Overview

overview

10

Static

static

10

CandyDDose...se.exe

windows7-x64

10

CandyDDose...se.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-01-2025 07:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CandyDDoser-15.4.1-relase.exe

  • Size

    48KB

  • MD5

    a6afa66b8e30978a4332ce1eccfea5d4

  • SHA1

    6c1cd4bd94511bfd5a9077647f7997c199bafaf5

  • SHA256

    a6927bd04276913b77a3a3d34ed38b8e6f8d2e94c8aacb0a7c5e8f8e3510bb3e

  • SHA512

    5851a1359ad23d851d59a28f3fda93a6bb25daf5dfc1c2c7f6a2f71f9a12bfe62c7420f94aa33fa298a02e0c2e4b3c37e5732fab9a48352a81f2bb9a98d444fe

  • SSDEEP

    768:KpgO6PTwdAxZdEayM45NtP0/JCGjDYSvsMMq6n81i9UL5HdwYw:KpATwdM6LxBwHfYNMMq62i9EH

Score
10/10
limeratdiscoveryrat

Malware Config

Extracted

Family

limerat

Attributes
  • aes_key

    ewewasdgh

  • antivm

    true

  • c2_url

    https://pastebin.com/raw/hj9UaNnk

  • delay

    3

  • download_payload

    false

  • install

    true

  • install_name

    CandyDDoser-15.4.1-relase.exe

  • main_folder

    AppData

  • pin_spread

    true

  • sub_folder

    \VoiceMod\

  • usb_spread

    true

Extracted

Family

limerat

Attributes
  • antivm

    false

  • c2_url

    https://pastebin.com/raw/hj9UaNnk

  • download_payload

    false

  • install

    false

  • pin_spread

    false

  • usb_spread

    false

Signatures

  • LimeRAT

    Simple yet powerful RAT for Windows machines written in .NET.

    ratlimerat
  • Limerat family
    limerat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 47 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CandyDDoser-15.4.1-relase.exe
    "C:\Users\Admin\AppData\Local\Temp\CandyDDoser-15.4.1-relase.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5028
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\VoiceMod\CandyDDoser-15.4.1-relase.exe'"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1432
    • C:\Users\Admin\AppData\Roaming\VoiceMod\CandyDDoser-15.4.1-relase.exe
      "C:\Users\Admin\AppData\Roaming\VoiceMod\CandyDDoser-15.4.1-relase.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4664

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CandyDDoser-15.4.1-relase.exe.log
    Filesize

    709B

    MD5

    8a1197be130e48aa5aeeafd43eb6bb9f

    SHA1

    cb790c7c216e41524348eaa0e5b74926e78dbfc6

    SHA256

    547474087ec8f71dfd32b76f9b74c86f9844addf5082df37562a2c2c0cae4bfb

    SHA512

    4ad9d8dbbc253c8d7b1c2b4ec5f115c770f02bdbbc21ca0b422e251a3a98331e169c5062cabf7da81d5ae0d295b3778ef105ef82709df1a4ace71be288b8f166

    Download Submit

  • C:\Users\Admin\AppData\Roaming\VoiceMod\CandyDDoser-15.4.1-relase.exe
    Filesize

    48KB

    MD5

    a6afa66b8e30978a4332ce1eccfea5d4

    SHA1

    6c1cd4bd94511bfd5a9077647f7997c199bafaf5

    SHA256

    a6927bd04276913b77a3a3d34ed38b8e6f8d2e94c8aacb0a7c5e8f8e3510bb3e

    SHA512

    5851a1359ad23d851d59a28f3fda93a6bb25daf5dfc1c2c7f6a2f71f9a12bfe62c7420f94aa33fa298a02e0c2e4b3c37e5732fab9a48352a81f2bb9a98d444fe

    Download Submit

  • memory/4664-20-0x0000000075290000-0x0000000075A40000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4664-19-0x0000000075290000-0x0000000075A40000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4664-18-0x0000000075290000-0x0000000075A40000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4664-17-0x0000000075290000-0x0000000075A40000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5028-3-0x00000000056A0000-0x0000000005706000-memory.dmp

    Filesize

    408KB

    Download

  • memory/5028-5-0x00000000062D0000-0x0000000006874000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/5028-4-0x0000000075290000-0x0000000075A40000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5028-16-0x0000000075290000-0x0000000075A40000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5028-0-0x000000007529E000-0x000000007529F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5028-2-0x0000000005600000-0x000000000569C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/5028-1-0x0000000000C60000-0x0000000000C72000-memory.dmp

    Filesize

    72KB

    Download