limerat | a4c1fac56d90b4e04cbb6882b82e8ca5be9ea05d41daf591aeec2f8a2ed01190 | Triage

Sharing

General

Target

346429703abf3da7cb4dae7e1d7762d5_JaffaCakes118
Size

958KB
Sample

241011-mpx14stblp
MD5

346429703abf3da7cb4dae7e1d7762d5
SHA1

6bd5c22fecaa2aa5f4fb1520559578eb58f6f4eb
SHA256

a4c1fac56d90b4e04cbb6882b82e8ca5be9ea05d41daf591aeec2f8a2ed01190
SHA512

e4bd329565adddc05259b2922e28984a53a373e18735fd19c2d7b128b064598dc93527644d7d9774e2329643c9a96b7e05dbc2ea23c92c8de4c49c7582c63e9f
SSDEEP

6144:oAyQu6Uq2jvnC8NWo7ifUfph9/U2GaSGO990AEVf+VC:1UpDCUWqifek29SGi0FVfqC

Score

10^/10

limerat discovery evasion rat

Malware Config

Extracted

Family

limerat

Wallets

3GRaJ52TdJNnEZKLh8wvbmhPxr6Tf97C8L

Attributes

aes_key
NyanCat
antivm
true
c2_url
https://pastebin.com/raw/N3exjfnX
delay
3
download_payload
false
install
true
install_name
Nvidia GPU.exe
main_folder
UserProfile
pin_spread
false
sub_folder
\
usb_spread
true

Targets

- Target
  
  346429703abf3da7cb4dae7e1d7762d5_JaffaCakes118
- Size
  
  958KB
- MD5
  
  346429703abf3da7cb4dae7e1d7762d5
- SHA1
  
  6bd5c22fecaa2aa5f4fb1520559578eb58f6f4eb
- SHA256
  
  a4c1fac56d90b4e04cbb6882b82e8ca5be9ea05d41daf591aeec2f8a2ed01190
- SHA512
  
  e4bd329565adddc05259b2922e28984a53a373e18735fd19c2d7b128b064598dc93527644d7d9774e2329643c9a96b7e05dbc2ea23c92c8de4c49c7582c63e9f
- SSDEEP
  
  6144:oAyQu6Uq2jvnC8NWo7ifUfph9/U2GaSGO990AEVf+VC:1UpDCUWqifek29SGi0FVfqC
Score

10^/10

limerat discovery evasion rat
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

limeratdiscoveryevasionrat

behavioral2

limeratdiscoveryevasionrat