General

  • Target: 9e416d0dbd3c5dc595ed19abafef21b70c10093c82d2ea57fe19ac0a9abb01af
  • Size: 28KB
  • Sample: 240327-pt5mvsfd4v
  • MD5: e3c80bd4160a930c6a18814bd404f114
  • SHA1: ba054718db83cb3bc88cbffc0e744f970284012a
  • SHA256: 9e416d0dbd3c5dc595ed19abafef21b70c10093c82d2ea57fe19ac0a9abb01af
  • SHA512: 44e1555c5676e7e861a7156cc6c1d0a1d2c07596445f6d468b26311220b398b521b6ebe09b61abdebfc63f1d358b2ddd18a8f079dea88398696587f511814ea3
  • SSDEEP: 384:dB+Sbj6NKaxg67XAHtyfneqDh4Xe83/vDKNrCeJE3WNgcJZZ+/2Gbt8VQro3lcQD:3pay67Xwt6P83345NL82Gbt89Fj

Score: 10/10

Malware Config

Extracted

Family: limerat

Attributes
  • aes_key: 987
  • antivm: false
  • c2_url: https://pastebin.com/raw/4n5d3XEf
  • delay: 3
  • download_payload: false
  • install: true
  • install_name: system11.exe
  • main_folder: AppData
  • pin_spread: true
  • sub_folder: \Microsoft\
  • usb_spread: true

Extracted

Family: limerat

Attributes
  • antivm: false
  • c2_url: https://pastebin.com/raw/4n5d3XEf
  • download_payload: false
  • install: false
  • pin_spread: false
  • usb_spread: false

Targets

    • LimeRAT: Simple yet powerful RAT for Windows machines written in .NET.
    • Checks computer location settings: Looks up country code configured in the registry, likely geofence.
    • Executes dropped EXE
    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution: Scheduled Task/Job (T1053), 1
  • Persistence: Scheduled Task/Job (T1053), 1
  • Privilege Escalation: Scheduled Task/Job (T1053), 1
  • Discovery: Query Registry (T1012), 1; System Information Discovery (T1082), 2
  • Command and Control: Web Service (T1102), 1

Tasks