limerat | b31de3ea02144147649b6d3f04abf7b6186a5e783a63bb3b04a3552c153a397f | Triage

Sharing

General

Target

8b3c21db4e4189d00b8da6db22ae7387_JaffaCakes118
Size

66KB
Sample

240811-vpxdksyenl
MD5

8b3c21db4e4189d00b8da6db22ae7387
SHA1

6bd9edd982bb103c21b2a3072c16d0274d692f8e
SHA256

b31de3ea02144147649b6d3f04abf7b6186a5e783a63bb3b04a3552c153a397f
SHA512

1e551f14c66cdfd790c7cf8700e166dbfda95283b2247d200c02516ab676cebc0b6263250554436195efe2e8956be2d8406ebe82b7bee611fc238a9ff0fc86d2
SSDEEP

1536:J13Mt0qGK+wM0+nXdNPdwjgu3n3ipmC/k/qSAa0iUHXSjUXCOyZGqL:J13Mt7P+wM0+nXdtejgu3nypr/7RLXSZ

Score

10^/10

limerat discovery rat

Malware Config

Extracted

Family

limerat

Attributes

aes_key
IRj3SceatjDfweW/qMMw7g==
antivm
true
c2_url
https://pastebin.com/raw/p8Be8nNX
delay
3
download_payload
false
install
true
install_name
Windows Update.exe
main_folder
UserProfile
pin_spread
false
sub_folder
\Windows\
usb_spread
false

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/p8Be8nNX
download_payload
false
install
false
pin_spread
false
usb_spread
false

Targets

- Target
  
  8b3c21db4e4189d00b8da6db22ae7387_JaffaCakes118
- Size
  
  66KB
- MD5
  
  8b3c21db4e4189d00b8da6db22ae7387
- SHA1
  
  6bd9edd982bb103c21b2a3072c16d0274d692f8e
- SHA256
  
  b31de3ea02144147649b6d3f04abf7b6186a5e783a63bb3b04a3552c153a397f
- SHA512
  
  1e551f14c66cdfd790c7cf8700e166dbfda95283b2247d200c02516ab676cebc0b6263250554436195efe2e8956be2d8406ebe82b7bee611fc238a9ff0fc86d2
- SSDEEP
  
  1536:J13Mt0qGK+wM0+nXdNPdwjgu3n3ipmC/k/qSAa0iUHXSjUXCOyZGqL:J13Mt7P+wM0+nXdtejgu3nypr/7RLXSZ
Score

10^/10

limerat discovery rat
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

limeratdiscoveryrat

behavioral2

limeratdiscoveryrat