limerat | 328c830f50d6a124333a32e574411df789afd2581956098c08500c528034697f

General

Target

Payment Copy.js
Size

736KB
MD5

d3c5964e49a3af7aa3e861b7e9f194b1
SHA1

afe5b5a7bc4353603b6959c3e556261896355ca1
SHA256

328c830f50d6a124333a32e574411df789afd2581956098c08500c528034697f
SHA512

dde692e8788543d570c394541362fe9d47d46749c7f97b9b95e6a9508db5bc4b591d4f2c31b25445b375067266b75662bce29e4c2638671da5bf54f960cb484d

Score

10^/10

limerat ratty rat trojan

Malware Config

Extracted

Family

limerat

Wallets

1Cs8MjxkXtYwkDKypg8i1Vj5nzhANpgC6y

Attributes

aes_key
2249
antivm
false
c2_url
https://pastebin.com/raw/G9wX4J5m
delay
8
download_payload
false
install
true
install_name
player.exe
main_folder
AppData
pin_spread
false
sub_folder
\
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Ratty
Ratty is an open source Java Remote Access Tool.
trojan rat ratty

Ratty Rat Payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00040000000130e2-65.dat	family_ratty

Executes dropped EXE 2 IoCs

pid	Process
1716	New-Client.exe
1456	player.exe

Loads dropped DLL 2 IoCs

pid	Process
1716	New-Client.exe
1716	New-Client.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
612	1796	WerFault.exe	27

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1308	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
612	WerFault.exe
612	WerFault.exe
612	WerFault.exe
612	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
612	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	612	WerFault.exe
Token: SeDebugPrivilege	1456	player.exe
Token: SeDebugPrivilege	1456	player.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 1972	1668	wscript.exe	26
PID 1668 wrote to memory of 1972	1668	wscript.exe	26
PID 1668 wrote to memory of 1972	1668	wscript.exe	26
PID 1668 wrote to memory of 1796	1668	wscript.exe	27
PID 1668 wrote to memory of 1796	1668	wscript.exe	27
PID 1668 wrote to memory of 1796	1668	wscript.exe	27
PID 1972 wrote to memory of 1716	1972	wscript.exe	28
PID 1972 wrote to memory of 1716	1972	wscript.exe	28
PID 1972 wrote to memory of 1716	1972	wscript.exe	28
PID 1972 wrote to memory of 1716	1972	wscript.exe	28
PID 1796 wrote to memory of 612	1796	javaw.exe	29
PID 1796 wrote to memory of 612	1796	javaw.exe	29
PID 1796 wrote to memory of 612	1796	javaw.exe	29
PID 1716 wrote to memory of 1308	1716	New-Client.exe	34
PID 1716 wrote to memory of 1308	1716	New-Client.exe	34
PID 1716 wrote to memory of 1308	1716	New-Client.exe	34
PID 1716 wrote to memory of 1308	1716	New-Client.exe	34
PID 1716 wrote to memory of 1456	1716	New-Client.exe	36
PID 1716 wrote to memory of 1456	1716	New-Client.exe	36
PID 1716 wrote to memory of 1456	1716	New-Client.exe	36
PID 1716 wrote to memory of 1456	1716	New-Client.exe	36

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Payment Copy.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\AsySxQTQmK.js"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Users\Admin\AppData\Roaming\New-Client.exe
    "C:\Users\Admin\AppData\Roaming\New-Client.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\player.exe'"
      4⤵
      Creates scheduled task(s)
      PID:1308
  - - C:\Users\Admin\AppData\Roaming\player.exe
      "C:\Users\Admin\AppData\Roaming\player.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1456
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\VrxxiCZBXd.jar"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1796 -s 140
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/612-73-0x0000000001C00000-0x0000000001C01000-memory.dmp

Filesize
4KB

Download
memory/1456-81-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/1668-59-0x000007FEFC301000-0x000007FEFC303000-memory.dmp

Filesize
8KB

Download
memory/1716-72-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

Filesize
4KB

Download
memory/1716-69-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads