File name: New-Clie.exe

Full analysis: https://app.any.run/tasks/8e4aedfb-87b9-4e9d-a089-aad017ba4c89
Verdict: Malicious activity
Threats:

LimeRAT is a Remote Administration Trojan that boasts an array of harmful capabilities. While masquerading as a legitimate tool, it can perform malicious operations such as encryption, keylogging, and cryptomining, which makes it appealing to cybercriminals.

Analysis date: March 22, 2024, 21:13:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: limerat, trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 066B07B3C9743D0FCC65591610203BC6
SHA1: EA81F83EC781F6E140A28C61AB94CD44A99D81DD
SHA256: 17A789DB6468ED747ED1A4434D6B94A4BB798791BFE01A8A9816B3FE98469B79
SSDEEP: 768:4nq8yS2Lqqt2lRvf90ed3Xbe45NNQALh5fn70s:Yq9Lq7vf90ed3Xb/j95f7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • New-Clie.exe (PID: 1836)
    • Changes the autorun value in the registry
      • New-Clie.exe (PID: 1836)
    • LIMERAT has been detected (YARA)
      • Wservices.exe (PID: 3488)
    • LimeRAT is detected
      • Wservices.exe (PID: 3488)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • New-Clie.exe (PID: 1836)
    • The process creates files with names similar to system file names
      • New-Clie.exe (PID: 1836)
    • Reads security settings of Internet Explorer
      • New-Clie.exe (PID: 1836)
    • Reads the Internet Settings
      • New-Clie.exe (PID: 1836)
      • Wservices.exe (PID: 3488)
    • Starts itself from another location
      • New-Clie.exe (PID: 1836)
    • Reads settings of System Certificates
      • Wservices.exe (PID: 3488)
  • INFO
    • Reads the computer name
      • New-Clie.exe (PID: 1836)
      • Wservices.exe (PID: 3488)
    • Checks supported languages
      • New-Clie.exe (PID: 1836)
      • Wservices.exe (PID: 3488)
    • Reads the machine GUID from the registry
      • New-Clie.exe (PID: 1836)
      • Wservices.exe (PID: 3488)
    • Creates files in a temporary directory
      • New-Clie.exe (PID: 1836)
    • Reads Environment values
      • Wservices.exe (PID: 3488)
    • Reads the software policy settings
      • Wservices.exe (PID: 3488)

LimeRAT configuration (PID 3488, Wservices.exe)

C2: https://pastebin.com/raw/DDTVwwbu
Keys:
AES: 1111
Options:
EndOfConfigChar: |'N'|
SplitDataConfigChar: |'L'|
ClientDropName: Wservices.exe
UsbSpread: True
PinSpread: False
AntiVM: True
DropFile: True
MainFolder: Temp
SubFolder: \
BtcAddress:
DownloadCheck: False
DownloadLink:
Delay: 3

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (55.8)
.exe | Win64 Executable (generic) (21)
.scr | Windows screen saver (9.9)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF (EXE)

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:22 21:12:43+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 28160
InitializedDataSize: 512
UninitializedDataSize: -
EntryPoint: 0x8cde
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 38
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start > new-clie.exe > wservices.exe (#LIMERAT)

Process information

PID: 1836
CMD: "C:\Users\admin\AppData\Local\Temp\New-Clie.exe"
Path: C:\Users\admin\AppData\Local\Temp\New-Clie.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\new-clie.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 3488
CMD: "C:\Users\admin\AppData\Local\Temp\Wservices.exe"
Path: C:\Users\admin\AppData\Local\Temp\Wservices.exe
Parent process: New-Clie.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\wservices.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 6 666
Read events: 6 610
Write events: 44
Delete events: 12

Modification events

(PID 1836) New-Clie.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Wservices.exe
Value: C:\Users\admin\AppData\Local\Temp\Wservices.exe

(PID 1836) New-Clie.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID 1836) New-Clie.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID 1836) New-Clie.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID 1836) New-Clie.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID 3488) Wservices.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Wservices_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID 3488) Wservices.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Wservices_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID 3488) Wservices.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Wservices_RASAPI32
Operation: write
Name: FileTracingMask
Value:

(PID 3488) Wservices.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Wservices_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

(PID 3488) Wservices.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Wservices_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 1836
Process: New-Clie.exe
Filename: C:\Users\admin\AppData\Local\Temp\Wservices.exe
Type: executable
MD5: 066B07B3C9743D0FCC65591610203BC6
SHA256: 17A789DB6468ED747ED1A4434D6B94A4BB798791BFE01A8A9816B3FE98469B79
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID  | Process       | IP:port              | Domain       | ASN           | CN | Reputation
4    | System        | 192.168.100.255:138  |              |               |    | whitelisted
4    | System        | 192.168.100.255:137  |              |               |    | whitelisted
     |               | 224.0.0.252:5355     |              |               |    | unknown
1080 | svchost.exe   | 224.0.0.252:5355     |              |               |    | unknown
3488 | Wservices.exe | 172.67.34.170:443    | pastebin.com | CLOUDFLARENET | US | unknown

DNS requests

Domain: pastebin.com
IP:
  • 172.67.34.170
  • 104.20.67.143
  • 104.20.68.143
Reputation: shared

Threats

No threats detected