limerat | 65915e4af98643aee18a6236f90c26e672484caa47a7a7ee6a62b9071a41632e | Triage

Sharing

General

Target

4c6675bcb4996241e68fd4ac2fad45c2.bin
Size

1.4MB
Sample

230904-bqwznadc74
MD5

1d499f78e523198d78060f10ea34ffed
SHA1

4fe599c5edc067bbb8c5b72dcc0b3b935e8aef96
SHA256

65915e4af98643aee18a6236f90c26e672484caa47a7a7ee6a62b9071a41632e
SHA512

4da4df863fcceacea42ab91797cbaf43589e4a80597297e28037fd3c38be47c685224a19863f3204bb92f9e260bdfba9d9c08fdbcd5f468a3e7e85ea3001a69b
SSDEEP

24576:Q/jaCgCSgOHEjE8vq7lkRyICXlqZrc2u+05wZjTdEnsrxVdTibBBCe9nAw4zsCUZ:QagJ5vmk81Xlqlm+JZj5EsrxVdTiFBCw

Score

10^/10

limerat persistence rat

Malware Config

Extracted

Family

limerat

Wallets

1B5aLZh6psoQttLGn9tpbdibiWqzyh4Jfv

Attributes

aes_key
NYANCAT
antivm
false
c2_url
https://pastebin.com/raw/LJe9sUk5
delay
3
download_payload
false
install
false
install_name
Wservices.exe
main_folder
Temp
pin_spread
false
sub_folder
\
usb_spread
true

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/LJe9sUk5
download_payload
false
install
false
pin_spread
false
usb_spread
false

Targets

- Target
  
  1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b.exe
- Size
  
  1.5MB
- MD5
  
  4c6675bcb4996241e68fd4ac2fad45c2
- SHA1
  
  e62124ae24bc980199900e5a7c392191882118cc
- SHA256
  
  1612e6bb0cce702554b3db27bf98c140772bc85df30d210f2082cb7b01b5148b
- SHA512
  
  bf385448e4791a67e6fd79cc2310835320c7c590e95d2933eb661a5fd41712f8f6d3760410d733757effc08da32160b58909b14f8eb295b68594efa885542ab9
- SSDEEP
  
  24576:C4Zv8wgIQYygkY9lA6pnLZGBrgxFdgLOjRFqD3Fd2U+1A4EKazGG7/52rhUVrp:CkYIhkeTYBrUyOjjU+1ArF/El+9
Score

10^/10

limerat persistence rat
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

limeratpersistencerat

behavioral2

limeratpersistencerat