limerat | d99dedb3618aaea300fa808f064259936cfae5d2dc21bc81df341fa4844e4b9c

Analysis

max time kernel
35s
max time network
42s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2024 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New-Client.exe
Size

28KB
MD5

188d5753f08ca54e3c7fdc9b891a8f0f
SHA1

119088b50777be2505894049acbcb4c37da8e4f4
SHA256

d99dedb3618aaea300fa808f064259936cfae5d2dc21bc81df341fa4844e4b9c
SHA512

a16c5cf29b52d096aeafbdb008f21b7567abab5847af8a4aef5517632170a70528bcd929c9fdc9ef7ddfcdec3f5e91175afcac2c198539826ad69d6f52ee7c6d
SSDEEP

384:AB+Sbj6NKcxg67XAHiHQ1/qDTw3YdRcB9vDKNrCeJE3WNgGwErqp9wl538UQro3W:Opcy67Xwm3cYdR0945NjwwqnmWj

Score

10^/10

limerat discovery rat

Malware Config

Extracted

Family

limerat

Wallets

bc1qtfd9ujlsq8k4uexe9z0mmp2wy8zx2d9arh2u7y

Attributes

aes_key
impecable
antivm
false
c2_url
https://pastebin.com/raw/EvUj72TT
delay
3
download_payload
false
install
false
install_name
Wservices.exe
main_folder
Temp
pin_spread
false
sub_folder
\
usb_spread
false

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/EvUj72TT
download_payload
false
install
false
pin_spread
false
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

17 pastebin.com
18 pastebin.com
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

New-Client.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language New-Client.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

New-Client.exe

description pid process

Token: SeDebugPrivilege 1000 New-Client.exe
Token: SeDebugPrivilege 1000 New-Client.exe

flow	ioc
17	pastebin.com
18	pastebin.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New-Client.exe

description	pid	process
Token: SeDebugPrivilege	1000	New-Client.exe
Token: SeDebugPrivilege	1000	New-Client.exe

C:\Users\Admin\AppData\Local\Temp\New-Client.exe
"C:\Users\Admin\AppData\Local\Temp\New-Client.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1000-0-0x00000000749DE000-0x00000000749DF000-memory.dmp

Filesize
4KB

Download
memory/1000-1-0x0000000000D30000-0x0000000000D3C000-memory.dmp

Filesize
48KB

Download
memory/1000-2-0x00000000056E0000-0x000000000577C000-memory.dmp

Filesize
624KB

Download
memory/1000-3-0x00000000057B0000-0x0000000005816000-memory.dmp

Filesize
408KB

Download
memory/1000-4-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/1000-5-0x0000000006500000-0x0000000006AA4000-memory.dmp

Filesize
5.6MB

Download
memory/1000-6-0x0000000006AB0000-0x0000000006B42000-memory.dmp

Filesize
584KB

Download
memory/1000-7-0x00000000749DE000-0x00000000749DF000-memory.dmp

Filesize
4KB

Download
memory/1000-8-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads