limerat

Sharing

Copy URL

Twitter E-mail

General

Target

MailRanger.rar
Size

193.0MB
Sample

240813-zxw51awdpd
MD5

523a37d5fae0771d17e6fdfd0d7d57d3
SHA1

6922a526480293402a379772214f50eb9ee0dff7
SHA256

7f7821072d79a0deb26affbf11a4e73d86bfae4a3ef05f9ae6d41757b06a3617
SHA512

184cb02123260a2c2fd2803f6d94d83c4d9c5f3836be0a668745732306cb555da60cfaca5248d4a41d2a130eaa435516dc4f1d17a91ce97526add83876316ed9
SSDEEP

6291456:YJP0TDV0zorf6XgTmaqS8Ly1Z0djIDkfVa:YSCcrf6XgTmaemOyN

Score

10^/10

Malware Config

Extracted

Family

limerat

Wallets

bc1qyej3qhu680rqc5akxac39r92g6a8g6r4708gyj

Attributes

aes_key
Test
antivm
true
c2_url
https://pastebin.com/raw/FU8V31pM
delay
3
download_payload
false
install
true
install_name
system32s.exe
main_folder
AppData
pin_spread
true
sub_folder
\
usb_spread
true

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/FU8V31pM
download_payload
false
install
false
pin_spread
false
usb_spread
false

Targets

- Target
  
  MailRanger/237K HQ Skull.XYZ.txt
- Size
  
  7.6MB
- MD5
  
  99ef76358aa57161ac59ad79ffdde5a4
- SHA1
  
  6f392ff91091934814cc03e7fee0161a1ac30892
- SHA256
  
  289a102a971e2a5963f26be67ac48de8a10e1b60cec3e7f00939e153e2de08a9
- SHA512
  
  82db1c5a3262e8707907ea07af63e8530b443219f16e77c1de62c7938530f4d70d3014c84d394df4b5690b1ec599738bb59559451080d26ea4de77bc2ac4fb95
- SSDEEP
  
  49152:LDI39bQTqvVpp6kdrMrXj2rDPcnhM6GxocmL/A3TWhFuObJLJ5wLvnbZR0aEfFXu:g
Score

3^/10
behavioral1 behavioral2
- Target
  
  MailRanger/MailRanger.exe
- Size
  
  39.6MB
- MD5
  
  e98e7fec9ca811fcb78a2392bb434d82
- SHA1
  
  79be845afbc17f2f1bc048db34365a586b83ca74
- SHA256
  
  090a400f85935543d2d2097e88d4c82c11be639d5684a32829dcc695184c9ed6
- SHA512
  
  c81d1ec816d437dceb00b7cd42aed737eda06fdd3ac141cd882cfb0ea1652c8b0342642c815a333f22864c3bd782c120f8aa79f2dfa86fa5b64d10a939f904a5
- SSDEEP
  
  786432:ZrZr4zMnXWGlso5EYW4/YR+XmjsNNWonlSAmqRo1xnaHR/IG2cGP2suJNOMat:tiMXZd5Eu/J2jsNNBlSAmKo1xWRWcI2W
Score

7^/10

discovery
- Loads dropped DLL
behavioral3 behavioral4
- Target
  
  MailRanger.pyc
- Size
  
  24KB
- MD5
  
  d3f1925a0de7aff280676bf40cef2647
- SHA1
  
  87fdee3d6cff7588588a16d60833efd8f31f89a1
- SHA256
  
  95d64c79016a31cb44db60a4c4fe4519cb871420c89916918107814362190850
- SHA512
  
  4e625ffa1ecef5643642f1340d09ecaa31caea94a4de0df2323332e4c04b0bdf2069c007810284f7d801211858db6ccfb595b5953925eb300152d29982f821d2
- SSDEEP
  
  768:Lujx83lNLKFJNg9h2DQo3f7nFhTOQA9wsyPq:SM8JNgHJ2nTC
Score

3^/10
behavioral5 behavioral6
- Target
  
  MailRanger/MailUpdate.exe
- Size
  
  69KB
- MD5
  
  02192b904bdd1c545a82d8baad0ded6e
- SHA1
  
  d56dc9551b0a852cd94531ffeccdaba2328170e8
- SHA256
  
  d6568d47cb39b9220273fc4c1c7dda6403203f4952b81fe9790d19050e07114d
- SHA512
  
  00ede17e9a2c9eea4083f62f39dd1e736598418a9ecc3f35d14443682390a18ed76e9626925cf52640f536bdfae6dc656eddb8c22a7ee8e20f86f3550265d3ce
- SSDEEP
  
  1536:ZpgFwaqSZHFVGW+AasLQxFm5gUWd+0LDyjofAWZgzR:nIwadZHFoaQzm9FIDyjoY5V
Score

10^/10

limerat discovery rat
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
behavioral7 behavioral8
- Target
  
  MailRanger/Mailranger2.ini
- Size
  
  368B
- MD5
  
  c1345b2daa13a0210930e750b128ed19
- SHA1
  
  1dbc019660afede862e7fbeb951eecd03406c84c
- SHA256
  
  df0f2439bdd2c48ac97b90d8f86b7532a92e9206dc6c2bf7186e4886fa06bf1e
- SHA512
  
  ce48dc7449b3d3f7016d69d514ebb528d96a0e9e8fd3a013d1d14668eb046b8919cb9f55662602542d78ab980b3e66630722402c6c9afe7aa98a3c5f62ae0735
Score

3^/10
behavioral10 behavioral9
- Target
  
  MailRanger/Przeczytaj!!!!.txt
- Size
  
  867B
- MD5
  
  d140a8df31fcb29ddeed617863e74e4c
- SHA1
  
  8488f312855cce2422133364e7ec9af84c1ec4a3
- SHA256
  
  736956270904a1bbfafe5c6491f04ed0519c4641051a6a1fa190f5c68d3301e8
- SHA512
  
  2bdead276770043ba5138ad79627d79b110f2defcf76aa6cbf8da74abfb182b3487677370bd8adae59b85993a0876c9ac3caced0b61b01d88410f10fd9353da8
Score

3^/10
behavioral11 behavioral12
- Target
  
  MailRanger/ServerList
- Size
  
  68.0MB
- MD5
  
  f1f17b6d45477bb962a570739911c9fe
- SHA1
  
  ad89ab63f9a2ba27270308155d35ceb62c1e408a
- SHA256
  
  84b7f079ab17c3f0454176a445b596c3898dac44b0f4f0d4a08b8a53bacf082c
- SHA512
  
  bfc454b24b91c2a2aadd056be8ce2f0cce4089c7f5c5226cbde0d193d3c22cb48bfbd6d530d16693f28192258601612123c5cc897095ed1507de83b7dca15042
- SSDEEP
  
  49152:4z4hS8nv+VbuQWE+LclyO/u3jNobFhWWodMAcpD740VM37/riaFNO5tzcheewZJU:n
Score

1^/10
behavioral13 behavioral14
- Target
  
  MailRanger/how to mail_1.mp4
- Size
  
  102.5MB
- MD5
  
  c3fd4ba9f6aaaa629dfd41778be61eab
- SHA1
  
  d9c6c995d4db387c763aaf0dda3ea41ca8904710
- SHA256
  
  0bda1925009f26fd58dcd3376c2da5b28753c6f1f022a8388ff928825d03ebbf
- SHA512
  
  308a695d6c61deed48adbe279bebbdb59f302c152b24321744de3a2202941289ddf79b0c6f379c92c71abe043132421aa65da5b876d056efd006cb0f725b3be3
- SSDEEP
  
  3145728:nQi1aKHLGIxyq6pEn/Fqs49QkP8vi8FsBwU:nQrNq0EcV9lPz8NU
Score

6^/10

discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral15 behavioral16
- Target
  
  MailRanger/socks4_proxies.txt
- Size
  
  15KB
- MD5
  
  6e00109cfc1675d5de825f1b57f8f8ef
- SHA1
  
  d23c23d948f47d69fb298200bfcf6c8849d37488
- SHA256
  
  a003ef5204817b8c9249cdaa949aa87bdc55315afba57ec098cdee8c9870040d
- SHA512
  
  822de0e7281e4734a5297abb9eff77ef76e6e18cc93fb3edf556c9231b5608acbae20e44760dcaefb549944d13b62a446059f889e54de7fbc0428677d1be14aa
- SSDEEP
  
  192:cP3YMK5j88KaB+ZeQV7QA7mmrF0xpV96/Q56iDVx4y6siQJnTt0Oh8WCedl8QMH0:cPETy6D5pZzbxqr4
Score

3^/10
behavioral17 behavioral18

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Enumerates connected drives

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18