General
Target: 5456e3d82f4f3ce27dec6cac9cd4794fb524ba42e4037a735032c24f8834df6b
Size: 240KB
Sample: 221125-lwdelsce7y
MD5: eac5ebfd214de0cf3a5459b647a7b2d5
SHA1: 52f62f6d725049d191f453328cdae3f1f7334ee6
SHA256: 5456e3d82f4f3ce27dec6cac9cd4794fb524ba42e4037a735032c24f8834df6b
SHA512: 3e2978f6df4b3f0251dee2a7e9939fce2344e0af1c02810c7fcd1d31b5484fd2b2dd7203eef87ab8d2f2d8e55a9d9549252c256680c17f866f0f5af7c12f602e
SSDEEP: 3072:Ou9DMR90Afc/Fnzwm/I/1WNWnhXEi2/oLaiTnYL83ejgu3nypr/7RBk4adLCorxt:VW9lfKzGSJiDPAF1ERO7Lk
Static task: static1
Behavioral task: behavioral1
Sample: 5456e3d82f4f3ce27dec6cac9cd4794fb524ba42e4037a735032c24f8834df6b.exe
Resource: win7-20221111-en
Malware Config
Extracted: limerat
aes_key: IRj3SceatjDfweW/qMMw7g==
antivm: true
c2_url: https://pastebin.com/raw/p8Be8nNX
delay: 3
download_payload: false
install: true
install_name: Windows Update.exe
main_folder: UserProfile
pin_spread: false
sub_folder: \Windows\
usb_spread: false
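The extracted configuration above is enough to derive host and network indicators before the sample is run again. The Python below is an added example (not part of this report and not LimeRAT's own code): it transcribes the config, joins main_folder, sub_folder and install_name into the drop path to hunt for, reports the decoded size of the base64 key blob, flags the paste-service URL as a dead drop rather than a live C2 address, and scans constructed Sysmon-style event lines for writes to the drop path and for connections from that path to the paste host. The MAIN_FOLDER_ENV mapping, the <drive>:\Users\<name> profile layout, the event format and the sample events are assumptions.

```python
import base64
import re
from urllib.parse import urlparse

# Extracted LimeRAT configuration transcribed from this report (not the sample's own code).
LIMERAT_CONFIG = {
    "aes_key": "IRj3SceatjDfweW/qMMw7g==",
    "antivm": True,
    "c2_url": "https://pastebin.com/raw/p8Be8nNX",
    "delay": 3,
    "download_payload": False,
    "install": True,
    "install_name": "Windows Update.exe",
    "main_folder": "UserProfile",
    "pin_spread": False,
    "sub_folder": "\\Windows\\",
    "usb_spread": False,
}

# Assumption: main_folder names a .NET SpecialFolder-style location; only the
# values needed to turn it into a hunt path are mapped here.
MAIN_FOLDER_ENV = {
    "UserProfile": "%USERPROFILE%",
    "ApplicationData": "%APPDATA%",
    "LocalApplicationData": "%LOCALAPPDATA%",
}


def expected_install_path(cfg):
    """Join main_folder + sub_folder + install_name into the drop path to hunt for."""
    base = MAIN_FOLDER_ENV.get(cfg["main_folder"], "%" + cfg["main_folder"].upper() + "%")
    sub = cfg["sub_folder"].strip("\\")
    parts = [base] + ([sub] if sub else []) + [cfg["install_name"]]
    return "\\".join(parts)


def aes_key_bits(cfg):
    """Decode the base64 key blob and report its size in bits (16 bytes -> 128)."""
    return len(base64.b64decode(cfg["aes_key"])) * 8


def c2_host(cfg):
    """Hostname the implant contacts first; for a paste URL this is the dead-drop host."""
    return urlparse(cfg["c2_url"]).hostname


def c2_is_paste_dead_drop(cfg):
    """True when c2_url is a raw paste: the paste body, not the config, holds the live C2."""
    u = urlparse(cfg["c2_url"])
    return u.hostname == "pastebin.com" and u.path.startswith("/raw/")


def install_path_regex(cfg):
    """Regex over a lower-cased full path for the configured drop location.

    Assumption: a UserProfile root looks like <drive>:\\Users\\<name>\\.
    """
    sub = cfg["sub_folder"].strip("\\")
    tail = (sub + "\\" if sub else "") + cfg["install_name"]
    if cfg["main_folder"] == "UserProfile":
        prefix = r"^[a-z]:\\users\\[^\\]+\\"
    else:
        prefix = r"^.*\\"  # assumption: loose match for roots not modelled above
    return re.compile(prefix + re.escape(tail.lower()) + r"$")


# Key=Value pairs separated by whitespace; values may themselves contain spaces.
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Parse a flat 'Key=Value Key=Value' event line into a dict."""
    return dict(_KV.findall(line))


def scan_events(lines, cfg):
    """Return (index, reason) for events matching the configured drop path or C2 host."""
    path_re = install_path_regex(cfg)
    host = c2_host(cfg)
    hits = []
    for i, line in enumerate(lines):
        ev = parse_event(line)
        image = ev.get("Image", "").lower()
        target = ev.get("TargetFilename", "").lower()
        if ev.get("EventID") == "11" and path_re.match(target):
            hits.append((i, "file written to configured install path"))
        elif ev.get("EventID") in ("3", "22") and path_re.match(image) and \
                host in (ev.get("DestinationHostname", ""), ev.get("QueryName", "")):
            hits.append((i, "binary at install path contacted the C2 dead-drop host"))
    return hits


# Constructed Sysmon-style events (not real telemetry): 11 = FileCreate, 22 = DNS query, 3 = network connect.
SAMPLE_EVENTS = [
    "EventID=11 Image=C:\\Users\\alice\\Downloads\\invoice.exe TargetFilename=C:\\Users\\alice\\Windows\\Windows Update.exe",
    "EventID=11 Image=C:\\Windows\\System32\\svchost.exe TargetFilename=C:\\Windows\\SoftwareDistribution\\Download\\a1b2.tmp",
    "EventID=22 Image=C:\\Users\\alice\\Windows\\Windows Update.exe QueryName=pastebin.com",
    "EventID=3 Image=C:\\Users\\alice\\Windows\\Windows Update.exe DestinationHostname=pastebin.com DestinationPort=443",
    "EventID=3 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe DestinationHostname=pastebin.com DestinationPort=443",
]

if __name__ == "__main__":
    print("hunt path :", expected_install_path(LIMERAT_CONFIG))
    print("key size  :", aes_key_bits(LIMERAT_CONFIG), "bits")
    print("dead drop :", c2_is_paste_dead_drop(LIMERAT_CONFIG))
    for idx, why in scan_events(SAMPLE_EVENTS, LIMERAT_CONFIG):
        print(f"event {idx}: {why}")
```

The file hashes at the top of the report identify only this build; the drop path (%USERPROFILE%\Windows\Windows Update.exe) and the paste URL survive a recompile and are the indicators worth deploying. Because the paste is a dead-drop resolver, blocking pastebin.com alone produces the Firefox-style false positive in the last sample event; the scan therefore requires the connecting image to sit at the configured drop path, and the address the paste resolved to at analysis time should be added as a separate network indicator.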
Targets
Target: 5456e3d82f4f3ce27dec6cac9cd4794fb524ba42e4037a735032c24f8834df6b
Signatures:
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, most likely a geofence check before the payload runs.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2: matches the pastebin.com raw URL in the extracted config, which serves as a dead drop for the real C2 address.
- Suspicious use of SetThreadContext: rewriting another thread's context is the classic RunPE/process-hollowing step, used to run a payload inside a benign-looking host process.