General
-
Target
267a4c85d232e2ac38129146e11076fe_JaffaCakes118
-
Size
625KB
-
Sample
240508-yqagzsfc46
-
MD5
267a4c85d232e2ac38129146e11076fe
-
SHA1
1e8022b879ee79f2fe86ecac410a116b05ac0112
-
SHA256
861b6c9421ebe142f5a3c13817190ab30b5b7b5e68692e886639589b784086e4
-
SHA512
793acc93adfe3c116674bf0ab4122ebe41335dd525034ca78f5f59408976fe62a27ce98a9cbebffa476186324447083f59ecdfa210fac4f872476adedb911567
-
SSDEEP
12288:iSJcHRFHvJTjucJ71RXKvGgKsfUReclQ42dFA3ADj6Dl18WlL0u:2RFHv5jDJDNmKlQ1dFAr0x
Malware Config
Extracted
limerat
359Z6KxMenwvgkA7vpGeBtinJPTj5raZz8
-
aes_key
arglobal
-
antivm
false
-
c2_url
https://pastebin.com/raw/CV5RHE9G
-
delay
3
-
download_payload
true
-
install
false
-
install_name
Wservices.exe
-
main_folder
AppData
-
payload_url
http://23.249.161.100/zaher/zna.exe
-
pin_spread
false
-
sub_folder
\vbc\
-
usb_spread
false
Extracted
limerat
-
antivm
false
-
c2_url
https://pastebin.com/raw/CV5RHE9G
-
download_payload
false
-
install
false
-
pin_spread
false
-
usb_spread
false
Targets
-
-
Target
267a4c85d232e2ac38129146e11076fe_JaffaCakes118
-
Size
625KB
-
MD5
267a4c85d232e2ac38129146e11076fe
-
SHA1
1e8022b879ee79f2fe86ecac410a116b05ac0112
-
SHA256
861b6c9421ebe142f5a3c13817190ab30b5b7b5e68692e886639589b784086e4
-
SHA512
793acc93adfe3c116674bf0ab4122ebe41335dd525034ca78f5f59408976fe62a27ce98a9cbebffa476186324447083f59ecdfa210fac4f872476adedb911567
-
SSDEEP
12288:iSJcHRFHvJTjucJ71RXKvGgKsfUReclQ42dFA3ADj6Dl18WlL0u:2RFHv5jDJDNmKlQ1dFAr0x
Score10/10-
LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
-
Drops startup file
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-