limerat | 85fe23e69a61e733ce1070b20506ca9b48de1cd942e1a84b63022f78b86f50f1 | Triage

Submit
Reports

Overview

overview

Static

static

XEPHERSCRI...ER.bat

windows10-1703-x64

Sharing

General

Target

XEPHERSCRIPT_AUTO UPDATER.bat
Size

5KB
Sample

230121-2h8llaga81
MD5

ef31796ce9eca35e3bdf8035761489f0
SHA1

8852224c5908797ab2903b0e24e44f89d7ecffb0
SHA256

85fe23e69a61e733ce1070b20506ca9b48de1cd942e1a84b63022f78b86f50f1
SHA512

0465abdf9dd5f4f1f479c34e7189037bad71f3be3de0bdd08ea73b0f35ee4071da60508dba9e7258083ae063bf8166c06c8591362311c53e3c2a6f3ab1fcd30d
SSDEEP

48:F2UGGmJ85J3ACH6l4wZgZASj66ZWSFCZCZvfHN+0gnpr2KWrHN+0Or0CZwlWZwZW:F2UJAWRGWxUGWKz4fRwdIlx

Score

10^/10

limerat evasion rat

Static task

static1

Behavioral task

behavioral1

Sample

XEPHERSCRIPT_AUTO UPDATER.bat

Resource

win10-20220812-en

limerat evasion rat

windows10-1703-x64

26 signatures

150 seconds

Malware Config

Extracted

Family

limerat

Attributes

aes_key
$13377331$
antivm
true
c2_url
https://pastebin.com/raw/kpr8P98b
delay
20
download_payload
false
install
true
install_name
Microsoft Edge.exe
main_folder
UserProfile
pin_spread
false
sub_folder
\Microsoft\Edge\Application\Microsoft Edge\
usb_spread
false

Targets

- Target
  
  XEPHERSCRIPT_AUTO UPDATER.bat
- Size
  
  5KB
- MD5
  
  ef31796ce9eca35e3bdf8035761489f0
- SHA1
  
  8852224c5908797ab2903b0e24e44f89d7ecffb0
- SHA256
  
  85fe23e69a61e733ce1070b20506ca9b48de1cd942e1a84b63022f78b86f50f1
- SHA512
  
  0465abdf9dd5f4f1f479c34e7189037bad71f3be3de0bdd08ea73b0f35ee4071da60508dba9e7258083ae063bf8166c06c8591362311c53e3c2a6f3ab1fcd30d
- SSDEEP
  
  48:F2UGGmJ85J3ACH6l4wZgZASj66ZWSFCZCZvfHN+0gnpr2KWrHN+0Or0CZwlWZwZW:F2UJAWRGWxUGWKz4fRwdIlx
Score

10^/10

limerat evasion rat
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Modifies security service
  evasion
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Stops running service(s)
  evasion
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Impair Defenses

Modify Registry

Web Service

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

limeratevasionrat

© 2018-2025

Terms | Privacy