limerat | eba4882c49c54030d463a2aaa2ac2392cfdb0b22c2b0b062eb862d04e7d16165 | Triage

Submit
Reports

Overview

overview

Static

static

3

d25339ece5...49.exe

windows7-x64

d25339ece5...49.exe

windows10-2004-x64

Sharing

General

Target

50b2b692da0c363e301709a28b30afaf.bin
Size

53KB
Sample

231122-b86a2sad8y
MD5

937827b3d505a9223c468c0e00434f54
SHA1

7d95568b829233a1815ac8c3dd70853df8702415
SHA256

eba4882c49c54030d463a2aaa2ac2392cfdb0b22c2b0b062eb862d04e7d16165
SHA512

795db7c1aae2d5096c1b135ebc3c8ced12a9d28f111c2352fac1e172654b22d51938cc56ce626729c10e601b1bbbe7ade506186a61c476a2051898d69d0c809d
SSDEEP

1536:vYpx45PO/GQm84juxZp4AvA0j7mco9vTM:AD45POHt4jBAvDSbM

Score

10^/10

limerat xworm microsoft persistence phishing rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49.exe

Resource

win7-20231023-en

limerat xworm persistence rat trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49.exe

Resource

win10v2004-20231023-en

limerat xworm microsoft persistence phishing rat trojan

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

162.212.154.8:41589

Mutex

1fGBFdYzxtDnKgy4

Attributes

Install_directory
%AppData%
install_file
OneDrive.exe
telegram
https://api.telegram.org/bot6875063177:AAG1OPJLZ36MPY8oqR1DVb1VHR2wOmnCudg/sendMessage?chat_id=2136313574

aes.plain

Extracted

Family

limerat

Attributes

aes_key
devil
antivm
false
c2_url
https://pastebin.com/raw/rPy10VvM
delay
3
download_payload
false
install
true
install_name
Windows Session Manager.exe
main_folder
AppData
pin_spread
false
sub_folder
\Windows\
usb_spread
false

Targets

- Target
  
  d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49.exe
- Size
  
  66KB
- MD5
  
  50b2b692da0c363e301709a28b30afaf
- SHA1
  
  098e00413ba405bcc72b71a5869c2d151e93448a
- SHA256
  
  d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49
- SHA512
  
  d463babcae95c3c200af5ae59aa5f89e2edeb267bb15e843f8a241e17794db1672067cba421ba38cda4e161151d93e5eb2e3bb06cd5ce6bc98d651ebf58f06ce
- SSDEEP
  
  1536:UJOjk0yzcRvVSfD8tzsy/jV49Gko0S/aATWJvQ3MJea9yn90+x:UJ70yK4D6P+YxpABJD9F+x
Score

10^/10

limerat xworm persistence rat trojan microsoft phishing
- Detect Xworm Payload
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Detected potential entity reuse from brand microsoft.
  phishing microsoft
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

limeratxwormpersistencerattrojan

behavioral2

limeratxwormmicrosoftpersistencephishingrattrojan

© 2018-2025

Terms | Privacy