Analysis
-
max time kernel
39s -
max time network
35s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
18-11-2024 01:37
General
-
Target
BLTools 2.5 by Lukyy.exe
-
Size
95KB
-
MD5
e6df3f5026e18a97eb35edf5c0e495c9
-
SHA1
ca6735634fb04ee28e71cab27fb1fe1de150315e
-
SHA256
538edc7ac07999b9551153f7db6a90b7a4ba95cd0307d1e617a3ecde2d486d73
-
SHA512
1eb49e6b47688c5352936926ec1e07afbc6012613067da183425976b6114bb28178008a9f88b337d3c53948a41d69fd63935a4dcc0dd01399205428d6e13107e
-
SSDEEP
768:6pRS6bcwLoR9hy245NLxW+FjJ0eSvH9ZcTyrzgEhR2nsCt7CNFd7mic2knK+:6p5cwL4IXfxb1nC9ZcKOsCtKjb+
Malware Config
Extracted
limerat
bc1q0gmdxcfwzc5wnfpk36nmvuyqnuhz775nzlassz
-
aes_key
hakai
-
antivm
true
-
c2_url
https://pastebin.com/raw/CpekHPPQ
-
delay
5
-
download_payload
false
-
install
true
-
install_name
Microsoft.exe
-
main_folder
AppData
-
pin_spread
false
-
sub_folder
\Microsoft\
-
usb_spread
false
Extracted
limerat
-
antivm
false
-
c2_url
https://pastebin.com/raw/CpekHPPQ
-
download_payload
false
-
install
false
-
pin_spread
false
-
usb_spread
false
Signatures
-
LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
-
Limerat family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\BLTools 2.5 by Lukyy.exe"C:\Users\Admin\AppData\Local\Temp\BLTools 2.5 by Lukyy.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Microsoft.exe'"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Microsoft.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Microsoft.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD5e6df3f5026e18a97eb35edf5c0e495c9
SHA1ca6735634fb04ee28e71cab27fb1fe1de150315e
SHA256538edc7ac07999b9551153f7db6a90b7a4ba95cd0307d1e617a3ecde2d486d73
SHA5121eb49e6b47688c5352936926ec1e07afbc6012613067da183425976b6114bb28178008a9f88b337d3c53948a41d69fd63935a4dcc0dd01399205428d6e13107e
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
624KB
-
Filesize
120KB