limerat | e7cd0497b023abce64dd810008aee19cf8cc8fb690b5bf2ff7af2ad22e9b5443 | Triage

Sharing

General

Target

f32a06f174f4bdc3b9d9eb6f385a8355_JaffaCakes118
Size

480KB
Sample

240924-jqpjkswflr
MD5

f32a06f174f4bdc3b9d9eb6f385a8355
SHA1

59f279a71621a554477c530cf357e5d1c246421c
SHA256

e7cd0497b023abce64dd810008aee19cf8cc8fb690b5bf2ff7af2ad22e9b5443
SHA512

1f9740cc1cb725e63cdb645e2ffac3bd45333fe5d0f87610e2bf275ab4d8dce1114fcea9e2886b36db9a2b562d3505e8f78be9ad513ea5f3ce95ff094ac34123
SSDEEP

3072:aKEIcktGAb5i21yuv8N6eDZj5V+kbYNYtpiwTYYx64szIgWXJItkSrC:apkXo21Hv8N6e9jgNhwzoBcmr

Score

10^/10

limerat discovery rat

Malware Config

Extracted

Family

limerat

Wallets

359Z6KxMenwvgkA7vpGeBtinJPTj5raZz8

Attributes

aes_key
arglobal
antivm
false
c2_url
https://pastebin.com/raw/CV5RHE9G
delay
3
download_payload
false
install
false
install_name
Wservices.exe
main_folder
Temp
pin_spread
false
sub_folder
\
usb_spread
false

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/CV5RHE9G
download_payload
false
install
false
pin_spread
false
usb_spread
false

Targets

- Target
  
  f32a06f174f4bdc3b9d9eb6f385a8355_JaffaCakes118
- Size
  
  480KB
- MD5
  
  f32a06f174f4bdc3b9d9eb6f385a8355
- SHA1
  
  59f279a71621a554477c530cf357e5d1c246421c
- SHA256
  
  e7cd0497b023abce64dd810008aee19cf8cc8fb690b5bf2ff7af2ad22e9b5443
- SHA512
  
  1f9740cc1cb725e63cdb645e2ffac3bd45333fe5d0f87610e2bf275ab4d8dce1114fcea9e2886b36db9a2b562d3505e8f78be9ad513ea5f3ce95ff094ac34123
- SSDEEP
  
  3072:aKEIcktGAb5i21yuv8N6eDZj5V+kbYNYtpiwTYYx64szIgWXJItkSrC:apkXo21Hv8N6e9jgNhwzoBcmr
Score

10^/10

limerat discovery rat
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

limeratdiscoveryrat

behavioral2

limeratdiscoveryrat