limerat | 18dfa73375b80be2a9651411bdd5c4735c9738af35f086f426584ee2776d9fa3

General

Target

New-Client.exe
Size

28KB
MD5

42dd04b2c91e0b8c4b6c676c0bf067bc
SHA1

8fb5c885299eb1fb4c93e76cc7172058a347c48b
SHA256

18dfa73375b80be2a9651411bdd5c4735c9738af35f086f426584ee2776d9fa3
SHA512

24cc5f837445c1ea3cb9c39f66186d2be23674444f6a46df296a4a0538aa5fa4bde6ad4251bc8adc74dfc5689576763e592d0713a303e8a2f7828b2bf4b34b2e
SSDEEP

384:GB+Sbj6NKsHU637AHteXnmqDvDj63XjUQvDKNrCeJE3WNgtTKNnqgqoXiuQro3li:8ps0637wtexv6nQe45NDNnhqVUIj

Score

10^/10

limerat discovery rat

Malware Config

Extracted

Family

limerat

Attributes

aes_key
ponontop
antivm
false
c2_url
https://pastebin.com/raw/U06jyvTy
delay
3
download_payload
false
install
true
install_name
sus.exe
main_folder
AppData
pin_spread
true
sub_folder
\sus\
usb_spread
false

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/U06jyvTy
download_payload
false
install
false
pin_spread
false
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Limerat family
limerat

Executes dropped EXE 1 IoCs

pid	Process
2808	sus.exe

Loads dropped DLL 2 IoCs

pid	Process
1616	New-Client.exe
1616	New-Client.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New-Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sus.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2752	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2808	sus.exe
2808	sus.exe
2808	sus.exe
2808	sus.exe
2808	sus.exe
2808	sus.exe
2808	sus.exe
2808	sus.exe
2808	sus.exe
2808	sus.exe
2808	sus.exe
2808	sus.exe
2808	sus.exe
2808	sus.exe
2808	sus.exe
2808	sus.exe
2808	sus.exe
2808	sus.exe
2808	sus.exe
2808	sus.exe
2808	sus.exe
2808	sus.exe
2808	sus.exe
2808	sus.exe
2808	sus.exe
2808	sus.exe
2808	sus.exe
2808	sus.exe
2808	sus.exe
2808	sus.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	sus.exe
Token: SeDebugPrivilege	2808	sus.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 2752	1616	New-Client.exe	32
PID 1616 wrote to memory of 2752	1616	New-Client.exe	32
PID 1616 wrote to memory of 2752	1616	New-Client.exe	32
PID 1616 wrote to memory of 2752	1616	New-Client.exe	32
PID 1616 wrote to memory of 2808	1616	New-Client.exe	34
PID 1616 wrote to memory of 2808	1616	New-Client.exe	34
PID 1616 wrote to memory of 2808	1616	New-Client.exe	34
PID 1616 wrote to memory of 2808	1616	New-Client.exe	34

C:\Users\Admin\AppData\Local\Temp\New-Client.exe
"C:\Users\Admin\AppData\Local\Temp\New-Client.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\sus\sus.exe'"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2752
- C:\Users\Admin\AppData\Roaming\sus\sus.exe
  "C:\Users\Admin\AppData\Roaming\sus\sus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\sus\sus.exe

Filesize
28KB

MD5
42dd04b2c91e0b8c4b6c676c0bf067bc

SHA1
8fb5c885299eb1fb4c93e76cc7172058a347c48b

SHA256
18dfa73375b80be2a9651411bdd5c4735c9738af35f086f426584ee2776d9fa3

SHA512
24cc5f837445c1ea3cb9c39f66186d2be23674444f6a46df296a4a0538aa5fa4bde6ad4251bc8adc74dfc5689576763e592d0713a303e8a2f7828b2bf4b34b2e

Download Submit
memory/1616-0-0x0000000074BFE000-0x0000000074BFF000-memory.dmp

Filesize
4KB

Download
memory/1616-1-0x0000000000D40000-0x0000000000D4C000-memory.dmp

Filesize
48KB

Download
memory/1616-13-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download
memory/2808-12-0x0000000000CE0000-0x0000000000CEC000-memory.dmp

Filesize
48KB

Download
memory/2808-14-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download
memory/2808-15-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download
memory/2808-16-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download
memory/2808-17-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads