General

  • Target

    HWID Changer by SILENQER.rar

  • Size

    1.2MB

  • Sample

    241123-wbtwzavqbj

  • MD5

    9618195bdd5dec9818ecdca58f3fedfc

  • SHA1

    3d27be6df4268a85fd11b81c3612f4b416e8528a

  • SHA256

    078f237e95224e906f03b4920f9b42e82ce461f7ea86505eaa45f4de26aa4f65

  • SHA512

    f3d6bd7f106a424aa70e28119a9bb9d775db18f295af8682ca4345e8078a8d06aa501b4c2c8276d73cd247d61b5c36d404c97c077795fbedeb6a5dd961668286

  • SSDEEP

    24576:MejLlIfi99BFfJwJjNE8MoOGx4+RuV6wFmW5llN+LSi50B/m8:MIlOpq8MoJ14VBFm+MLcB/P

Malware Config

Extracted

Family

limerat

Attributes
  • aes_key

    Remcos

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/fBSseKkF

  • delay

    3

  • download_payload

    false

  • install

    false

  • install_name

    Wservices.exe

  • main_folder

    Temp

  • pin_spread

    false

  • sub_folder

    \

  • usb_spread

    false

Extracted

Family

limerat

Attributes
  • antivm

    false

  • c2_url

    https://pastebin.com/raw/fBSseKkF

  • download_payload

    false

  • install

    false

  • pin_spread

    false

  • usb_spread

    false

Targets

    • Target

      HWID Changer by SILENQER/HWID Changer.exe

    • Size

      237KB

    • MD5

      aee0ba7c69ab3449557a52ed4e6fe7db

    • SHA1

      a9700d9644b4f88f9d8232096719f1428402c8b1

    • SHA256

      2e93d89eefb4edf698d8f695c93efe3e797c01655af6194b5c0d566f37a365fd

    • SHA512

      ed0af7dbb27d10e47661c6d6fcea0753fb423f012f47bc2ea6b11bb8fdfe699e1f2cf482248450553d5813c894460bca4de51e655c216e08a87ac805108bf8b5

    • SSDEEP

      3072:r4llGPkV6jW+tKFh36Lv+GSBADfBZRBadxlv:r6lGsMrETGmALon

    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Limerat family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    • Target

      HWID Changer by SILENQER/compreg/Ionic.Zip.dll

    • Size

      480KB

    • MD5

      f6933bf7cee0fd6c80cdf207ff15a523

    • SHA1

      039eeb1169e1defe387c7d4ca4021bce9d11786d

    • SHA256

      17bb0c9be45289a2be56a5f5a68ec9891d7792b886e0054bc86d57fe84d01c89

    • SHA512

      88675512daa41e17ce4daf6ca764ccb17cd9633a7c2b7545875089cae60f6918909a947f3b1692d16ec5fa209e18e84bc0ff3594f72c3e677a6cca9f3a70b8d6

    • SSDEEP

      6144:OhagC/Mq25o9sXGtSV41OJDsTDDVUMle6ZjxLV/kHu4Bht79I9:iagxWS4msNUCe65fkHdBf9

    Score
    1/10
    • Target

      HWID Changer by SILENQER/compreg/Launcher.exe

    • Size

      53KB

    • MD5

      c6d4c881112022eb30725978ecd7c6ec

    • SHA1

      ba4f96dc374195d873b3eebdb28b633d9a1c5bf5

    • SHA256

      0d87b9b141a592711c52e7409ec64de3ab296cddc890be761d9af57cea381b32

    • SHA512

      3bece10b65dfda69b6defbf50d067a59d1cd1db403547fdf28a4cbc87c4985a4636acfcff8300bd77fb91f2693084634d940a91517c33b5425258835ab990981

    • SSDEEP

      768:FKtnBTTQi/YqMFlVt52ftDhKeoNzZq8OujxUu5XEAb4b9yvMzUV5:qBTUgYFveDRuFEAb4b99QV5

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      HWID Changer by SILENQER/compreg/config.exe

    • Size

      1.1MB

    • MD5

      fa841009c24985df81baae7d44f3e3ee

    • SHA1

      aebdcf268615a1de7f330bed68edd3a3a86e244e

    • SHA256

      793601e28e74f3850b8ea2ae83f87d34ad6d469e2ff334b8987f414aab8577b4

    • SHA512

      1d58d842d4572029aa2887a289edf19e8e33e2b5e3d387fcab4470535cd4cfb45b44d1f8bae8798ffd1a45e089510b52b9925402cb5648e5a10889705cfd41f9

    • SSDEEP

      24576:eR+cl7X1BRnI6hmebbe1dEt8QR04TG8Ev4P0D6epjKXwzG3X8MHf3VDTXK:a+clb1BRntmeXKd9Q3G85sDzpOXoE8x

    Score
    10/10
    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Limerat family

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks