limerat | 3fcc4f194e7bc1b894cacb0c09642b9827c9f11ab43180ffcc36ce5c8401bf41 | Triage

Sharing

General

Target

3fcc4f194e7bc1b894cacb0c09642b9827c9f11ab43180ffcc36ce5c8401bf41
Size

77KB
Sample

230129-x5y88aah23
MD5

0badb1a758031e5ee6aca7e01e551005
SHA1

3b2094e19a8958d16ddd1914c51b55cc1ef46de7
SHA256

3fcc4f194e7bc1b894cacb0c09642b9827c9f11ab43180ffcc36ce5c8401bf41
SHA512

a75b7fb8a78704796ad8af2df84a8f9e61fc14255621fe3ac9d4a7364a966362b7a19086eb3502dedb62969bf188475c181e7e99226d34e87f1cceb40e756077
SSDEEP

1536:4FiOpOK7McctSDnAeVB919Z97CXrRkvXE+QQ4k6P8t5W:eZX/eKnLrZXvXE+QQ4k6P8t5W

Score

10^/10

limerat evasion persistence rat trojan

Malware Config

Extracted

Family

limerat

Wallets

1PwPgp5XGS4VapRjQM1XijgAs2psFeZVGM

Attributes

aes_key
#C^7M3ha6&%678n3VRZet)-D*;zH8Hxa
antivm
false
c2_url
https://pastebin.com/raw/6mZktVr5
delay
35
download_payload
false
install
false
install_name
Windows Update Assistant.exe
main_folder
UserProfile
pin_spread
false
sub_folder
\Microsoft\
usb_spread
true

Targets

- Target
  
  3fcc4f194e7bc1b894cacb0c09642b9827c9f11ab43180ffcc36ce5c8401bf41
- Size
  
  77KB
- MD5
  
  0badb1a758031e5ee6aca7e01e551005
- SHA1
  
  3b2094e19a8958d16ddd1914c51b55cc1ef46de7
- SHA256
  
  3fcc4f194e7bc1b894cacb0c09642b9827c9f11ab43180ffcc36ce5c8401bf41
- SHA512
  
  a75b7fb8a78704796ad8af2df84a8f9e61fc14255621fe3ac9d4a7364a966362b7a19086eb3502dedb62969bf188475c181e7e99226d34e87f1cceb40e756077
- SSDEEP
  
  1536:4FiOpOK7McctSDnAeVB919Z97CXrRkvXE+QQ4k6P8t5W:eZX/eKnLrZXvXE+QQ4k6P8t5W
Score

10^/10

limerat evasion persistence rat trojan
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Executes dropped EXE
- Looks for VMWare Tools registry key
  evasion
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Virtualization/Sandbox Evasion

Web Service

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

limeratevasionpersistencerattrojan

behavioral2

limeratevasionpersistencerattrojan