limerat | f81bc717944ec8a599c8276d9d3b1de4b995d5570139590d263b39e47e87ba3d

Analysis

max time kernel
266s
max time network
294s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
01-11-2024 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xdwd.exe
Size

25KB
MD5

aae04417cc07c39988d4fbe0e85fc9bd
SHA1

2d51b49f8f1faeba674dd0993911e8f65b4d2258
SHA256

f81bc717944ec8a599c8276d9d3b1de4b995d5570139590d263b39e47e87ba3d
SHA512

53cc6468da9be1f4a3cc3089b1ed6a7544eb5cc5f91ae8dc1390688ffe10ad9aff1df224a5cd936276440ee95cb4afcaec7cf4f63332297864179c3266560dfb
SSDEEP

384:EB+Sbj6NKIPw6LZhAHt2vTh34EnWb5j4kDhlzCTJEUmNYEYQro3lcOjsjr:CpI46Lnwt4aE+RHtN8oj

Score

10^/10

limerat credential_access discovery evasion persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

limerat

Attributes

aes_key
1337
antivm
false
c2_url
https://pastebin.com/raw/rACMKa5f
delay
3
download_payload
false
install
true
install_name
xdwd.exe
main_folder
AppData
pin_spread
false
sub_folder
\xdwd\
usb_spread
true

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/rACMKa5f
download_payload
false
install
false
pin_spread
false
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Limerat family
limerat
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2560	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation	xdwd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation	xdwd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation	xdwd.exe

Executes dropped EXE 3 IoCs

pid	Process
2084	xdwd.exe
3092	xdwd.exe
4532	RDPWInst.exe

Loads dropped DLL 1 IoCs

pid	Process
6112	svchost.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
53	raw.githubusercontent.com
54	raw.githubusercontent.com
19	pastebin.com
20	pastebin.com
40	pastebin.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\rfxvmt.dll	RDPWInst.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdwd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdwd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdwd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
636	schtasks.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
2084	xdwd.exe
2084	xdwd.exe
2084	xdwd.exe
2084	xdwd.exe
2084	xdwd.exe
2084	xdwd.exe
3092	xdwd.exe
3092	xdwd.exe
3092	xdwd.exe
3092	xdwd.exe
3092	xdwd.exe
3092	xdwd.exe
3092	xdwd.exe
3092	xdwd.exe
3092	xdwd.exe
3092	xdwd.exe
3092	xdwd.exe
3092	xdwd.exe
3092	xdwd.exe
3092	xdwd.exe
3092	xdwd.exe
3092	xdwd.exe
3092	xdwd.exe
3092	xdwd.exe
3092	xdwd.exe
3092	xdwd.exe
3092	xdwd.exe
3092	xdwd.exe
3092	xdwd.exe
3092	xdwd.exe
3092	xdwd.exe
3092	xdwd.exe
3092	xdwd.exe
6112	svchost.exe
6112	svchost.exe
6112	svchost.exe
6112	svchost.exe
3092	xdwd.exe
3092	xdwd.exe
3092	xdwd.exe
3092	xdwd.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
668	Process not Found
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	xdwd.exe
Token: SeDebugPrivilege	2084	xdwd.exe
Token: SeDebugPrivilege	3092	xdwd.exe
Token: SeDebugPrivilege	3092	xdwd.exe
Token: SeDebugPrivilege	4532	RDPWInst.exe
Token: SeAuditPrivilege	6112	svchost.exe
Token: SeAuditPrivilege	6112	svchost.exe
Token: SeAuditPrivilege	6112	svchost.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 636	1924	xdwd.exe	87
PID 1924 wrote to memory of 636	1924	xdwd.exe	87
PID 1924 wrote to memory of 636	1924	xdwd.exe	87
PID 1924 wrote to memory of 2084	1924	xdwd.exe	89
PID 1924 wrote to memory of 2084	1924	xdwd.exe	89
PID 1924 wrote to memory of 2084	1924	xdwd.exe	89
PID 2084 wrote to memory of 3092	2084	xdwd.exe	94
PID 2084 wrote to memory of 3092	2084	xdwd.exe	94
PID 2084 wrote to memory of 3092	2084	xdwd.exe	94
PID 3092 wrote to memory of 2844	3092	xdwd.exe	95
PID 3092 wrote to memory of 2844	3092	xdwd.exe	95
PID 3092 wrote to memory of 2844	3092	xdwd.exe	95
PID 2844 wrote to memory of 4532	2844	cmd.exe	97
PID 2844 wrote to memory of 4532	2844	cmd.exe	97
PID 2844 wrote to memory of 4532	2844	cmd.exe	97
PID 4532 wrote to memory of 2560	4532	RDPWInst.exe	100
PID 4532 wrote to memory of 2560	4532	RDPWInst.exe	100

C:\Users\Admin\AppData\Local\Temp\xdwd.exe
"C:\Users\Admin\AppData\Local\Temp\xdwd.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\xdwd\xdwd.exe'"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:636
- C:\Users\Admin\AppData\Roaming\xdwd\xdwd.exe
  "C:\Users\Admin\AppData\Roaming\xdwd\xdwd.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Users\Admin\AppData\Roaming\xdwd\xdwd.exe
    "C:\Users\Admin\AppData\Roaming\xdwd\xdwd.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3092
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C RDPWInst.exe -i -o
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Users\Admin\AppData\Local\Temp\RDPWInst.exe
        
        RDPWInst.exe -i -o
        5⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4532
      - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2560

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:3100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\RDP Wrapper\rdpwrap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\xdwd.exe.log

Filesize
709B

MD5
2db0f6be9407032cd5037e8df1199f9f

SHA1
953224694eca90c5e325f4dec9d7280df229c635

SHA256
9631391854af05a31514d6d87f0ac19b9b4e966e9ba2a17d23ebea3f0f9dfb43

SHA512
958327e527f6e75fb25782ae769ec0862131eef7fcc83ed00be215db0a3442f3620bf8f8067132375cdd632d1ce44e3999604ca554cfb7025129150c1ce73403

Download Submit
C:\Users\Admin\AppData\Local\Temp\RDPWInst.exe

Filesize
1.4MB

MD5
3288c284561055044c489567fd630ac2

SHA1
11ffeabbe42159e1365aa82463d8690c845ce7b7

SHA256
ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753

SHA512
c25b28a340a23a9fa932aa95075f85fdd61880f29ef96f5179097b652f69434e0f1f8825e2648b2a0de1f4b0f9b8373080a22117974fcdf44112906d330fca02

Download Submit
C:\Users\Admin\AppData\Roaming\xdwd\xdwd.exe

Filesize
25KB

MD5
aae04417cc07c39988d4fbe0e85fc9bd

SHA1
2d51b49f8f1faeba674dd0993911e8f65b4d2258

SHA256
f81bc717944ec8a599c8276d9d3b1de4b995d5570139590d263b39e47e87ba3d

SHA512
53cc6468da9be1f4a3cc3089b1ed6a7544eb5cc5f91ae8dc1390688ffe10ad9aff1df224a5cd936276440ee95cb4afcaec7cf4f63332297864179c3266560dfb

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.ini

Filesize
128KB

MD5
dddd741ab677bdac8dcd4fa0dda05da2

SHA1
69d328c70046029a1866fd440c3e4a63563200f9

SHA256
7d5655d5ec4defc2051aa5f582fac1031b142040c8eea840ff88887fe27b7668

SHA512
6106252c718f7ca0486070c6f6c476bd47e6ae6a799cffd3fb437a5ce2b2a904e9cbe17342351353c594d7a8ae0ef0327752ff977dee1e69f0be7dc8e55cf4ec

Download Submit
memory/1924-0-0x000000007473E000-0x000000007473F000-memory.dmp

Filesize
4KB

Download
memory/1924-1-0x00000000000E0000-0x00000000000EC000-memory.dmp

Filesize
48KB

Download
memory/1924-2-0x0000000004A80000-0x0000000004B1C000-memory.dmp

Filesize
624KB

Download
memory/1924-3-0x0000000004B20000-0x0000000004B86000-memory.dmp

Filesize
408KB

Download
memory/1924-4-0x0000000074730000-0x0000000074EE1000-memory.dmp

Filesize
7.7MB

Download
memory/1924-5-0x0000000005720000-0x0000000005CC6000-memory.dmp

Filesize
5.6MB

Download
memory/1924-19-0x0000000074730000-0x0000000074EE1000-memory.dmp

Filesize
7.7MB

Download
memory/2084-23-0x0000000074730000-0x0000000074EE1000-memory.dmp

Filesize
7.7MB

Download
memory/2084-22-0x0000000074730000-0x0000000074EE1000-memory.dmp

Filesize
7.7MB

Download
memory/2084-25-0x00000000079A0000-0x00000000079BE000-memory.dmp

Filesize
120KB

Download
memory/2084-26-0x00000000077A0000-0x00000000077AC000-memory.dmp

Filesize
48KB

Download
memory/2084-28-0x0000000074730000-0x0000000074EE1000-memory.dmp

Filesize
7.7MB

Download
memory/2084-20-0x0000000074730000-0x0000000074EE1000-memory.dmp

Filesize
7.7MB

Download
memory/2084-21-0x0000000074730000-0x0000000074EE1000-memory.dmp

Filesize
7.7MB

Download
memory/2084-24-0x0000000007900000-0x0000000007992000-memory.dmp

Filesize
584KB

Download
memory/3092-31-0x0000000002990000-0x00000000029A2000-memory.dmp

Filesize
72KB

Download
memory/3092-34-0x0000000006610000-0x00000000067F0000-memory.dmp

Filesize
1.9MB

Download
memory/3092-35-0x0000000005460000-0x00000000054C6000-memory.dmp

Filesize
408KB

Download
memory/3092-32-0x00000000029C0000-0x00000000029CE000-memory.dmp

Filesize
56KB

Download
memory/3092-30-0x0000000007880000-0x0000000007DAC000-memory.dmp

Filesize
5.2MB

Download
memory/3092-29-0x0000000007110000-0x0000000007122000-memory.dmp

Filesize
72KB

Download
memory/4532-55-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download