limerat | f81bc717944ec8a599c8276d9d3b1de4b995d5570139590d263b39e47e87ba3d | Triage

Sharing

General

Target

xdwd.exe
Size

25KB
Sample

241101-wmf49atfpr
MD5

aae04417cc07c39988d4fbe0e85fc9bd
SHA1

2d51b49f8f1faeba674dd0993911e8f65b4d2258
SHA256

f81bc717944ec8a599c8276d9d3b1de4b995d5570139590d263b39e47e87ba3d
SHA512

53cc6468da9be1f4a3cc3089b1ed6a7544eb5cc5f91ae8dc1390688ffe10ad9aff1df224a5cd936276440ee95cb4afcaec7cf4f63332297864179c3266560dfb
SSDEEP

384:EB+Sbj6NKIPw6LZhAHt2vTh34EnWb5j4kDhlzCTJEUmNYEYQro3lcOjsjr:CpI46Lnwt4aE+RHtN8oj

Score

10^/10

limerat credential_access discovery evasion persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

limerat

Attributes

aes_key
1337
antivm
false
c2_url
https://pastebin.com/raw/rACMKa5f
delay
3
download_payload
false
install
true
install_name
xdwd.exe
main_folder
AppData
pin_spread
false
sub_folder
\xdwd\
usb_spread
true

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/rACMKa5f
download_payload
false
install
false
pin_spread
false
usb_spread
false

Targets

- Target
  
  xdwd.exe
- Size
  
  25KB
- MD5
  
  aae04417cc07c39988d4fbe0e85fc9bd
- SHA1
  
  2d51b49f8f1faeba674dd0993911e8f65b4d2258
- SHA256
  
  f81bc717944ec8a599c8276d9d3b1de4b995d5570139590d263b39e47e87ba3d
- SHA512
  
  53cc6468da9be1f4a3cc3089b1ed6a7544eb5cc5f91ae8dc1390688ffe10ad9aff1df224a5cd936276440ee95cb4afcaec7cf4f63332297864179c3266560dfb
- SSDEEP
  
  384:EB+Sbj6NKIPw6LZhAHt2vTh34EnWb5j4kDhlzCTJEUmNYEYQro3lcOjsjr:CpI46Lnwt4aE+RHtN8oj
Score

10^/10

limerat discovery rat credential_access evasion persistence privilege_escalation spyware stealer
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Limerat family
  limerat
- Modifies RDP port number used by Windows
- Modifies Windows Firewall
  evasion
- Server Software Component: Terminal Services DLL
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Legitimate hosting services abused for malware hosting/C2
- Modifies WinLogon
  persistence
- Drops file in System32 directory
behavioral1 behavioral2 behavioral3 behavioral4 behavioral5

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Scheduled Task/Job

Scheduled Task

Server Software Component

Terminal Services DLL

Privilege Escalation

Boot or Logon Autostart Execution

Winlogon Helper DLL

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Scheduled Task/Job

Scheduled Task

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Remote Services

Remote Desktop Protocol

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

limeratdiscoveryrat

behavioral2

limeratdiscoveryrat

behavioral3

limeratcredential_accessdiscoveryevasionpersistenceprivilege_escalationratspywarestealer

behavioral4

limeratdiscoveryrat

behavioral5

limeratdiscoveryrat