limerat | 413fe778ab59f6f665df797beb735c0fcd5b43ef69c24095114284c65a257d17 | Triage

Submit
Reports

Overview

overview

Static

static

3

new.exe

windows10-1703-x64

Sharing

General

Target

new.exe
Size

45KB
Sample

240929-yf2tgs1erb
MD5

078f1a2a913ba70371d443044db7cc40
SHA1

44010076b38bec2436aa1b853a9670090852744a
SHA256

413fe778ab59f6f665df797beb735c0fcd5b43ef69c24095114284c65a257d17
SHA512

5d541ba26857f1d6c94a74aa66452b9471b516dc3db08e185774a6e4058f6a727a803872e9e1bc9586ac50f3abcb762fc3c28598c785e6ec441fb8da2e725e8e
SSDEEP

768:Tzl6vbR77QVBgqtpYhoQWxZIiqBXWPXCN8z5us0BOHtokRCvM+T+rU0mdId1/:3UbR7IDmJBXWJ51nHtokRcM+u5H/

Score

10^/10

limerat discovery persistence privilege_escalation rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

new.exe

Resource

win10-20240404-en

limerat discovery persistence privilege_escalation rat

windows10-1703-x64

23 signatures

300 seconds

Malware Config

Extracted

Family

limerat

Attributes

aes_key
123499
antivm
false
c2_url
https://pastebin.com/raw/ZJ0Dhft2
delay
3
download_payload
false
install
false
install_name
Wservices.exe
main_folder
Temp
pin_spread
false
sub_folder
\
usb_spread
false

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/ZJ0Dhft2
download_payload
false
install
false
pin_spread
false
usb_spread
false

Targets

- Target
  
  new.exe
- Size
  
  45KB
- MD5
  
  078f1a2a913ba70371d443044db7cc40
- SHA1
  
  44010076b38bec2436aa1b853a9670090852744a
- SHA256
  
  413fe778ab59f6f665df797beb735c0fcd5b43ef69c24095114284c65a257d17
- SHA512
  
  5d541ba26857f1d6c94a74aa66452b9471b516dc3db08e185774a6e4058f6a727a803872e9e1bc9586ac50f3abcb762fc3c28598c785e6ec441fb8da2e725e8e
- SSDEEP
  
  768:Tzl6vbR77QVBgqtpYhoQWxZIiqBXWPXCN8z5us0BOHtokRCvM+T+rU0mdId1/:3UbR7IDmJBXWJ51nHtokRcM+u5H/
Score

10^/10

limerat discovery persistence privilege_escalation rat
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

Component Object Model Hijacking

Image File Execution Options Injection

Privilege Escalation

Event Triggered Execution

Component Object Model Hijacking

Image File Execution Options Injection

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

limeratdiscoverypersistenceprivilege_escalationrat

© 2018-2024

Terms | Privacy