limerat

General

Target

svchost.exe
Size

242KB
Sample

240619-1x3s8atela
MD5

05e991bcf019b487f7ad4e896c77e988
SHA1

f4a93e4ce16dba10cdc835fe1ae71da3dd88f73a
SHA256

cb87011623c7e41c0a449814e76c887543e6e39e6ab3864c7cc3636dcf09e196
SHA512

4f4ee0153af79dbb6352b1382cbee3b5af72c64f827450d2a681fd2b3177304ac1c6626c055159facb84aca9f8ba6aa9d1265d5fb148080e566903949081cfb3
SSDEEP

6144:GpCE/UVPy/oCa+LDZWC9z5B0bmknq1difFN:6CzPygCa+DZ+nq1cT

Score

10^/10

Malware Config

Extracted

Family

limerat

Wallets

False

Attributes

aes_key
1
antivm
false
c2_url
https://pastebin.com/raw/GfV4LBjE
download_payload
true
install
true
install_name
svchost.exe
main_folder
False
payload_url
True
pin_spread
true
sub_folder
False
usb_spread
false

Extracted

Credentials

Protocol: ftp
Host:
ftp.encompossoftware.com
Port:
21
Username:
remoteuser
Password:
Encomposx99

Targets

- Target
  
  svchost.exe
- Size
  
  242KB
- MD5
  
  05e991bcf019b487f7ad4e896c77e988
- SHA1
  
  f4a93e4ce16dba10cdc835fe1ae71da3dd88f73a
- SHA256
  
  cb87011623c7e41c0a449814e76c887543e6e39e6ab3864c7cc3636dcf09e196
- SHA512
  
  4f4ee0153af79dbb6352b1382cbee3b5af72c64f827450d2a681fd2b3177304ac1c6626c055159facb84aca9f8ba6aa9d1265d5fb148080e566903949081cfb3
- SSDEEP
  
  6144:GpCE/UVPy/oCa+LDZWC9z5B0bmknq1difFN:6CzPygCa+DZ+nq1cT
Score

10^/10

limerat defense_evasion evasion execution impact ransomware rat trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Modifies security service
  evasion
- Modifies visibility of file extensions in Explorer
  evasion
- Modifies visiblity of hidden/system files in Explorer
  evasion
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
behavioral1 behavioral2