limerat | 729782176df07dcab88ca6d476c8b78b6b78a104d5df713a526cbf8baad1ddb5 | Triage

Sharing

General

Target

93a51bb3d03a1cebf76e63d8bdb3af04
Size

684KB
Sample

231226-2n5f5ahdgn
MD5

93a51bb3d03a1cebf76e63d8bdb3af04
SHA1

0868306dcb3a1f21fdda94e7125ad3aa2ad2dfa9
SHA256

729782176df07dcab88ca6d476c8b78b6b78a104d5df713a526cbf8baad1ddb5
SHA512

17c69bdbfbe71e80dbca83b967b6d9d77a4f63e0ea46b4c418ed7b3f318cda4603c8245b06a4d67a897baf8d8c2899bfb5da2932b0aea52d8c217752eeccc830
SSDEEP

12288:0JOpPEhZTl8pBRxhHLMmyLgIO3GsaMJcR/Vn+R9KVYszf:0JyPEhZB8pBlHomy0IO3GsId+R9KV1f

Score

10^/10

limerat agilenet evasion rat trojan

Malware Config

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/tDBQY6gT
download_payload
false
install
false
pin_spread
false
usb_spread
false

Targets

- Target
  
  93a51bb3d03a1cebf76e63d8bdb3af04
- Size
  
  684KB
- MD5
  
  93a51bb3d03a1cebf76e63d8bdb3af04
- SHA1
  
  0868306dcb3a1f21fdda94e7125ad3aa2ad2dfa9
- SHA256
  
  729782176df07dcab88ca6d476c8b78b6b78a104d5df713a526cbf8baad1ddb5
- SHA512
  
  17c69bdbfbe71e80dbca83b967b6d9d77a4f63e0ea46b4c418ed7b3f318cda4603c8245b06a4d67a897baf8d8c2899bfb5da2932b0aea52d8c217752eeccc830
- SSDEEP
  
  12288:0JOpPEhZTl8pBRxhHLMmyLgIO3GsaMJcR/Vn+R9KVYszf:0JyPEhZB8pBlHomy0IO3GsId+R9KV1f
Score

10^/10

limerat agilenet evasion rat trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

limeratagilenetevasionrattrojan

behavioral2