General
Target: c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118
Size: 225KB
Sample: 240828-srpemstdmg
MD5: c71d20c012f7b4350c4a934afcd130f2
SHA1: a967ff6228345830899dbeb0a4471a22780ddea7
SHA256: 2f3be58f9ca7d71598eade319b93130b0276d58baceb12c3fc656387a97c51e3
SHA512: 393e51cc49e885095718896e9c5313dc9f8d10d8410f062b051b7ddad06c4518214444df1e91e62adc81a73cb14f27dd3a86eeea8ea1218a1edca9a6f01329f1
SSDEEP: 1536:iyfFtVj5LJ0DJ90D97D9uYGnS7XlaOFE56i504iiF/wZHVN:iyfDyRSE8E57/jFWT
Static task: static1
Behavioral task: behavioral1
Sample: c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118.exe
Resource: win7-20240708-en
Malware Config
Extracted
limerat
359Z6KxMenwvgkA7vpGeBtinJPTj5raZz8
aes_key: zynova@56070
antivm: false
c2_url: https://pastebin.com/raw/PyH9MBfx
delay: 3
download_payload: false
install: false
install_name: Wservices.exe
main_folder: Temp
pin_spread: true
sub_folder: \
usb_spread: true
Targets
Target: c71d20c012f7b4350c4a934afcd130f2_JaffaCakes118
Drops startup file
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext