File name:

e513eb020887dd56e85e55803b1afccb24ae116380947993da2e88a71e97be14.exe

Full analysis: https://app.any.run/tasks/f9e800f9-7520-4246-b9dd-de28f64c8267
Verdict: Malicious activity
Threats:

LimeRAT is Remote Administration Trojan malware that boasts an array of harmful capabilities. While masquerading as a legitimate tool, it can perform malicious operations like encryption, keylogging, and cryptomining, which makes it appealing to cybercriminals

Malware Trends Tracker     >>>
Analysis date: October 06, 2024, 11:27:18
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
pastebin
limerat
trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

259572CEADA05B5940A3D81727E1BBB9

SHA1:

E2306DBBE659272BF699668ED266CD402E4D0D31

SHA256:

E513EB020887DD56E85E55803B1AFCCB24AE116380947993DA2E88A71E97BE14

SSDEEP:

6144:P0Te7CfPjkjg1NmAG8QjxNGernwbSSdYtLNtlmYQM3Yx29GFUHuAldHSGggQ1IRw:sTZfPwc1NmAG8QNEeMGSd6ZtltQjvI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • e513eb020887dd56e85e55803b1afccb24ae116380947993da2e88a71e97be14.exe (PID: 6524)

    • LIMERAT has been detected (YARA)

      • document autorisation.exe (PID: 3508)

    • LimeRAT is detected

      • document autorisation.exe (PID: 3508)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • e513eb020887dd56e85e55803b1afccb24ae116380947993da2e88a71e97be14.exe (PID: 6524)

    • Reads security settings of Internet Explorer

      • e513eb020887dd56e85e55803b1afccb24ae116380947993da2e88a71e97be14.exe (PID: 6524)

    • Starts itself from another location

      • e513eb020887dd56e85e55803b1afccb24ae116380947993da2e88a71e97be14.exe (PID: 6524)

  • INFO

    • Checks supported languages

      • e513eb020887dd56e85e55803b1afccb24ae116380947993da2e88a71e97be14.exe (PID: 6524)
      • document autorisation.exe (PID: 3508)

    • Reads the machine GUID from the registry

      • e513eb020887dd56e85e55803b1afccb24ae116380947993da2e88a71e97be14.exe (PID: 6524)
      • document autorisation.exe (PID: 3508)

    • The process uses the downloaded file

      • e513eb020887dd56e85e55803b1afccb24ae116380947993da2e88a71e97be14.exe (PID: 6524)

    • Create files in a temporary directory

      • e513eb020887dd56e85e55803b1afccb24ae116380947993da2e88a71e97be14.exe (PID: 6524)

    • Reads the computer name

      • e513eb020887dd56e85e55803b1afccb24ae116380947993da2e88a71e97be14.exe (PID: 6524)
      • document autorisation.exe (PID: 3508)

    • Process checks computer location settings

      • e513eb020887dd56e85e55803b1afccb24ae116380947993da2e88a71e97be14.exe (PID: 6524)

    • Disables trace logs

      • document autorisation.exe (PID: 3508)

    • Checks proxy server information

      • document autorisation.exe (PID: 3508)

    • Reads the software policy settings

      • document autorisation.exe (PID: 3508)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

LimeRAT

(PID) Process(3508) document autorisation.exe
C2https://pastebin.com/raw/YRNWGBMr
Keys
AESNadaNasser@1212
Options
EndOfConfigChar|'N'|
SplitDataConfigChar|'L'|
ClientDropNamedocument autorisation.exe
UsbSpreadTrue
PinSpreadTrue
AntiVMTrue
DropFileTrue
MainFolderTemp
SubFolder\folder\
BtcAddress15o2GcScWkMTUHBbLS2pdvaYbEAs46pEuu
DownloadCheckFalse
DownloadLink
Delay3
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (62)
.exe | Win64 Executable (generic) (23.3)
.dll | Win32 Dynamic Link Library (generic) (5.5)
.exe | Win32 Executable (generic) (3.8)
.exe | Win16/32 Executable Delphi generic (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:02:23 19:29:41+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 28160
InitializedDataSize: 344064
UninitializedDataSize: -
EntryPoint: 0x8d1e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
117
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start e513eb020887dd56e85e55803b1afccb24ae116380947993da2e88a71e97be14.exe #LIMERAT document autorisation.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2256C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
3508"C:\Users\admin\AppData\Local\Temp\folder\document autorisation.exe" C:\Users\admin\AppData\Local\Temp\folder\document autorisation.exe
e513eb020887dd56e85e55803b1afccb24ae116380947993da2e88a71e97be14.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\folder\document autorisation.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
LimeRAT
(PID) Process(3508) document autorisation.exe
C2https://pastebin.com/raw/YRNWGBMr
Keys
AESNadaNasser@1212
Options
EndOfConfigChar|'N'|
SplitDataConfigChar|'L'|
ClientDropNamedocument autorisation.exe
UsbSpreadTrue
PinSpreadTrue
AntiVMTrue
DropFileTrue
MainFolderTemp
SubFolder\folder\
BtcAddress15o2GcScWkMTUHBbLS2pdvaYbEAs46pEuu
DownloadCheckFalse
DownloadLink
Delay3
6524"C:\Users\admin\Desktop\e513eb020887dd56e85e55803b1afccb24ae116380947993da2e88a71e97be14.exe" C:\Users\admin\Desktop\e513eb020887dd56e85e55803b1afccb24ae116380947993da2e88a71e97be14.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\e513eb020887dd56e85e55803b1afccb24ae116380947993da2e88a71e97be14.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events
4 721
Read events
4 703
Write events
18
Delete events
0

Modification events

(PID) Process:(6524) e513eb020887dd56e85e55803b1afccb24ae116380947993da2e88a71e97be14.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:document autorisation.exe
Value:
C:\Users\admin\AppData\Local\Temp\folder\document autorisation.exe
(PID) Process:(3508) document autorisation.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\document autorisation_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3508) document autorisation.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\document autorisation_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(3508) document autorisation.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\document autorisation_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3508) document autorisation.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\document autorisation_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(3508) document autorisation.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\document autorisation_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(3508) document autorisation.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\document autorisation_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(3508) document autorisation.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\document autorisation_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(3508) document autorisation.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\document autorisation_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3508) document autorisation.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\document autorisation_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
6524e513eb020887dd56e85e55803b1afccb24ae116380947993da2e88a71e97be14.exeC:\Users\admin\AppData\Local\Temp\folder\document autorisation.exeexecutable
MD5:259572CEADA05B5940A3D81727E1BBB9
SHA256:E513EB020887DD56E85E55803B1AFCCB24AE116380947993DA2E88A71E97BE14
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
51
TCP/UDP connections
26
DNS requests
27
Threats
73

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5212
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
104.20.4.235:443
https://pastebin.com/raw/YRNWGBMr
unknown
GET
200
172.67.19.24:443
https://pastebin.com/raw/YRNWGBMr
unknown
text
25 b
shared
GET
200
104.20.3.235:443
https://pastebin.com/raw/YRNWGBMr
unknown
text
25 b
shared
GET
200
104.20.3.235:443
https://pastebin.com/raw/YRNWGBMr
unknown
text
25 b
shared
GET
200
104.20.4.235:443
https://pastebin.com/raw/YRNWGBMr
unknown
text
25 b
shared
GET
200
172.67.19.24:443
https://pastebin.com/raw/YRNWGBMr
unknown
text
25 b
shared
GET
200
104.20.3.235:443
https://pastebin.com/raw/YRNWGBMr
unknown
text
25 b
shared
GET
200
104.20.4.235:443
https://pastebin.com/raw/YRNWGBMr
unknown
text
25 b
shared
GET
200
172.67.19.24:443
https://pastebin.com/raw/YRNWGBMr
unknown
text
25 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5212
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
5212
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5212
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3508
document autorisation.exe
104.20.3.235:443
pastebin.com
CLOUDFLARENET
shared

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.110
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
pastebin.com
  • 104.20.3.235
  • 172.67.19.24
  • 104.20.4.235
malicious
rachidlevet.ddns.net
malicious

Threats

PID
Process
Class
Message
2256
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Online Pastebin Text Storage
2256
svchost.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.ddns .net
2256
svchost.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.ddns .net
2256
svchost.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.ddns .net
2256
svchost.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.ddns .net
2256
svchost.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.ddns .net
2256
svchost.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.ddns .net
2256
svchost.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.ddns .net
2256
svchost.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.ddns .net
2256
svchost.exe
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.ddns .net
50 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
e513eb020887dd56e85e55803b1afccb24ae116380947993da2e88a71e97be14.exe