General
Target: ec78bffd668366762d3d8e235eb5dccfa4274dd6d7fbaa562f2f990607bdc0b0
Size: 411KB
Sample: 230129-1anqsadd49
MD5: 02526e35a0e7661b56ac0dd4a131e1a0
SHA1: d0e69e20734bb5f40da5e7fa7aa6bc2ae4cfca9a
SHA256: ec78bffd668366762d3d8e235eb5dccfa4274dd6d7fbaa562f2f990607bdc0b0
SHA512: 8a73707c4ee5325224d235f4de22b0cea3d5674210f74c0b8aad1a1bc9c8006da6f3e9181a7c1816ffe2f4351552c1a3c846efcdcff3c3413b0ce166311125fa
SSDEEP: 6144:5P0PdMgZGW1kmxTrHJy+HhjG0NxO2hoQtGUZ4mb5jjsBI+jcO6x:N8uEkmnJH9VHO25FZ4G2Ksl6
Static task
static1
Behavioral task
behavioral1
Sample
ec78bffd668366762d3d8e235eb5dccfa4274dd6d7fbaa562f2f990607bdc0b0.exe
Resource
win7-20221111-en
Malware Config
Extracted
limerat
aes_key: K4L4M4rIK4L4M4rI18531337!!?
antivm: true
c2_url: https://pastebin.com/raw/iN0vMtL8
delay: 3
download_payload: false
install: false
install_name: Wservices.exe
main_folder: Temp
pin_spread: false
sub_folder: \
usb_spread: false
Targets
-
-
Target
ec78bffd668366762d3d8e235eb5dccfa4274dd6d7fbaa562f2f990607bdc0b0
-
Executes dropped EXE
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Legitimate hosting services abused for malware hosting/C2
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-