General
- Target: 64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc
- Size: 330KB
- Sample: 221130-wh19mafa6w
- MD5: 88157978da35d52fee44f25b3610aa60
- SHA1: d67d981b38b82002f2f9e9e45c5c489368e8cda7
- SHA256: 64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc
- SHA512: 4a6bf3ecf6763d569fc26c8cae61b38c07f27594954cb2448ade77aa7ae584fc7ae118463d14826cffd2ec4d5ecd77fd04861b5ed98a77f752357cb9860c29b2
- SSDEEP: 6144:zK8lUvarEuKLH321cUx5zugbguHzYOi2Deq1qR1:zDEzSnbbg6l11q
Static task: static1
Behavioral task: behavioral1
- Sample: 64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc.exe
- Resource: win7-20220812-en
Malware Config
Extracted: limerat
- aes_key: IRj3SceatjDfweW/qMMw7g==
- antivm: true
- c2_url: https://pastebin.com/raw/p8Be8nNX
- delay: 3
- download_payload: false
- install: true
- install_name: Windows Update.exe
- main_folder: UserProfile
- pin_spread: false
- sub_folder: \Windows\
- usb_spread: false
Targets
- Target: 64f96c98b66e34531a11f0ceba67916b5207cc0f7dbcda256c6ee3d9c5f528cc
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext