limerat | f045fb1743e8dc5132304b897f9582ddf01881d76b3d34af97a5114157c1ed5e | Triage

Submit
Reports

Overview

overview

Static

static

BlackSkullV2.exe

windows10-1703-x64

Sharing

General

Target

BlackSkullV2.exe
Size

51KB
Sample

240930-k1badawgpq
MD5

07eabc6db5de229a160ef35ef2520b93
SHA1

2000b5046d2cfe5efe9ef9fe2c781a0e2362cb59
SHA256

f045fb1743e8dc5132304b897f9582ddf01881d76b3d34af97a5114157c1ed5e
SHA512

e4ebd9577a2f6e2e41d9214dce243d63bee6f4e98562df659647b5e37fd16c9624ae7068607563e55314f40a10be7d5dd3c22875446b69b6b5b182edc2118ec4
SSDEEP

1536:kp8nwtTplnav3iWvSLkhm1SDdxYEokbz:O+wtTpln9oeqdaEf

Score

10^/10

limerat credential_access discovery ransomware rat spyware stealer

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

BlackSkullV2.exe

Resource

win10-20240404-en

limerat credential_access discovery ransomware rat spyware stealer

windows10-1703-x64

24 signatures

300 seconds

Malware Config

Extracted

Family

limerat

Attributes

aes_key
123499
antivm
false
c2_url
https://pastebin.com/raw/zwppgXcp
delay
3
download_payload
false
install
false
install_name
WindowsServices.exe
main_folder
Temp
pin_spread
false
sub_folder
\
usb_spread
false

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/zwppgXcp
download_payload
false
install
false
pin_spread
false
usb_spread
false

Targets

- Target
  
  BlackSkullV2.exe
- Size
  
  51KB
- MD5
  
  07eabc6db5de229a160ef35ef2520b93
- SHA1
  
  2000b5046d2cfe5efe9ef9fe2c781a0e2362cb59
- SHA256
  
  f045fb1743e8dc5132304b897f9582ddf01881d76b3d34af97a5114157c1ed5e
- SHA512
  
  e4ebd9577a2f6e2e41d9214dce243d63bee6f4e98562df659647b5e37fd16c9624ae7068607563e55314f40a10be7d5dd3c22875446b69b6b5b182edc2118ec4
- SSDEEP
  
  1536:kp8nwtTplnav3iWvSLkhm1SDdxYEokbz:O+wtTpln9oeqdaEf
Score

10^/10

limerat credential_access discovery ransomware rat spyware stealer
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Renames multiple (5351) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Sets desktop wallpaper using registry
  ransomware
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Windows Credential Manager

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Defacement

Tasks

static1

behavioral1

limeratcredential_accessdiscoveryransomwareratspywarestealer

© 2018-2025

Terms | Privacy