limerat

General

Target

4674e41064471788442b3b712c152414
Size

698KB
Sample

240106-rq95aabee4
MD5

4674e41064471788442b3b712c152414
SHA1

dbcf1543238fb33bd4ef817cda8148a8e2118375
SHA256

542c835beecdb583d91729b609d49a1e9e6072dce2148701faaa356723d241be
SHA512

84132c2ff04e50f04993d0ceb6ed2618b80d22cf5fc5e5bf4d6dcbe6fd3d5ead30dba2951c0df9dab392b1c96c1463114fe9bb98fd13e1bc4009ac6f5ab1ed5d
SSDEEP

12288:zkIUeiG2E73BzHjyOyHpBvygTUxieU66yI8ku/z0xast:lypBvygA8eU66yfgEst

Score

10^/10

Malware Config

Extracted

Family

limerat

Wallets

1NCY4zKfbzBA6apXnRcp4SEPaZc1xeYtzi

Attributes

aes_key
NYANCAT
antivm
false
c2_url
https://pastebin.com/raw/LJe9sUk5
delay
6
download_payload
false
install
false
install_name
Wservices.exe
main_folder
Temp
pin_spread
false
sub_folder
\
usb_spread
true

Extracted

Family

warzonerat

C2

businessdministration.webredirect.org:5292

Extracted

Family

njrat

Version

0.7.3

Botnet

OfficeH

C2

virtuallogoprepaidmax.duckdns.org:6527

Mutex

Client.exe

Attributes

reg_key
Client.exe
splitter
1904

Targets

- Target
  
  4674e41064471788442b3b712c152414
- Size
  
  698KB
- MD5
  
  4674e41064471788442b3b712c152414
- SHA1
  
  dbcf1543238fb33bd4ef817cda8148a8e2118375
- SHA256
  
  542c835beecdb583d91729b609d49a1e9e6072dce2148701faaa356723d241be
- SHA512
  
  84132c2ff04e50f04993d0ceb6ed2618b80d22cf5fc5e5bf4d6dcbe6fd3d5ead30dba2951c0df9dab392b1c96c1463114fe9bb98fd13e1bc4009ac6f5ab1ed5d
- SSDEEP
  
  12288:zkIUeiG2E73BzHjyOyHpBvygTUxieU66yI8ku/z0xast:lypBvygA8eU66yfgEst
Score

10^/10

limerat neshta njrat warzonerat officeh agilenet infostealer persistence rat spyware trojan
- Detect Neshta payload
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Warzone RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Detect Neshta payload

Neshta

WarzoneRat, AveMaria

njRAT/Bladabindi

Warzone RAT payload

Checks computer location settings

Drops startup file

Executes dropped EXE

Obfuscated with Agile.Net obfuscator

Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2