limerat | ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0 | Triage

Submit
Reports

Overview

overview

Static

static

ab7b41c231...d0.exe

windows7_x64

ab7b41c231...d0.exe

windows10-2004_x64

Sharing

General

Target

ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0
Size

845KB
Sample

220520-2shsxsahgq
MD5

c29b3a45fa82325fc62f03f2da1e2975
SHA1

2655cc45ccabc43db6791cd57080b1be3a84a775
SHA256

ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0
SHA512

5baaaef6460890762441cbad946031809f2754b8fea363ed0a90267cb0a026ffdb9d686d51cd96010c6d7d82b8f9e2755eff9903c61cb0bc79d04fdb90bbf6ae

Score

10^/10

limerat evasion rat

Static task

static1

Behavioral task

behavioral1

Sample

ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe

Resource

win7-20220414-en

limerat evasion rat

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0.exe

Resource

win10v2004-20220414-en

limerat evasion rat

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

limerat

Attributes

aes_key
NYANCAT
antivm
false
c2_url
https://pastebin.com/raw/RScXPXsx
delay
3
download_payload
false
install
false
install_name
Server.exe
main_folder
AppData
pin_spread
false
sub_folder
\Mail-Server\
usb_spread
false

Targets

- Target
  
  ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0
- Size
  
  845KB
- MD5
  
  c29b3a45fa82325fc62f03f2da1e2975
- SHA1
  
  2655cc45ccabc43db6791cd57080b1be3a84a775
- SHA256
  
  ab7b41c231ff2cfd4f9befca2ce8af7478848a956efbbbd534283e549580acd0
- SHA512
  
  5baaaef6460890762441cbad946031809f2754b8fea363ed0a90267cb0a026ffdb9d686d51cd96010c6d7d82b8f9e2755eff9903c61cb0bc79d04fdb90bbf6ae
Score

10^/10

limerat evasion rat
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

limeratevasionrat

behavioral2

limeratevasionrat

© 2018-2024

Terms | Privacy