limerat | 7965609f1fe078275c2f8316d3fff1d25393e096f9abd1952928a53fc2ea2c9e | Triage

Sharing

General

Target

7965609f1fe078275c2f8316d3fff1d25393e096f9abd1952928a53fc2ea2c9e
Size

2.4MB
Sample

220731-kst3hsaabl
MD5

d62772aab4ce2a4301fb122de9155e61
SHA1

aaa45a516e7fa85e472a97dc4d6d1dda092850f6
SHA256

7965609f1fe078275c2f8316d3fff1d25393e096f9abd1952928a53fc2ea2c9e
SHA512

7cd9ed6071030faa0a26194177349c97a9f06bedb3ffb59a2f999127bf4f7c1e68c8a3ec4b19bf25aedccecdfea9ccc4956009d43738fb3ee963615285fd9b91

Score

10^/10

limerat rat

Malware Config

Extracted

Family

limerat

Attributes

aes_key
1205
antivm
false
c2_url
https://pastebin.com/raw/iRjhpqQL
delay
3
download_payload
false
install
false
install_name
Wservices.exe
main_folder
Temp
pin_spread
false
sub_folder
\
usb_spread
false

Targets

- Target
  
  7965609f1fe078275c2f8316d3fff1d25393e096f9abd1952928a53fc2ea2c9e
- Size
  
  2.4MB
- MD5
  
  d62772aab4ce2a4301fb122de9155e61
- SHA1
  
  aaa45a516e7fa85e472a97dc4d6d1dda092850f6
- SHA256
  
  7965609f1fe078275c2f8316d3fff1d25393e096f9abd1952928a53fc2ea2c9e
- SHA512
  
  7cd9ed6071030faa0a26194177349c97a9f06bedb3ffb59a2f999127bf4f7c1e68c8a3ec4b19bf25aedccecdfea9ccc4956009d43738fb3ee963615285fd9b91
Score

10^/10

limerat rat
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2