General
Target: HWID Changer by SILENQER.rar
Size: 1.2MB
Sample: 241123-wbtwzavqbj
MD5: 9618195bdd5dec9818ecdca58f3fedfc
SHA1: 3d27be6df4268a85fd11b81c3612f4b416e8528a
SHA256: 078f237e95224e906f03b4920f9b42e82ce461f7ea86505eaa45f4de26aa4f65
SHA512: f3d6bd7f106a424aa70e28119a9bb9d775db18f295af8682ca4345e8078a8d06aa501b4c2c8276d73cd247d61b5c36d404c97c077795fbedeb6a5dd961668286
SSDEEP: 24576:MejLlIfi99BFfJwJjNE8MoOGx4+RuV6wFmW5llN+LSi50B/m8:MIlOpq8MoJ14VBFm+MLcB/P
Static task: static1
Behavioral task behavioral1: HWID Changer by SILENQER/HWID Changer.exe (resource win7-20240903-en)
Behavioral task behavioral2: HWID Changer by SILENQER/HWID Changer.exe (resource win7-20241010-en)
Behavioral task behavioral3: HWID Changer by SILENQER/compreg/Ionic.Zip.dll (resource win10v2004-20241007-en)
Behavioral task behavioral4: HWID Changer by SILENQER/compreg/Ionic.Zip.dll (resource win7-20240903-en)
Behavioral task behavioral5: HWID Changer by SILENQER/compreg/Launcher.exe (resource win10ltsc2021-20241023-en)
Behavioral task behavioral6: HWID Changer by SILENQER/compreg/Launcher.exe (resource win7-20240903-en)
Behavioral task behavioral7: HWID Changer by SILENQER/compreg/config.exe (resource win7-20240903-en)
Malware Config
Extracted: limerat
aes_key: Remcos
antivm: false
c2_url: https://pastebin.com/raw/fBSseKkF
delay: 3
download_payload: false
install: false
install_name: Wservices.exe
main_folder: Temp
pin_spread: false
sub_folder: \
usb_spread: false
Extracted: limerat
antivm: false
c2_url: https://pastebin.com/raw/fBSseKkF
download_payload: false
install: false
pin_spread: false
usb_spread: false
Targets
Target: HWID Changer by SILENQER/HWID Changer.exe
Size: 237KB
MD5: aee0ba7c69ab3449557a52ed4e6fe7db
SHA1: a9700d9644b4f88f9d8232096719f1428402c8b1
SHA256: 2e93d89eefb4edf698d8f695c93efe3e797c01655af6194b5c0d566f37a365fd
SHA512: ed0af7dbb27d10e47661c6d6fcea0753fb423f012f47bc2ea6b11bb8fdfe699e1f2cf482248450553d5813c894460bca4de51e655c216e08a87ac805108bf8b5
SSDEEP: 3072:r4llGPkV6jW+tKFh36Lv+GSBADfBZRBadxlv:r6lGsMrETGmALon
Score: 10/10
Signatures:
- Limerat family
- Command and Scripting Interpreter: PowerShell (runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes)
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
Target: HWID Changer by SILENQER/compreg/Ionic.Zip.dll
Size: 480KB
MD5: f6933bf7cee0fd6c80cdf207ff15a523
SHA1: 039eeb1169e1defe387c7d4ca4021bce9d11786d
SHA256: 17bb0c9be45289a2be56a5f5a68ec9891d7792b886e0054bc86d57fe84d01c89
SHA512: 88675512daa41e17ce4daf6ca764ccb17cd9633a7c2b7545875089cae60f6918909a947f3b1692d16ec5fa209e18e84bc0ff3594f72c3e677a6cca9f3a70b8d6
SSDEEP: 6144:OhagC/Mq25o9sXGtSV41OJDsTDDVUMle6ZjxLV/kHu4Bht79I9:iagxWS4msNUCe65fkHdBf9
Score: 1/10
Target: HWID Changer by SILENQER/compreg/Launcher.exe
Size: 53KB
MD5: c6d4c881112022eb30725978ecd7c6ec
SHA1: ba4f96dc374195d873b3eebdb28b633d9a1c5bf5
SHA256: 0d87b9b141a592711c52e7409ec64de3ab296cddc890be761d9af57cea381b32
SHA512: 3bece10b65dfda69b6defbf50d067a59d1cd1db403547fdf28a4cbc87c4985a4636acfcff8300bd77fb91f2693084634d940a91517c33b5425258835ab990981
SSDEEP: 768:FKtnBTTQi/YqMFlVt52ftDhKeoNzZq8OujxUu5XEAb4b9yvMzUV5:qBTUgYFveDRuFEAb4b99QV5
Score: 8/10
Signatures:
- Command and Scripting Interpreter: PowerShell (runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes)
- Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
Target: HWID Changer by SILENQER/compreg/config.exe
Size: 1.1MB
MD5: fa841009c24985df81baae7d44f3e3ee
SHA1: aebdcf268615a1de7f330bed68edd3a3a86e244e
SHA256: 793601e28e74f3850b8ea2ae83f87d34ad6d469e2ff334b8987f414aab8577b4
SHA512: 1d58d842d4572029aa2887a289edf19e8e33e2b5e3d387fcab4470535cd4cfb45b44d1f8bae8798ffd1a45e089510b52b9925402cb5648e5a10889705cfd41f9
SSDEEP: 24576:eR+cl7X1BRnI6hmebbe1dEt8QR04TG8Ev4P0D6epjKXwzG3X8MHf3VDTXK:a+clb1BRntmeXKd9Q3G85sDzpOXoE8x
Signatures:
- Limerat family
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Execution: Command and Scripting Interpreter: PowerShell (1); Scheduled Task/Job: Scheduled Task (1)
Persistence: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1); Scheduled Task/Job: Scheduled Task (1)
Privilege Escalation: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1); Scheduled Task/Job: Scheduled Task (1)