New-Client.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    164s
  • max time network
    165s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    29-08-2024 03:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New-Client.exe

  • Size

    28KB

  • MD5

    c322b88311ba91359d759090203972de

  • SHA1

    090597f413486ac26c76e804d4ad1fd75ab75cfc

  • SHA256

    94ac06213f18172bfc549d04695c55937b8c25c8a578458841bf45fcc0bfed38

  • SHA512

    839b677c15a87237f6eeb6fb9c2c6a400c569761b4d67d5291472b12bb6110c740c139c048f456b96421c6d56cac1f70fb24abecd80b8f3d02b08609fc88504b

  • SSDEEP

    384:7B+Sbj6NKYPpC6BZAH9i05qDOhY1xlvvDKNrCeJE3WNg5ze5V+qgcvuHQro3lcrH:lpYPo6BZw9ThYzlH45NPD06j

Score
10/10
limeratdiscoveryrat

Malware Config

Extracted

Family

limerat

Attributes
  • aes_key

    1

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/NfVNxzHF

  • delay

    3

  • download_payload

    false

  • install

    true

  • install_name

    WinSession.exe

  • main_folder

    AppData

  • pin_spread

    false

  • sub_folder

    \SystemWinSession\

  • usb_spread

    false

Signatures

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

    ratlimerat
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\New-Client.exe
    "C:\Users\Admin\AppData\Local\Temp\New-Client.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\SystemWinSession\WinSession.exe'"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:5012
    • C:\Users\Admin\AppData\Roaming\SystemWinSession\WinSession.exe
      "C:\Users\Admin\AppData\Roaming\SystemWinSession\WinSession.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4368

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\SystemWinSession\WinSession.exe
    Filesize

    28KB

    MD5

    c322b88311ba91359d759090203972de

    SHA1

    090597f413486ac26c76e804d4ad1fd75ab75cfc

    SHA256

    94ac06213f18172bfc549d04695c55937b8c25c8a578458841bf45fcc0bfed38

    SHA512

    839b677c15a87237f6eeb6fb9c2c6a400c569761b4d67d5291472b12bb6110c740c139c048f456b96421c6d56cac1f70fb24abecd80b8f3d02b08609fc88504b

    Download Submit

  • memory/1268-0-0x0000000074F1E000-0x0000000074F1F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1268-1-0x00000000004C0000-0x00000000004CC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1268-2-0x0000000004F70000-0x000000000500C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1268-3-0x0000000005010000-0x0000000005076000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1268-4-0x0000000074F10000-0x00000000756C1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1268-5-0x0000000005BF0000-0x0000000006196000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1268-17-0x0000000074F10000-0x00000000756C1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4368-15-0x0000000074F10000-0x00000000756C1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4368-16-0x0000000074F10000-0x00000000756C1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4368-18-0x0000000074F10000-0x00000000756C1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4368-19-0x0000000074F10000-0x00000000756C1000-memory.dmp

    Filesize

    7.7MB

    Download