limerat

General

Target

bb2de5629dfeb812b45fb00a6fbadf4e_JaffaCakes118
Size

61KB
Sample

240618-hmmp5s1grc
MD5

bb2de5629dfeb812b45fb00a6fbadf4e
SHA1

e3a3642264eae88eba72c67933057f2dfc2dd2b6
SHA256

fc790cea14d04d9090ab085b585a8017ad469ebbce5c9d29c8d877ccf9e3efbf
SHA512

3d3a250e9c6ca842daf90d9b666796dc7e8cebce83ed3ab972db052f60fc70418c7aa3f45f45b0ab61f63e7621d147620f20734bc8556e6d614c49abb7eba28d
SSDEEP

1536:2qGaT/1sMrcvwms7Glz0DKVLcBCAGLq1ZjTj:2qRaMrUwmuvDWLcBCAGL8j

Score

10^/10

limerat rat

Malware Config

Extracted

Family

limerat

Wallets

1d15EibWVaZg8KADH1wR5phqhtyhbbdCc

Attributes

aes_key
batata1
antivm
true
c2_url
https://pastebin.com/raw/hqkeiAWx
delay
3
download_payload
false
install
true
install_name
twvrsvc.exe
main_folder
AppData
pin_spread
false
sub_folder
\TeamViewer\
usb_spread
true

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/hqkeiAWx
download_payload
false
install
false
pin_spread
false
usb_spread
false

Targets

- Target
  
  bb2de5629dfeb812b45fb00a6fbadf4e_JaffaCakes118
- Size
  
  61KB
- MD5
  
  bb2de5629dfeb812b45fb00a6fbadf4e
- SHA1
  
  e3a3642264eae88eba72c67933057f2dfc2dd2b6
- SHA256
  
  fc790cea14d04d9090ab085b585a8017ad469ebbce5c9d29c8d877ccf9e3efbf
- SHA512
  
  3d3a250e9c6ca842daf90d9b666796dc7e8cebce83ed3ab972db052f60fc70418c7aa3f45f45b0ab61f63e7621d147620f20734bc8556e6d614c49abb7eba28d
- SSDEEP
  
  1536:2qGaT/1sMrcvwms7Glz0DKVLcBCAGLq1ZjTj:2qRaMrUwmuvDWLcBCAGL8j
Score

10^/10

limerat rat
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral1 behavioral2
- Target
  
  Cure Tool.exe
- Size
  
  9KB
- MD5
  
  7658c455f3acdc2b574da9f863855f01
- SHA1
  
  c05e0e3ccfb01bec9e6e4f8592fc21fe8a991b32
- SHA256
  
  8d0ab3ac5f70ab0d16c1c3f1f66e4580e4116175d30bece8b14514858c9174dc
- SHA512
  
  7325535c7228542cecf43c2042dd07caee54d8f61a49ea5750508f7ed27ad0f5b24c62a023c0c8f675bb8c077720d60565338ce10754ae098ec7d47bf3f83730
- SSDEEP
  
  192:QB+LppLO0OTdyFnEKxx0hRu6nC48MqlkzpwIqyi:k+FRYxKxWhRXC48Ezpwdy
Score

1^/10
behavioral3 behavioral4
- Target
  
  tvsxwrc.exe
- Size
  
  28KB
- MD5
  
  7374806e51b404de9c639cbff4226eed
- SHA1
  
  6c7466e48018fa00ccf53a24615448117697f494
- SHA256
  
  5963297e6660586d55779912944414ca8e5ccdf2769419b779e145d5fc597c9f
- SHA512
  
  5c29c8c16be3a46cf64997fda0810953fa16c3f53fd8f7979e80a97849e23e36baca1cf84cf84a1404b55cbde8543c3d740c9397da576738a14c64a9962f00f7
- SSDEEP
  
  768:bzRbFf8Wp2hBhLXCidmDUjFQuval1IjyJ:fNp8Wp2hBhui8kFfgqjO
Score

10^/10

limerat rat
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral5 behavioral6