General
-
Target
a00578f7146ca07d408809a45a1ef9eb
-
Size
1.1MB
-
Sample
240216-lc9cyafh53
-
MD5
a00578f7146ca07d408809a45a1ef9eb
-
SHA1
3b59cebd2112fd08fe7e128d750eb3876763a3ef
-
SHA256
57a08a9176c41262cf25a6294d7a1aebf712835eb5d64876846e1aae46d19b0d
-
SHA512
85764827c35f26a69194fb108e21c28b7a4c69346d74d344b79d6c14061828f390c3e64d94a521fcaa6ccf776723679782807efa211f325f2c1bf20807379445
-
SSDEEP
24576:4AHnh+eWsN3skA4RV1Hom2KXMmHa97aWtjzjFtuM254:/h+ZkldoPK8Ya971XjFtA4
Malware Config
Extracted
limerat
1JBKLGyE6AnRGvk92A8x3m8qmXfh3fcEty
-
aes_key
nulled
-
antivm
true
-
c2_url
https://pastebin.com/raw/cXuQ0V20
-
delay
3
-
download_payload
false
-
install
false
-
install_name
Winservices.exe
-
main_folder
AppData
-
pin_spread
false
-
sub_folder
\
-
usb_spread
true
Extracted
limerat
-
antivm
false
-
c2_url
https://pastebin.com/raw/cXuQ0V20
-
download_payload
false
-
install
false
-
pin_spread
false
-
usb_spread
false
Targets
-
-
Target
a00578f7146ca07d408809a45a1ef9eb
-
Size
1.1MB
-
MD5
a00578f7146ca07d408809a45a1ef9eb
-
SHA1
3b59cebd2112fd08fe7e128d750eb3876763a3ef
-
SHA256
57a08a9176c41262cf25a6294d7a1aebf712835eb5d64876846e1aae46d19b0d
-
SHA512
85764827c35f26a69194fb108e21c28b7a4c69346d74d344b79d6c14061828f390c3e64d94a521fcaa6ccf776723679782807efa211f325f2c1bf20807379445
-
SSDEEP
24576:4AHnh+eWsN3skA4RV1Hom2KXMmHa97aWtjzjFtuM254:/h+ZkldoPK8Ya971XjFtA4
Score10/10-
LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Legitimate hosting services abused for malware hosting/C2
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-