General

  • Target

    e513eb020887dd56e85e55803b1afccb24ae116380947993da2e88a71e97be14.exe

  • Size

    364KB

  • Sample

    241006-nkjhlawcma

  • MD5

    259572ceada05b5940a3d81727e1bbb9

  • SHA1

    e2306dbbe659272bf699668ed266cd402e4d0d31

  • SHA256

    e513eb020887dd56e85e55803b1afccb24ae116380947993da2e88a71e97be14

  • SHA512

    d41bce00fdf7af762fb45d7a49df612de721af91461898d462d82358ad90e074539453b7b84cde9675d999534ee784258b0f14465bcf3716cd87c13405cccbcf

  • SSDEEP

    6144:nyTcXNIwt7tpWseWcp/Fmo6TAoqmDGclo:nWcHobZ5TT

Score
10/10

Malware Config

Extracted

Family

limerat

Wallets

15o2GcScWkMTUHBbLS2pdvaYbEAs46pEuu

Attributes
  • aes_key

    NadaNasser@1212

  • antivm

    true

  • c2_url

    https://pastebin.com/raw/YRNWGBMr

  • delay

    3

  • download_payload

    false

  • install

    true

  • install_name

    document autorisation.exe

  • main_folder

    Temp

  • pin_spread

    true

  • sub_folder

    \folder\

  • usb_spread

    true

Extracted

Family

limerat

Attributes
  • antivm

    false

  • c2_url

    https://pastebin.com/raw/YRNWGBMr

  • download_payload

    false

  • install

    false

  • pin_spread

    false

  • usb_spread

    false

Targets

    • Target

      e513eb020887dd56e85e55803b1afccb24ae116380947993da2e88a71e97be14.exe

    • Size

      364KB

    • MD5

      259572ceada05b5940a3d81727e1bbb9

    • SHA1

      e2306dbbe659272bf699668ed266cd402e4d0d31

    • SHA256

      e513eb020887dd56e85e55803b1afccb24ae116380947993da2e88a71e97be14

    • SHA512

      d41bce00fdf7af762fb45d7a49df612de721af91461898d462d82358ad90e074539453b7b84cde9675d999534ee784258b0f14465bcf3716cd87c13405cccbcf

    • SSDEEP

      6144:nyTcXNIwt7tpWseWcp/Fmo6TAoqmDGclo:nWcHobZ5TT

    Score
    10/10
    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

MITRE ATT&CK Enterprise v15

Tasks