limerat | 5b2941d26b47833b3928efdab43e61be1cc14eb45e9aa5ad47bad0938a8e5b83

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2024 01:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b2941d26b47833b3928efdab43e61be1cc14eb45e9aa5ad47bad0938a8e5b83.exe
Size

28KB
MD5

b6168161262ecab927e7f242a8205217
SHA1

af58d73d8e6448fda100e2b39e8f88519d6739ee
SHA256

5b2941d26b47833b3928efdab43e61be1cc14eb45e9aa5ad47bad0938a8e5b83
SHA512

d6d695ff173a00e515674a06de45437d8d6bc3d58345cdf5fb9679514393b7d85c24ae91156d03aefdc317b630966e1127421026e93fb2b204522116bd2d807a
SSDEEP

384:5B+Sbj6NKTpC6BZAHaMHeqDM9FrGBC5wvDKNrCeJE3WNgu5bVv2fRm5H84Qro3l0:TpTo6BZwaN9FqB6+45N/5h+fSFmj

Score

10^/10

limerat discovery rat

Malware Config

Extracted

Family

limerat

Wallets

bc1qtfd9ujlsq8k4uexe9z0mmp2wy8zx2d9arh2u7y

Attributes

aes_key
impecable
antivm
true
c2_url
https://pastebin.com/raw/DDTVwwbu
delay
3
download_payload
false
install
false
install_name
Wservices.exe
main_folder
Temp
pin_spread
false
sub_folder
\
usb_spread
false

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/DDTVwwbu
download_payload
false
install
false
pin_spread
false
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

15 pastebin.com
16 pastebin.com

flow	ioc
15	pastebin.com
16	pastebin.com

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

5b2941d26b47833b3928efdab43e61be1cc14eb45e9aa5ad47bad0938a8e5b83.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5b2941d26b47833b3928efdab43e61be1cc14eb45e9aa5ad47bad0938a8e5b83.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

5b2941d26b47833b3928efdab43e61be1cc14eb45e9aa5ad47bad0938a8e5b83.exe

description	pid	process
Token: SeDebugPrivilege	2572	5b2941d26b47833b3928efdab43e61be1cc14eb45e9aa5ad47bad0938a8e5b83.exe
Token: SeDebugPrivilege	2572	5b2941d26b47833b3928efdab43e61be1cc14eb45e9aa5ad47bad0938a8e5b83.exe

C:\Users\Admin\AppData\Local\Temp\5b2941d26b47833b3928efdab43e61be1cc14eb45e9aa5ad47bad0938a8e5b83.exe
"C:\Users\Admin\AppData\Local\Temp\5b2941d26b47833b3928efdab43e61be1cc14eb45e9aa5ad47bad0938a8e5b83.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2572-0-0x000000007528E000-0x000000007528F000-memory.dmp

Filesize
4KB

Download
memory/2572-1-0x0000000000310000-0x000000000031C000-memory.dmp

Filesize
48KB

Download
memory/2572-2-0x0000000004C90000-0x0000000004D2C000-memory.dmp

Filesize
624KB

Download
memory/2572-3-0x0000000004D30000-0x0000000004D96000-memory.dmp

Filesize
408KB

Download
memory/2572-4-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download
memory/2572-5-0x0000000005AA0000-0x0000000006044000-memory.dmp

Filesize
5.6MB

Download
memory/2572-6-0x00000000061F0000-0x0000000006282000-memory.dmp

Filesize
584KB

Download
memory/2572-7-0x000000007528E000-0x000000007528F000-memory.dmp

Filesize
4KB

Download
memory/2572-8-0x0000000075280000-0x0000000075A30000-memory.dmp

Filesize
7.7MB

Download