General
-
Target
BLTools.exe
-
Size
29KB
-
Sample
241117-e27gbazras
-
MD5
3a946215b3e2a3d8de77764e999a0eb0
-
SHA1
af6a6d609a095abc66c753f02b0cb1bc739e6362
-
SHA256
9f790fcb2105613d714b4adcb34572d0bba62d2f6dbf72b22bb054779695b05e
-
SHA512
f769b23b1b69eda41caa4021f0eb189ffb832ab65e90f527893af63cd9e893be61522e3ffaca9d76ba09d3fb0638622b212e097e884d747a32a0ccbbdc8deb4f
-
SSDEEP
384:TB+Sbj6NKoxA6bcAHL054fqDghmq61avDKNrCeJE3WNgr50dAkCtQro3lc6rxsjr:dpoS6bcwLwqhC1445N86dIR+j
Behavioral task
behavioral1
Sample
BLTools.exe
Resource
win7-20241010-en
Malware Config
Extracted
limerat
bc1q0gmdxcfwzc5wnfpk36nmvuyqnuhz775nzlassz
-
aes_key
hakai
-
antivm
true
-
c2_url
https://pastebin.com/raw/GmxD75vS
-
delay
5
-
download_payload
false
-
install
true
-
install_name
MSVCHOST.exe
-
main_folder
AppData
-
pin_spread
true
-
sub_folder
\Microsoftt\
-
usb_spread
true
Extracted
limerat
-
antivm
false
-
c2_url
https://pastebin.com/raw/GmxD75vS
-
download_payload
false
-
install
false
-
pin_spread
false
-
usb_spread
false
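Worked example added here (not part of the sandbox report and not the malware's own code): the two extracted configs above give enough to hunt for this sample on a host and in proxy logs. The script turns the first config into the expected drop path (main_folder "AppData" is read as %APPDATA%, and the Roaming profile path, the user name "victim" and the proxy log lines are constructed for the demo), checks a file's digests against the hashes listed above, and flags pastebin raw fetches, marking the configured c2_url. The second config has install false, so the path builder returns None for it. Note the sub_folder "Microsoftt", a Microsoft lookalike with a doubled t; that misspelling is what makes the drop path worth hunting for.

```python
"""Host/log triage helper derived from the LimeRAT config extracted above.

Added example for this report; not the sandbox's or the malware's own code.
Values marked CONSTRUCTED are made up so the script runs offline.
"""
import hashlib
import re

# IOCs taken directly from the report above.
SAMPLE_HASHES = {
    "md5": "3a946215b3e2a3d8de77764e999a0eb0",
    "sha1": "af6a6d609a095abc66c753f02b0cb1bc739e6362",
    "sha256": "9f790fcb2105613d714b4adcb34572d0bba62d2f6dbf72b22bb054779695b05e",
}

# First extracted config (install true); the second has install false.
LIMERAT_CONFIG = {
    "install": True,
    "main_folder": "AppData",
    "sub_folder": "\\Microsoftt\\",
    "install_name": "MSVCHOST.exe",
    "c2_url": "https://pastebin.com/raw/GmxD75vS",
}

# CONSTRUCTED proxy log lines for the demo (not from the sandbox run).
PROXY_LOG = [
    "2024-11-17T10:01:02Z 10.0.0.12 GET https://www.microsoft.com/ 200",
    "2024-11-17T10:01:07Z 10.0.0.12 GET https://pastebin.com/raw/GmxD75vS 200",
    "2024-11-17T10:02:33Z 10.0.0.12 GET https://pastebin.com/raw/abc123 200",
]


def build_install_path(cfg, appdata=r"C:\Users\victim\AppData\Roaming"):
    """Expected drop location once `install` is true, else None.

    Assumption: main_folder "AppData" means %APPDATA%; the report does not
    say whether Roaming or Local is meant, so the caller can pass either.
    sub_folder is stripped of its surrounding backslashes so the join does
    not produce a doubled separator.
    """
    if not cfg.get("install"):
        return None
    sub = cfg["sub_folder"].strip("\\")
    return "\\".join([appdata, sub, cfg["install_name"]])


def hash_bytes(data):
    """MD5/SHA1/SHA256 of a byte string, keyed like SAMPLE_HASHES."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_sample(data, known=SAMPLE_HASHES):
    """True if any digest of `data` equals one of the known digests."""
    got = hash_bytes(data)
    return any(got[algo] == digest for algo, digest in known.items())


# Any pastebin raw fetch; the configured C2 is a subset of these.
C2_RE = re.compile(r"https?://pastebin\.com/raw/[A-Za-z0-9]+", re.I)


def find_c2_hits(log_lines, c2_url):
    """Return (line_no, url, is_configured_c2) for every pastebin raw fetch.

    Non-configured raw fetches are still reported: the paste id can change
    between builds while the hosting pattern stays the same.
    """
    hits = []
    for n, line in enumerate(log_lines, 1):
        for url in C2_RE.findall(line):
            hits.append((n, url, url.lower() == c2_url.lower()))
    return hits


if __name__ == "__main__":
    print("expected drop path:", build_install_path(LIMERAT_CONFIG))
    blob = b"MZ\x90\x00 CONSTRUCTED stand-in, not the real sample"
    print("constructed blob matches report hashes:", matches_sample(blob))
    for n, url, exact in find_c2_hits(PROXY_LOG, LIMERAT_CONFIG["c2_url"]):
        tag = "<-- configured C2" if exact else "(other pastebin raw fetch)"
        print(f"proxy line {n}: {url} {tag}")
```

To use it on a real host, read the file at the path build_install_path returns and pass its bytes to matches_sample; a hash mismatch with the path present still deserves a look, since the drop name and folder are config-driven and outlive any single build.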
Targets
-
Target
BLTools.exe
-
Size
29KB
-
MD5
3a946215b3e2a3d8de77764e999a0eb0
-
SHA1
af6a6d609a095abc66c753f02b0cb1bc739e6362
-
SHA256
9f790fcb2105613d714b4adcb34572d0bba62d2f6dbf72b22bb054779695b05e
-
SHA512
f769b23b1b69eda41caa4021f0eb189ffb832ab65e90f527893af63cd9e893be61522e3ffaca9d76ba09d3fb0638622b212e097e884d747a32a0ccbbdc8deb4f
-
SSDEEP
384:TB+Sbj6NKoxA6bcAHL054fqDghmq61avDKNrCeJE3WNgr50dAkCtQro3lc6rxsjr:dpoS6bcwLwqhC1445N86dIR+j
-
Limerat family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Legitimate hosting services abused for malware hosting/C2
-