limerat | 31e5ee4bfed3bc1e491d75bf07958d0141264d736fd25d883125054d4f4d9328 | Triage

Sharing

General

Target

259d498a10482929d3331458526047e5_JaffaCakes118
Size

78KB
Sample

240508-te6ntseg69
MD5

259d498a10482929d3331458526047e5
SHA1

9808b64e9dee325393374884344b18e37570a135
SHA256

31e5ee4bfed3bc1e491d75bf07958d0141264d736fd25d883125054d4f4d9328
SHA512

c7dc6460662d59fbe319b56e5a401d2b642aaa6fb5d237ea7a68aaa6df9f39267a0e10ab6bad8156614b9051c9f7d6947d76999bbc313c3153ec8aca63e37ecb
SSDEEP

1536:MkeH1wzPeje9dZld4WwA2z7efZCJrChYZ1sCUpW7c:emmjWLdbwA2LJrQYZ1sCUpW7c

Score

10^/10

limerat evasion persistence rat trojan

Malware Config

Extracted

Family

limerat

Attributes

aes_key
EIYV1V9YH5dE7u4B6kXr
antivm
true
c2_url
https://pastebin.com/raw/LtRQn6ir
delay
3
download_payload
false
install
true
install_name
mswebhook.exe
main_folder
AppData
pin_spread
false
sub_folder
\edge\
usb_spread
true

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/LtRQn6ir
download_payload
false
install
false
pin_spread
false
usb_spread
false

Targets

- Target
  
  259d498a10482929d3331458526047e5_JaffaCakes118
- Size
  
  78KB
- MD5
  
  259d498a10482929d3331458526047e5
- SHA1
  
  9808b64e9dee325393374884344b18e37570a135
- SHA256
  
  31e5ee4bfed3bc1e491d75bf07958d0141264d736fd25d883125054d4f4d9328
- SHA512
  
  c7dc6460662d59fbe319b56e5a401d2b642aaa6fb5d237ea7a68aaa6df9f39267a0e10ab6bad8156614b9051c9f7d6947d76999bbc313c3153ec8aca63e37ecb
- SSDEEP
  
  1536:MkeH1wzPeje9dZld4WwA2z7efZCJrChYZ1sCUpW7c:emmjWLdbwA2LJrQYZ1sCUpW7c
Score

10^/10

limerat evasion persistence rat trojan
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Looks for VMWare Tools registry key
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

limeratevasionpersistencerattrojan

behavioral2

limeratevasionpersistencerattrojan