Interesting LIME RAT/Keylogger Sample
Found an ISO file that executes VBS > MSHTA (downloaded from cdn.discord[.]com), which then launches PowerShell. The PowerShell script contains two Windows PE files (one Base64 encoded, the other Base10 char code).

Sample: https://app.any.run/tasks/5032cab3-c41d-4f04-a1a7-930ca0ee0b09
Hash: d4cc124021b66445b5a8d1203d36e899

Next part of execution: https://app.any.run/tasks/73584f72-ddba-46e0-9661-5351186c659d
Hash: a1987242a319ad25836ba3c211a13ba7

The executed PowerShell script encodings are decoded in the following images:

The Base64 executable (Google Chrome.dll) is found here: https://www.virustotal.com/gui/file/4071e1852e9b0dea859d73b1736df451466a197c31e6f81dc590cc37b270b92f/detection

The char code executable (1118.exe), Lime Keylogger, is found here: https://www.virustotal.com/gui/file/c6fc9e3efaa2ee2f9c8cfca1154904819176a5e16e5341f88ec424bb727ca63b/detection

The 1118.exe executable's C2 is top[.]killwhenabusing1[.]xyz

Honestly, not too much at this point surprised me, however,...
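The post describes a PowerShell script carrying two PE files, one as a Base64 string and one as a decimal (Base10) char-code array. The following is an added example, not code from the post or from any of the linked samples: a small triage script that scans a PowerShell file for both encodings, decodes each candidate, keeps only blobs that start with the DOS "MZ" magic, and reports their size and SHA-256 so they can be compared against a sandbox or VirusTotal record. The embedded SAMPLE_PS1 and the FAKE_PE payload are constructed stand-ins (an MZ header plus filler, not a real executable); the regex thresholds are assumptions chosen to skip short tokens.

```python
import base64
import binascii
import hashlib
import re

# Constructed stand-in payload: an "MZ" header plus filler, NOT a real executable.
# It exists only so the extractor has something with a PE magic to find.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 60

# Constructed PowerShell fragment mimicking the two encodings described in the post:
# $a carries the payload as Base64, $b as a decimal (Base10) char-code array.
SAMPLE_PS1 = (
    '$a = [Convert]::FromBase64String("'
    + base64.b64encode(FAKE_PE).decode("ascii")
    + '")\n'
    "$b = [byte[]]@(" + ",".join(str(c) for c in FAKE_PE) + ")\n"
    '$c = "short string that should be ignored"\n'
)

# A Base64 run long enough to be a payload rather than a short token (assumed threshold).
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# At least 16 comma-separated decimal values of 1..3 digits (assumed threshold).
CHARCODE_RE = re.compile(r"(?:\b\d{1,3}\b\s*,\s*){15,}\b\d{1,3}\b")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a blob, for matching against sandbox / VT records."""
    return hashlib.sha256(data).hexdigest()


def looks_like_pe(data: bytes) -> bool:
    """Cheap first-pass PE check: at least a DOS header's worth of bytes starting with 'MZ'."""
    return len(data) >= 64 and data[:2] == b"MZ"


def decode_base64_blobs(text: str):
    """Decode every long Base64-looking run; skip runs that are not valid Base64."""
    blobs = []
    for m in B64_RE.finditer(text):
        try:
            blobs.append(base64.b64decode(m.group(0), validate=True))
        except binascii.Error:
            continue
    return blobs


def decode_charcode_arrays(text: str):
    """Turn every long comma-separated decimal array into bytes (values must fit a byte)."""
    blobs = []
    for m in CHARCODE_RE.finditer(text):
        values = [int(v) for v in re.split(r"\s*,\s*", m.group(0))]
        if all(0 <= v <= 255 for v in values):
            blobs.append(bytes(values))
    return blobs


def find_embedded_pes(script_text: str):
    """Return one {'encoding', 'size', 'sha256'} record per decoded blob with a PE magic."""
    found = []
    for encoding, decoder in (("base64", decode_base64_blobs),
                              ("charcode", decode_charcode_arrays)):
        for blob in decoder(script_text):
            if looks_like_pe(blob):
                found.append({"encoding": encoding,
                              "size": len(blob),
                              "sha256": sha256_hex(blob)})
    return found


if __name__ == "__main__":
    for hit in find_embedded_pes(SAMPLE_PS1):
        print(hit)
```

Run it against a real dropper script by reading the file into a string and passing it to find_embedded_pes; the two hits on SAMPLE_PS1 carry the same SHA-256 because both encodings wrap the same stand-in bytes. The MZ check is deliberately loose so that truncated or packed payloads are still surfaced; a full PE header parse can be added once a blob is pulled out.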