limerat | 4dda0e4e2597929c136fdbe763d1dd3899253f4188697ea555c71c5996029620 | Triage

Sharing

General

Target

2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118
Size

452KB
Sample

240509-t4tqkabf81
MD5

2ae2ff3322d02131f692ace1f71aac6d
SHA1

3c404c9bc2a1fdb546e74dca66e35f4742687679
SHA256

4dda0e4e2597929c136fdbe763d1dd3899253f4188697ea555c71c5996029620
SHA512

683e750d9fc6a9f32a45d680e1db634b3eb071b70b441fc5a1fe7fbc2d1f496d1d4676136d58e3e5458614f10eb4d80f80726eab589186b6b788b51d8190da53
SSDEEP

6144:4hEFvdiblx6L10wOq1MXuDGCdWJPAzu9Tjz4/ri3F5fGTeQD4K9yYC5IzrvsKeT:43Pq1uuD/uE+DfGCQDSZ5m+

Score

10^/10

limerat agilenet rat

Malware Config

Extracted

Family

limerat

Attributes

aes_key
jack
antivm
false
c2_url
https://pastebin.com/raw/YtyeDvFZ
delay
3
download_payload
false
install
false
install_name
Wservices.exe
main_folder
Temp
pin_spread
false
sub_folder
\
usb_spread
false

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/YtyeDvFZ
download_payload
false
install
false
pin_spread
false
usb_spread
false

Targets

- Target
  
  2ae2ff3322d02131f692ace1f71aac6d_JaffaCakes118
- Size
  
  452KB
- MD5
  
  2ae2ff3322d02131f692ace1f71aac6d
- SHA1
  
  3c404c9bc2a1fdb546e74dca66e35f4742687679
- SHA256
  
  4dda0e4e2597929c136fdbe763d1dd3899253f4188697ea555c71c5996029620
- SHA512
  
  683e750d9fc6a9f32a45d680e1db634b3eb071b70b441fc5a1fe7fbc2d1f496d1d4676136d58e3e5458614f10eb4d80f80726eab589186b6b788b51d8190da53
- SSDEEP
  
  6144:4hEFvdiblx6L10wOq1MXuDGCdWJPAzu9Tjz4/ri3F5fGTeQD4K9yYC5IzrvsKeT:43Pq1uuD/uE+DfGCQDSZ5m+
Score

10^/10

limerat agilenet rat
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

limeratagilenetrat

behavioral2

limeratagilenetrat