limerat | hxxps://gofile[.]io/d/iPa1AU | Triage

Sharing

General

Target

https://gofile.io/d/iPa1AU
Sample

240929-x98y8a1eje

Score

10^/10

limerat credential_access discovery evasion persistence privilege_escalation ransomware rat spyware stealer

Malware Config

Extracted

Family

limerat

Attributes

aes_key
123499
antivm
false
c2_url
https://pastebin.com/raw/ZJ0Dhft2
delay
3
download_payload
false
install
false
install_name
Wservices.exe
main_folder
Temp
pin_spread
false
sub_folder
\
usb_spread
false

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/ZJ0Dhft2
download_payload
false
install
false
pin_spread
false
usb_spread
false

Targets

- Target
  
  https://gofile.io/d/iPa1AU
Score

10^/10

limerat credential_access discovery evasion persistence privilege_escalation ransomware rat spyware stealer
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Renames multiple (5262) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Downloads MZ/PE file
- Modifies RDP port number used by Windows
- Modifies Windows Firewall
  evasion
- Server Software Component: Terminal Services DLL
  persistence
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Legitimate hosting services abused for malware hosting/C2
- Modifies WinLogon
  persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Server Software Component

Terminal Services DLL

Privilege Escalation

Boot or Logon Autostart Execution

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Windows Credential Manager

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Remote Services

Remote Desktop Protocol

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Defacement

Tasks

static1

urlscan1

behavioral1

limeratcredential_accessdiscoveryevasionpersistenceprivilege_escalationransomwareratspywarestealer