limerat | bb93d16760825fb1ef7127af898b6b1e0be7e9829d0bffae4b7c0d2bdec58101 | Triage

Sharing

General

Target

8e4bee2b8683f28b25140d3cb1e81761_JaffaCakes118
Size

522KB
Sample

240602-q5fnjsea6v
MD5

8e4bee2b8683f28b25140d3cb1e81761
SHA1

cc4de5579b8f6e96ed2feceacb4f05483533e003
SHA256

bb93d16760825fb1ef7127af898b6b1e0be7e9829d0bffae4b7c0d2bdec58101
SHA512

665a02d1ae0f3f85a968ad29fba913a4fe7f2a3e58c8b73713d8f9d6ea990219b1b16b5126e4ec1e2afe194e7c3c3f93a08579ea04857f32b6baedf8adf7b44c
SSDEEP

12288:30/VlIyo8VLtGekSe0MylJCtcZkbAPEXe0FROFz9uTo6ubxsVsYRiSse8b5tDEV0:kIv+lJCtcZkbAPEXRGCuIsYYNHtD9t

Score

10^/10

limerat persistence rat

Malware Config

Extracted

Family

limerat

Wallets

359Z6KxMenwvgkA7vpGeBtinJPTj5raZz8

Attributes

aes_key
arglobal
antivm
false
c2_url
https://pastebin.com/raw/CV5RHE9G
delay
3
download_payload
false
install
false
install_name
Wservices.exe
main_folder
Temp
pin_spread
false
sub_folder
\
usb_spread
false

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/CV5RHE9G
download_payload
false
install
false
pin_spread
false
usb_spread
false

Targets

- Target
  
  8e4bee2b8683f28b25140d3cb1e81761_JaffaCakes118
- Size
  
  522KB
- MD5
  
  8e4bee2b8683f28b25140d3cb1e81761
- SHA1
  
  cc4de5579b8f6e96ed2feceacb4f05483533e003
- SHA256
  
  bb93d16760825fb1ef7127af898b6b1e0be7e9829d0bffae4b7c0d2bdec58101
- SHA512
  
  665a02d1ae0f3f85a968ad29fba913a4fe7f2a3e58c8b73713d8f9d6ea990219b1b16b5126e4ec1e2afe194e7c3c3f93a08579ea04857f32b6baedf8adf7b44c
- SSDEEP
  
  12288:30/VlIyo8VLtGekSe0MylJCtcZkbAPEXe0FROFz9uTo6ubxsVsYRiSse8b5tDEV0:kIv+lJCtcZkbAPEXRGCuIsYYNHtD9t
Score

10^/10

limerat persistence rat
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

limeratpersistencerat

behavioral2

limeratpersistencerat