limerat | 7eabfd11071c795239758dbe44aa1311e89db5f1bd488fb3133757eba8842e16 | Triage

Sharing

General

Target

7eabfd11071c795239758dbe44aa1311e89db5f1bd488fb3133757eba8842e16
Size

79KB
Sample

230129-x5v7kacc5z
MD5

771a90e168eb38cf7b43ae841759a68f
SHA1

67ea99261e3fad89dce8771c8f9ed4e3c6f9d35a
SHA256

7eabfd11071c795239758dbe44aa1311e89db5f1bd488fb3133757eba8842e16
SHA512

98a4663f05be6f56ece305da44d2a8df3d5d17b72d1b85489b13c81745c5c16c711d3e3a68d5c76b5b7a32f9ada3df85ac43bd2df87ea801c395d0dc7a041100
SSDEEP

1536:S5CmrfW0509dVoxdVps8KQ+lu9TbdbfRA:DD3uxMl4TbdbfRA

Score

10^/10

limerat evasion persistence rat trojan

Malware Config

Extracted

Family

limerat

Wallets

1PwPgp5XGS4VapRjQM1XijgAs2psFeZVGM

Attributes

aes_key
#C^7M3ha6&%678n3VRZet)-D*;zH8Hxa
antivm
true
c2_url
https://pastebin.com/raw/6mZktVr5
delay
51
download_payload
false
install
true
install_name
Windows Update Assistant.exe
main_folder
UserProfile
pin_spread
false
sub_folder
\Microsoft\
usb_spread
true

Targets

- Target
  
  7eabfd11071c795239758dbe44aa1311e89db5f1bd488fb3133757eba8842e16
- Size
  
  79KB
- MD5
  
  771a90e168eb38cf7b43ae841759a68f
- SHA1
  
  67ea99261e3fad89dce8771c8f9ed4e3c6f9d35a
- SHA256
  
  7eabfd11071c795239758dbe44aa1311e89db5f1bd488fb3133757eba8842e16
- SHA512
  
  98a4663f05be6f56ece305da44d2a8df3d5d17b72d1b85489b13c81745c5c16c711d3e3a68d5c76b5b7a32f9ada3df85ac43bd2df87ea801c395d0dc7a041100
- SSDEEP
  
  1536:S5CmrfW0509dVoxdVps8KQ+lu9TbdbfRA:DD3uxMl4TbdbfRA
Score

10^/10

limerat evasion persistence rat trojan
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Executes dropped EXE
- Looks for VMWare Tools registry key
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

Modify Registry

Virtualization/Sandbox Evasion

Web Service

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

limeratevasionpersistencerattrojan

behavioral2

limeratevasionpersistencerattrojan