limerat | 2db5ed9ab6a2d81ca49933178f01d0e27455df3a113ba61e48dee0622a82a2c3 | Triage

Sharing

General

Target

ab52200ad0e49b4376f6e816e4cf84a1
Size

1.1MB
Sample

240228-h5sn4sea9s
MD5

ab52200ad0e49b4376f6e816e4cf84a1
SHA1

f1b157488357529c76d9e1ff4c9a5352ad1d0028
SHA256

2db5ed9ab6a2d81ca49933178f01d0e27455df3a113ba61e48dee0622a82a2c3
SHA512

81fd33be234c88e898fbd615c21434d0c4ef99238dab07aaa82cc5b5d39e25ac02da27ae724f8fa302139b997a69ef14683b07a20f8ed4a80ff273c60735c83e
SSDEEP

24576:4AHnh+eWsN3skA4RV1Hom2KXMmHa97aWtjzjFtuM25t:/h+ZkldoPK8Ya971XjFtAt

Score

10^/10

limerat rat

Malware Config

Extracted

Family

limerat

Wallets

1JBKLGyE6AnRGvk92A8x3m8qmXfh3fcEty

Attributes

aes_key
nulled
antivm
true
c2_url
https://pastebin.com/raw/cXuQ0V20
delay
3
download_payload
false
install
false
install_name
Winservices.exe
main_folder
AppData
pin_spread
false
sub_folder
\
usb_spread
true

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/cXuQ0V20
download_payload
false
install
false
pin_spread
false
usb_spread
false

Targets

- Target
  
  ab52200ad0e49b4376f6e816e4cf84a1
- Size
  
  1.1MB
- MD5
  
  ab52200ad0e49b4376f6e816e4cf84a1
- SHA1
  
  f1b157488357529c76d9e1ff4c9a5352ad1d0028
- SHA256
  
  2db5ed9ab6a2d81ca49933178f01d0e27455df3a113ba61e48dee0622a82a2c3
- SHA512
  
  81fd33be234c88e898fbd615c21434d0c4ef99238dab07aaa82cc5b5d39e25ac02da27ae724f8fa302139b997a69ef14683b07a20f8ed4a80ff273c60735c83e
- SSDEEP
  
  24576:4AHnh+eWsN3skA4RV1Hom2KXMmHa97aWtjzjFtuM25t:/h+ZkldoPK8Ya971XjFtAt
Score

10^/10

limerat rat
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2