limerat | f1e57d1714f74c6939ee24bb348fa12e925ec7eb380d5a7d0f1d230effb742f4 | Triage

Sharing

General

Target

l1l1l.vbs
Size

129KB
Sample

230407-ss7mlshe76
MD5

c78f607c916f060d6ee3bf391e303acc
SHA1

1575998cda060d4a570ba258abc12044601da283
SHA256

f1e57d1714f74c6939ee24bb348fa12e925ec7eb380d5a7d0f1d230effb742f4
SHA512

cf26b8b381402622df420fa3881630661d08d76660d01be2d695af8ade568a6f5e3b365e4b17bffee5589d936eeaad3f7ebf413f4a2d810d976b66511548875b
SSDEEP

3072:OrDpGzBAtEbR1OsJlTtSjtH4UX9YWZiBh+exdMjd62dT:0

Score

10^/10

limerat rat

Malware Config

Extracted

Family

limerat

Wallets

1JBKLGyE6AnRGvk92A8x3m8qmXfh3fcEty

Attributes

aes_key
nulled
antivm
true
c2_url
https://pastebin.com/raw/cXuQ0V20
delay
33
download_payload
false
install
false
install_name
dual.exe
main_folder
AppData
pin_spread
false
sub_folder
\DualCore\
usb_spread
true

Targets

- Target
  
  l1l1l.vbs
- Size
  
  129KB
- MD5
  
  c78f607c916f060d6ee3bf391e303acc
- SHA1
  
  1575998cda060d4a570ba258abc12044601da283
- SHA256
  
  f1e57d1714f74c6939ee24bb348fa12e925ec7eb380d5a7d0f1d230effb742f4
- SHA512
  
  cf26b8b381402622df420fa3881630661d08d76660d01be2d695af8ade568a6f5e3b365e4b17bffee5589d936eeaad3f7ebf413f4a2d810d976b66511548875b
- SSDEEP
  
  3072:OrDpGzBAtEbR1OsJlTtSjtH4UX9YWZiBh+exdMjd62dT:0
Score

10^/10

limerat rat
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2