limerat

General

Target

b1a6bd454f8e723bd8f1b856b336c844.exe
Size

13.4MB
Sample

220506-hts6hacafn
MD5

b1a6bd454f8e723bd8f1b856b336c844
SHA1

e50b78534ab2761b9f654333f81be3a60f736eb9
SHA256

d0fd88199448558df5b8c56936e822aea87f9149c23682004edbf36f28bfb78e
SHA512

2bff70684886914c8affa398dda0f801dc22d8f7d0a2a4f2578378f387744c6548779fd2065c7ddde3757d4c3786c40b6006aa1a371ea0b0c1a0ef425ecccd80

Score

10^/10

Malware Config

Extracted

Family

limerat

Attributes

aes_key
1234
antivm
true
c2_url
https://pastebin.com/raw/nFP8Nq0E
delay
3
download_payload
false
install
true
install_name
whitelistcheck.exe
main_folder
AppData
pin_spread
false
sub_folder
\
usb_spread
false

Targets

- Target
  
  b1a6bd454f8e723bd8f1b856b336c844.exe
- Size
  
  13.4MB
- MD5
  
  b1a6bd454f8e723bd8f1b856b336c844
- SHA1
  
  e50b78534ab2761b9f654333f81be3a60f736eb9
- SHA256
  
  d0fd88199448558df5b8c56936e822aea87f9149c23682004edbf36f28bfb78e
- SHA512
  
  2bff70684886914c8affa398dda0f801dc22d8f7d0a2a4f2578378f387744c6548779fd2065c7ddde3757d4c3786c40b6006aa1a371ea0b0c1a0ef425ecccd80
Score

10^/10

limerat xmrig discovery evasion exploit miner rat spyware stealer upx vmprotect
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Modifies security service
  evasion
- Suspicious use of NtCreateUserProcessOtherParentProcess
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- XMRig Miner Payload
  miner
- Drops file in Drivers directory
- Executes dropped EXE
- Possible privilege escalation attempt
  exploit
- Stops running service(s)
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2