General

  • Target

    BLTools.exe

  • Size

    29KB

  • Sample

    241117-e27gbazras

  • MD5

    3a946215b3e2a3d8de77764e999a0eb0

  • SHA1

    af6a6d609a095abc66c753f02b0cb1bc739e6362

  • SHA256

    9f790fcb2105613d714b4adcb34572d0bba62d2f6dbf72b22bb054779695b05e

  • SHA512

    f769b23b1b69eda41caa4021f0eb189ffb832ab65e90f527893af63cd9e893be61522e3ffaca9d76ba09d3fb0638622b212e097e884d747a32a0ccbbdc8deb4f

  • SSDEEP

    384:TB+Sbj6NKoxA6bcAHL054fqDghmq61avDKNrCeJE3WNgr50dAkCtQro3lc6rxsjr:dpoS6bcwLwqhC1445N86dIR+j

Score
10/10

Malware Config

Extracted

Family

limerat

Wallets

bc1q0gmdxcfwzc5wnfpk36nmvuyqnuhz775nzlassz

Attributes
  • aes_key

    hakai

  • antivm

    true

  • c2_url

    https://pastebin.com/raw/GmxD75vS

  • delay

    5

  • download_payload

    false

  • install

    true

  • install_name

    MSVCHOST.exe

  • main_folder

    AppData

  • pin_spread

    true

  • sub_folder

    \Microsoftt\

  • usb_spread

    true

Extracted

Family

limerat

Attributes
  • antivm

    false

  • c2_url

    https://pastebin.com/raw/GmxD75vS

  • download_payload

    false

  • install

    false

  • pin_spread

    false

  • usb_spread

    false

Targets

    • Target

      BLTools.exe

    • Size

      29KB

    • MD5

      3a946215b3e2a3d8de77764e999a0eb0

    • SHA1

      af6a6d609a095abc66c753f02b0cb1bc739e6362

    • SHA256

      9f790fcb2105613d714b4adcb34572d0bba62d2f6dbf72b22bb054779695b05e

    • SHA512

      f769b23b1b69eda41caa4021f0eb189ffb832ab65e90f527893af63cd9e893be61522e3ffaca9d76ba09d3fb0638622b212e097e884d747a32a0ccbbdc8deb4f

    • SSDEEP

      384:TB+Sbj6NKoxA6bcAHL054fqDghmq61avDKNrCeJE3WNgr50dAkCtQro3lc6rxsjr:dpoS6bcwLwqhC1445N86dIR+j

    Score
    10/10
    • LimeRAT

      Simple yet powerful RAT for Windows machines written in .NET.

    • Limerat family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks