General
-
Target
Lime-MultiTool-main.zip
-
Size
8.5MB
-
Sample
241113-xjyqka1jdp
-
MD5
2527f8ae11ff8284413efbafd309eebe
-
SHA1
0448d5f8e6127247cf928e3bc5f8c36a4a6b7166
-
SHA256
d595ab589662812007b211536b921b25367411546fbda83d33fa7ef29e9e7d6c
-
SHA512
7b01d5e244ea7e55f3a0f71d4f2ce3be105b9d268190e9999bb32aca4017a5096b02fb3c04b4826a54906a6005de66ca949b4232f10161b6c4016a6a5d2249bc
-
SSDEEP
196608:qvtyXaw/YhZIIdyMGkXmyQscGZ0UDh9eAxcqctMy4yU:qFyqEqIIdyMGkXUscGFDh9eAxYlU
Behavioral task
behavioral1
Sample
Lime-MultiTool-main/src/main.py
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
Lime-MultiTool-main/src/utils/__pycache__/cpython-311.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Lime-MultiTool-main/start.bat
Resource
win10v2004-20241007-en
Malware Config
Extracted
xworm
45.83.246.140:30120
-
Install_directory
%AppData%
-
install_file
runtime.exe
Targets
-
-
Target
Lime-MultiTool-main/src/main.py
-
Size
10KB
-
MD5
20bf3cb36efe0d6892662a45305c513b
-
SHA1
5b07501a82e6fbdbc267f75ad86f5ad9de6b77ab
-
SHA256
4290ec5465d14f98801de3400e0cb078586b6e27bc4bf6c7a1f87de036e8a6c9
-
SHA512
d3d719cb129ff20a1a70bc072e30a2fa18f9813631983d3e08882c88859588e13d631ebf22d0e471de3142ac292b7efabc085310d8eecbaa99b8be1245cad83c
-
SSDEEP
192:MTqreYeTbvBTHF1Z0SQuHaNOVV583zcapKENphISRfm2fT2yUAtCrBC1b8bd4CyD:MToeTbvBTlXCa7bujRs8pWS+QinACIBP
Score3/10 -
-
-
Target
Lime-MultiTool-main/src/utils/__pycache__/cpython-311.pyc
-
Size
7.4MB
-
MD5
1a2ff293768d10b8c99d3cd2950164b9
-
SHA1
e9123a3d2a53b5f8d008db9608037dd0571f3cae
-
SHA256
3c09a37412bf3981e5d678b6598c2cdad32fcd6761fc649a50693ba45746e242
-
SHA512
ff8a853675431bc36d88288546d7f467f239ae2e4e7ef019476ac4ca06f715e88f201753d7201dbfacb3b6dca51be764036372de8a8c0def29e00ae5e9469941
-
SSDEEP
98304:FWeYgI6OshoKyDvuIYc5AhV+gEc4kZvRLoI0EJfNA3z5UTfHfyk6LK4dSI23o7yc:FPYmOshoKMuIkhVastRL5Di3tO/ys42O
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Blocklisted process makes network request
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Enumerates processes with tasklist
-
Hide Artifacts: Hidden Files and Directories
-
-
-
Target
Lime-MultiTool-main/start.bat
-
Size
30KB
-
MD5
288f9aa2144276b6994dbf5a69a8da59
-
SHA1
b860a86ca3c2b0bcd752c05a15d5bd745dfc506a
-
SHA256
dd9995205fe2cc6e42086f40327f1aa9a725d2912c7ce2d4cf0839d24baeafb4
-
SHA512
1b47bd833f192d7d7d014872f5cd8be54168a609cc50200dd9c2f290fae2185b8ef54e1fa47d3ca51fe158b294130c74913789781fedc5e1ab60b9a46e09d15f
-
SSDEEP
48:92ros7BK7cp3zI8FpIJp/4eai2gF9H2YHwvfol2+:92O4dI8ihXf
Score10/10-
Detect Xworm Payload
-
Xworm family
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Component Object Model Hijacking
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Component Object Model Hijacking
1Netsh Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
1Obfuscated Files or Information
1Command Obfuscation
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Discovery
Browser Information Discovery
1Peripheral Device Discovery
2Process Discovery
1Query Registry
5Remote System Discovery
1System Information Discovery
7System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
2Internet Connection Discovery
1Wi-Fi Discovery
1