limerat | ef2a510aa2f3657c32deab53ec3fc80edd2bec58ac0da22e095513884e7043bc | Triage

Submit
Reports

Overview

overview

Static

static

3

fb8afa9be7...18.exe

windows7-x64

8

fb8afa9be7...18.exe

windows10-2004-x64

Sharing

General

Target

fb8afa9be7cd9b09165d39421503ebfd_JaffaCakes118
Size

1.7MB
Sample

240928-fjn3paxhmp
MD5

fb8afa9be7cd9b09165d39421503ebfd
SHA1

2919894445553dae0a5f97697cb5db0df965166e
SHA256

ef2a510aa2f3657c32deab53ec3fc80edd2bec58ac0da22e095513884e7043bc
SHA512

ba102f2e15540ade3990b82982be66b53db728d4929486477f63246646fc5559c294c5abb4cafdd989cf4adca090bdd5dd250c8ed38bb24a8e08e80e2cf824b3
SSDEEP

24576:Ak70TrcTvLK7koq/KtGm0kaSv/o+6207Bh9n1bUPrYTDpGEQ097U2T/DPFraw5kp:AkQTATTK73uSo37Bh968DpG+97U2TDAl

Score

10^/10

limerat discovery execution rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

fb8afa9be7cd9b09165d39421503ebfd_JaffaCakes118.exe

Resource

win7-20240903-en

discovery execution

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

fb8afa9be7cd9b09165d39421503ebfd_JaffaCakes118.exe

Resource

win10v2004-20240802-en

limerat discovery execution rat

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Targets

- Target
  
  fb8afa9be7cd9b09165d39421503ebfd_JaffaCakes118
- Size
  
  1.7MB
- MD5
  
  fb8afa9be7cd9b09165d39421503ebfd
- SHA1
  
  2919894445553dae0a5f97697cb5db0df965166e
- SHA256
  
  ef2a510aa2f3657c32deab53ec3fc80edd2bec58ac0da22e095513884e7043bc
- SHA512
  
  ba102f2e15540ade3990b82982be66b53db728d4929486477f63246646fc5559c294c5abb4cafdd989cf4adca090bdd5dd250c8ed38bb24a8e08e80e2cf824b3
- SSDEEP
  
  24576:Ak70TrcTvLK7koq/KtGm0kaSv/o+6207Bh9n1bUPrYTDpGEQ097U2T/DPFraw5kp:AkQTATTK73uSo37Bh968DpG+97U2TDAl
Score

10^/10

discovery execution limerat rat
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

limeratdiscoveryexecutionrat

© 2018-2024

Terms | Privacy