limerat | 9f790fcb2105613d714b4adcb34572d0bba62d2f6dbf72b22bb054779695b05e

Analysis

max time kernel
1800s
max time network
1791s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BLTools.exe
Size

29KB
MD5

3a946215b3e2a3d8de77764e999a0eb0
SHA1

af6a6d609a095abc66c753f02b0cb1bc739e6362
SHA256

9f790fcb2105613d714b4adcb34572d0bba62d2f6dbf72b22bb054779695b05e
SHA512

f769b23b1b69eda41caa4021f0eb189ffb832ab65e90f527893af63cd9e893be61522e3ffaca9d76ba09d3fb0638622b212e097e884d747a32a0ccbbdc8deb4f
SSDEEP

384:TB+Sbj6NKoxA6bcAHL054fqDghmq61avDKNrCeJE3WNgr50dAkCtQro3lc6rxsjr:dpoS6bcwLwqhC1445N86dIR+j

Score

10^/10

limerat discovery rat

Malware Config

Extracted

Family

limerat

Wallets

bc1q0gmdxcfwzc5wnfpk36nmvuyqnuhz775nzlassz

Attributes

aes_key
hakai
antivm
true
c2_url
https://pastebin.com/raw/GmxD75vS
delay
5
download_payload
false
install
true
install_name
MSVCHOST.exe
main_folder
AppData
pin_spread
true
sub_folder
\Microsoftt\
usb_spread
true

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/GmxD75vS
download_payload
false
install
false
pin_spread
false
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Limerat family
limerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	BLTools.exe

Executes dropped EXE 1 IoCs

pid	Process
2032	MSVCHOST.exe

Loads dropped DLL 2 IoCs

pid	Process
2032	MSVCHOST.exe
2032	MSVCHOST.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
20	pastebin.com
21	pastebin.com
22	0.tcp.sa.ngrok.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BLTools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSVCHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1152	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe
2032	MSVCHOST.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	MSVCHOST.exe
Token: SeDebugPrivilege	2032	MSVCHOST.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 1152	2184	BLTools.exe	96
PID 2184 wrote to memory of 1152	2184	BLTools.exe	96
PID 2184 wrote to memory of 1152	2184	BLTools.exe	96
PID 2184 wrote to memory of 2032	2184	BLTools.exe	98
PID 2184 wrote to memory of 2032	2184	BLTools.exe	98
PID 2184 wrote to memory of 2032	2184	BLTools.exe	98
PID 2032 wrote to memory of 2076	2032	MSVCHOST.exe	108
PID 2032 wrote to memory of 2076	2032	MSVCHOST.exe	108
PID 2032 wrote to memory of 2076	2032	MSVCHOST.exe	108
PID 2076 wrote to memory of 4944	2076	vbc.exe	110
PID 2076 wrote to memory of 4944	2076	vbc.exe	110
PID 2076 wrote to memory of 4944	2076	vbc.exe	110
PID 2032 wrote to memory of 4692	2032	MSVCHOST.exe	111
PID 2032 wrote to memory of 4692	2032	MSVCHOST.exe	111
PID 2032 wrote to memory of 4692	2032	MSVCHOST.exe	111
PID 2032 wrote to memory of 1696	2032	MSVCHOST.exe	113
PID 2032 wrote to memory of 1696	2032	MSVCHOST.exe	113
PID 2032 wrote to memory of 1696	2032	MSVCHOST.exe	113
PID 1696 wrote to memory of 4048	1696	vbc.exe	115
PID 1696 wrote to memory of 4048	1696	vbc.exe	115
PID 1696 wrote to memory of 4048	1696	vbc.exe	115

C:\Users\Admin\AppData\Local\Temp\BLTools.exe
"C:\Users\Admin\AppData\Local\Temp\BLTools.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\Microsoftt\MSVCHOST.exe'"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1152
- C:\Users\Admin\AppData\Roaming\Microsoftt\MSVCHOST.exe
  "C:\Users\Admin\AppData\Roaming\Microsoftt\MSVCHOST.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\stj34mqi\stj34mqi.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2076
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2253.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF61732D613D548789287F9878BFFEEC4.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4944
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fcvoglp3\fcvoglp3.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4692
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ckafry4u\ckafry4u.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES23BB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2E94C602564C492C96811919083B38E.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES2253.tmp

Filesize
5KB

MD5
56e3155be4992a99a77ee25caa1e42d1

SHA1
69381448d162e457fec9d13cce174c3b701d27e9

SHA256
559913daf6afe3737c713d738d074439f6cf6af9fd86e4cdac14910ff74be87e

SHA512
27ef896223e2a21087f8cb320a44cc21e71f1bb0b17341c9349e2068867f82da9ed1253e8d1ab846d6b88b01fbe283bc7e5a6aed5e516322fd7dd05efaad7930

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES23BB.tmp

Filesize
5KB

MD5
ab4853e3b42b177d42561bdb7e3bf6f2

SHA1
ccbf9b60db671609dc4bbadca2228c632d6e867f

SHA256
7d5595b094fc432091fe05fc42c5dd8b3a487e1f8709437618fc1d7e5340e354

SHA512
f8441feb0bfb9a69d5e392a1b2a4343b70a635047bb6640c9781a3be927d12ee0c5e1d791539703ac086cbceaecf900cf2da028b6e71eabd4236d1aa08616fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckafry4u\ckafry4u.0.vb

Filesize
241B

MD5
69ea20c4766627ecabe98f721938972e

SHA1
1189f4058c408a7f5c1c1f168cfa0012c033eea9

SHA256
988a9e08c8f6f5916462909109675793ea89360819b92a60a41223813285346a

SHA512
df7564fcd93744159747d938e3267fc3527d730d6844777c2539d705514698d93b93d0fbc3f253a8e209311226e6758deac5cc2500d5352fa7fba6c62f74e0f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckafry4u\ckafry4u.cmdline

Filesize
295B

MD5
3d071bdf25def7a579bb1e87baad25d9

SHA1
951becc982d4663df5d64ca188ca26bfe50f3a32

SHA256
2932318853d92f1af65fbc1da5f242eba0d84be03d79ec0139b8643bb39f971d

SHA512
96d8f174f7d3c24f7b95f830e63c5b2f4a5c1dbfc3a287712a7b9d74e1a0bdf5bc264ae6870d50b3c2b3cb4032f9192d8fed9d3f5fc318c316d4568b6a413dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcvoglp3\fcvoglp3.0.vb

Filesize
240B

MD5
d6180730af87b7b73b73f831fae40def

SHA1
78d62798c98b7e166792e16a129592c250d3e6b3

SHA256
8aa2bb39b8c7c1994364a3601f314f15e2cd1449a24936404ca13fc228cbaec9

SHA512
5f7236d3422787d0faa5962b154a67050de96f0d64bd42806cbab5a34353292e1fbedc19c662cd48c4c9512496d3dac167e002530ae6979805778fa3ed7a7984

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcvoglp3\fcvoglp3.cmdline

Filesize
293B

MD5
9919d6c6ad2048fdff90c18736cafe3c

SHA1
71d2badbdbb1eee7f8b6e71464903a1c14b0b3a2

SHA256
8c194e7cfc00c211294c7556150bc7ae6a5f352b300cf146f3c5cadd94e992bd

SHA512
73d74c55427fd8cd3885811d97b940155fcc1dfcad7d28b80e195dde4db4eeb97df8e707cc623d2f108e37227fb5ddf2922def5c965e8bbb19bced0ec4b98a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\stj34mqi\stj34mqi.0.vb

Filesize
234B

MD5
7b82a86d5b55eb265e0e8a3810c6a216

SHA1
4dbf97bca0487379aca9dc16bbf4c2d28f0ad758

SHA256
841d648ef803f8f750d7af7f22eac9fde4cdaf9f16ea6196c123acdb2974d615

SHA512
b042a0f22c63da56fe8560c1801379c36d1cea63a8ca415c00e54be875c71e76cb80d9c39bb8f314bb78fc3e2c85fa4661d9068408ada185caf461a7d836a1c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\stj34mqi\stj34mqi.cmdline

Filesize
282B

MD5
647c5dadaeb136f6c948de43cf3b5eb2

SHA1
74c73d86e1d67a15ba4f42265ba2de4a6598ad3a

SHA256
d247c1603e05db4b2c6ff9b7ca9ec8e23919d65f5e080dd4f6fea8c226ca575d

SHA512
166d3119ad6ca725f1d7e19526ea20e18c665cc3adafff2a94b133dcc378a68b169211e606f84c0876d2a73c4395ec23c063dfb8d28e9a14fae0709de9d253c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2E94C602564C492C96811919083B38E.TMP

Filesize
4KB

MD5
4162c05f88e8459f843325fddd58b73d

SHA1
585a582f7c4d9b218d68ca18d6cf46801b1db4fe

SHA256
3ffa4819f285544e028ad56d2ade2bf07599d569bb925812a0566deea7ae17fc

SHA512
cc2d732fe8f925df5d9c03b5f237dcbb5c9ca93d0878b2b29bbc635e9daec32a460e45510088831fd3e00015e01649df2b378db4a982f536cd1f1beabc102af1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF61732D613D548789287F9878BFFEEC4.TMP

Filesize
4KB

MD5
3bc8adeb12a0fcc53a2368d6b2ac06f1

SHA1
1fbf854011bdb8a6d8b876dd03eb58f70422b5c9

SHA256
05d3206e82e3219eaa0ea9825b64eb5d32f542f257a5ff4c72149ebe0a7be12b

SHA512
8885b4fc552332b8e667e425afbc9c18ec54fb561a49b085aef5fdc51142efc61bf7d2b868632d1f1a6e03b256b9422be706aa3cfa58a8de6ef15b94abb163cd

Download Submit
C:\Users\Admin\AppData\Roaming\Lime\ICO\Firefox.ico

Filesize
4KB

MD5
a561ca41d3b29c57ab61672df8d88ec9

SHA1
24567a929b98c2536cd2458fdce00ce7e29710f0

SHA256
f8c5b0b66dbab94ebed08de93cf2300c9933db9ba43b468a0cda09602a2520ce

SHA512
eede6794c1a7318fa6107069719fb6ea885b2aa0410e70b300fa65e349a7c6798eb232fb8b6ac254821145cf9de5b91846b1e80514a402a3234c1b336223b027

Download Submit
C:\Users\Admin\AppData\Roaming\Lime\ICO\GoogleChrome.ico

Filesize
6B

MD5
ed5a964e00f4a03ab201efe358667914

SHA1
d5d5370bbe3e3ce247c6f0825a9e16db2b8cd5c5

SHA256
025fc246f13759c192cbbae2a68f2b59b6478f21b31a05d77483a87e417906dd

SHA512
7f3b68419e0914cec2d853dcd8bbb45bf9ed77bdde4c9d6f2ea786b2ba99f3e49560512fbb26dd3f0189b595c0c108d32eb43f9a6f13bbc35b8c16b1561bd070

Download Submit
C:\Users\Admin\AppData\Roaming\Lime\ICO\MicrosoftEdge.ico

Filesize
4KB

MD5
dfe08c8c6e8e1142309ac81d3ea765ec

SHA1
da81d0b263ca62dcc2deab48835cf1dc1e8dac0a

SHA256
04d17515c60ac7ec901b27e116fd1a965f529dcb20b3609df5b3cb58cff8e456

SHA512
2b4f91df4b9a75df3e7fc50733b795adaafc4d8ae323339fbb9a38309c6898a6b877f6fa6a2cb476f661d80a5f1969b284deef5c0a4439b221ddd8750bb102ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoftt\IconLib.dll

Filesize
59KB

MD5
45ecaf5e82da876240f9be946923406c

SHA1
0e79bfe8ecc9b0a22430d1c13c423fbf0ac2a61d

SHA256
087a0c5f789e964a2fbcb781015d3fc9d1757358bc63bb4e0b863b4dffdb6e4f

SHA512
6fd4a25051414b2d70569a82dff5522606bfc34d3eaeea54d2d924bc9c92e479c7fda178208026308a1bf9c90bee9dbcaf8716d85c2ab7f383b43b0734329bc8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoftt\MSVCHOST.exe

Filesize
29KB

MD5
3a946215b3e2a3d8de77764e999a0eb0

SHA1
af6a6d609a095abc66c753f02b0cb1bc739e6362

SHA256
9f790fcb2105613d714b4adcb34572d0bba62d2f6dbf72b22bb054779695b05e

SHA512
f769b23b1b69eda41caa4021f0eb189ffb832ab65e90f527893af63cd9e893be61522e3ffaca9d76ba09d3fb0638622b212e097e884d747a32a0ccbbdc8deb4f

Download Submit
memory/2032-22-0x0000000006ED0000-0x0000000006EF4000-memory.dmp

Filesize
144KB

Download
memory/2032-17-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/2032-16-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/2032-21-0x0000000006EB0000-0x0000000006ECE000-memory.dmp

Filesize
120KB

Download
memory/2032-20-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/2032-19-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/2032-18-0x0000000006190000-0x0000000006222000-memory.dmp

Filesize
584KB

Download
memory/2032-28-0x0000000000960000-0x0000000000976000-memory.dmp

Filesize
88KB

Download
memory/2184-0-0x0000000074F3E000-0x0000000074F3F000-memory.dmp

Filesize
4KB

Download
memory/2184-15-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/2184-5-0x0000000005AA0000-0x0000000006044000-memory.dmp

Filesize
5.6MB

Download
memory/2184-4-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/2184-3-0x0000000004EC0000-0x0000000004F26000-memory.dmp

Filesize
408KB

Download
memory/2184-2-0x0000000004DC0000-0x0000000004E5C000-memory.dmp

Filesize
624KB

Download
memory/2184-1-0x0000000000430000-0x000000000043C000-memory.dmp

Filesize
48KB

Download