Analysis
-
max time kernel
112s -
max time network
113s -
platform
windows10-2004_x64 -
resource
win10v2004-20250313-en -
resource tags
-
submitted
31/03/2025, 09:30
Errors
General
-
Target
PortFowarding.exe
-
Size
28KB
-
MD5
61b1dac027f18514a7a0cc6c2475528c
-
SHA1
6605992eb04bdaa3e6a5f94d5e4baf5b548ef548
-
SHA256
e76749d70a685f5f5456ce90f223404e2b7f143544426f17610a2b020b721886
-
SHA512
4007b1d52e4ffa2842a5490f5c564a8bc9e939c044cf1d6eee3295c87d9b1142057e366efb38de7d4c26af3bbf2090fbd701c2b40527187b3bb4b1b4b1435614
-
SSDEEP
768:lpYK/6Dfw9Fj+ZySZl45NWi6KQlkB6Uyj:lpofw94Z9y6i9QlkMR
Malware Config
Extracted
limerat
-
aes_key
emhook123321
-
antivm
false
-
c2_url
https://pastebin.com/raw/zVU0mnS4
-
delay
15
-
download_payload
false
-
install
true
-
install_name
svhost.exe
-
main_folder
AppData
-
pin_spread
false
-
sub_folder
\Sys\
-
usb_spread
false
Extracted
limerat
-
antivm
false
-
c2_url
https://pastebin.com/raw/zVU0mnS4
-
download_payload
false
-
install
false
-
pin_spread
false
-
usb_spread
false
Signatures
-
LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
-
Limerat family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies data under HKEY_USERS 15 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\PortFowarding.exe"C:\Users\Admin\AppData\Local\Temp\PortFowarding.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\Sys\svhost.exe'"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\Sys\svhost.exe"C:\Users\Admin\AppData\Roaming\Sys\svhost.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Shutdown.exeShutdown /r /f /t 003⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3928055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
28KB
MD561b1dac027f18514a7a0cc6c2475528c
SHA16605992eb04bdaa3e6a5f94d5e4baf5b548ef548
SHA256e76749d70a685f5f5456ce90f223404e2b7f143544426f17610a2b020b721886
SHA5124007b1d52e4ffa2842a5490f5c564a8bc9e939c044cf1d6eee3295c87d9b1142057e366efb38de7d4c26af3bbf2090fbd701c2b40527187b3bb4b1b4b1435614
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
624KB
-
Filesize
48KB