limerat | 56464850801241284ae026a58bf65cf22d5b7f0800a1058fc84cd6802cf3a7c9 | Triage

Sharing

General

Target

56464850801241284AE026A58BF65CF22D5B7F0800A10.exe
Size

108KB
Sample

220917-tx63baaad6
MD5

018f06156f16a08a4689179458972941
SHA1

7215c5f8a21e715d932908aa4c640333afac5f1c
SHA256

56464850801241284ae026a58bf65cf22d5b7f0800a1058fc84cd6802cf3a7c9
SHA512

88e1b4c09311d58098815fd41e5c08f43b8884b1e5c659110c0cbb052df550abafb0cf24526c903e7fd9ca7c0a2abe19fdaf116c06d92a0ef41a0e8db2955fd5
SSDEEP

3072:4siUbw3GIz12qSfX10gzg8wZ29iFparpaaWruERzxaiEacrMtAs8UqDC4RaVRtmy:Jq3GIz12qSfX10gzg8wZ29iFparpaaWM

Score

10^/10

limerat persistence rat

Malware Config

Extracted

Family

limerat

Attributes

aes_key
beodz
antivm
false
c2_url
https://pastebin.com/raw/nEZ87Pwx
delay
3
download_payload
false
install
true
install_name
svchost.exe
main_folder
AppData
pin_spread
true
sub_folder
\MicrosoftData\
usb_spread
false

Targets

- Target
  
  56464850801241284AE026A58BF65CF22D5B7F0800A10.exe
- Size
  
  108KB
- MD5
  
  018f06156f16a08a4689179458972941
- SHA1
  
  7215c5f8a21e715d932908aa4c640333afac5f1c
- SHA256
  
  56464850801241284ae026a58bf65cf22d5b7f0800a1058fc84cd6802cf3a7c9
- SHA512
  
  88e1b4c09311d58098815fd41e5c08f43b8884b1e5c659110c0cbb052df550abafb0cf24526c903e7fd9ca7c0a2abe19fdaf116c06d92a0ef41a0e8db2955fd5
- SSDEEP
  
  3072:4siUbw3GIz12qSfX10gzg8wZ29iFparpaaWruERzxaiEacrMtAs8UqDC4RaVRtmy:Jq3GIz12qSfX10gzg8wZ29iFparpaaWM
Score

10^/10

limerat persistence rat
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Scripting

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

limeratpersistencerat

behavioral2

limeratpersistencerat