limerat | 1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b | Triage

Sharing

General

Target

1612E6BB0CCE702554B3DB27BF98C140772BC85DF30D2.exe
Size

1.5MB
Sample

230902-rsxlzadg72
MD5

4c6675bcb4996241e68fd4ac2fad45c2
SHA1

e62124ae24bc980199900e5a7c392191882118cc
SHA256

1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b
SHA512

bf385448e4791a67e6fd79cc2310835320c7c590e95d2933eb661a5fd41712f8f6d3760410d733757effc08da32160b58909b14f8eb295b68594efa885542ab9
SSDEEP

24576:C4Zv8wgIQYygkY9lA6pnLZGBrgxFdgLOjRFqD3Fd2U+1A4EKazGG7/52rhUVrp:CkYIhkeTYBrUyOjjU+1ArF/El+9

Score

10^/10

limerat persistence rat

Malware Config

Extracted

Family

limerat

Wallets

1B5aLZh6psoQttLGn9tpbdibiWqzyh4Jfv

Attributes

aes_key
NYANCAT
antivm
false
c2_url
https://pastebin.com/raw/LJe9sUk5
delay
3
download_payload
false
install
false
install_name
Wservices.exe
main_folder
Temp
pin_spread
false
sub_folder
\
usb_spread
true

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/LJe9sUk5
download_payload
false
install
false
pin_spread
false
usb_spread
false

Targets

- Target
  
  1612E6BB0CCE702554B3DB27BF98C140772BC85DF30D2.exe
- Size
  
  1.5MB
- MD5
  
  4c6675bcb4996241e68fd4ac2fad45c2
- SHA1
  
  e62124ae24bc980199900e5a7c392191882118cc
- SHA256
  
  1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b
- SHA512
  
  bf385448e4791a67e6fd79cc2310835320c7c590e95d2933eb661a5fd41712f8f6d3760410d733757effc08da32160b58909b14f8eb295b68594efa885542ab9
- SSDEEP
  
  24576:C4Zv8wgIQYygkY9lA6pnLZGBrgxFdgLOjRFqD3Fd2U+1A4EKazGG7/52rhUVrp:CkYIhkeTYBrUyOjjU+1ArF/El+9
Score

10^/10

limerat persistence rat
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

limeratpersistencerat

behavioral2

limeratpersistencerat