limerat | 9f790fcb2105613d714b4adcb34572d0bba62d2f6dbf72b22bb054779695b05e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 05:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BLTools.exe
Size

29KB
MD5

3a946215b3e2a3d8de77764e999a0eb0
SHA1

af6a6d609a095abc66c753f02b0cb1bc739e6362
SHA256

9f790fcb2105613d714b4adcb34572d0bba62d2f6dbf72b22bb054779695b05e
SHA512

f769b23b1b69eda41caa4021f0eb189ffb832ab65e90f527893af63cd9e893be61522e3ffaca9d76ba09d3fb0638622b212e097e884d747a32a0ccbbdc8deb4f
SSDEEP

384:TB+Sbj6NKoxA6bcAHL054fqDghmq61avDKNrCeJE3WNgr50dAkCtQro3lc6rxsjr:dpoS6bcwLwqhC1445N86dIR+j

Score

10^/10

limerat discovery rat

Malware Config

Extracted

Family

limerat

Wallets

bc1q0gmdxcfwzc5wnfpk36nmvuyqnuhz775nzlassz

Attributes

aes_key
hakai
antivm
true
c2_url
https://pastebin.com/raw/GmxD75vS
delay
5
download_payload
false
install
true
install_name
MSVCHOST.exe
main_folder
AppData
pin_spread
true
sub_folder
\Microsoftt\
usb_spread
true

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/GmxD75vS
download_payload
false
install
false
pin_spread
false
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Limerat family
limerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	BLTools.exe

Executes dropped EXE 1 IoCs

pid	Process
2900	MSVCHOST.exe

Loads dropped DLL 2 IoCs

pid	Process
2900	MSVCHOST.exe
2900	MSVCHOST.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
20	pastebin.com
21	pastebin.com
22	0.tcp.sa.ngrok.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSVCHOST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BLTools.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4048	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2900	MSVCHOST.exe
2900	MSVCHOST.exe
2900	MSVCHOST.exe
2900	MSVCHOST.exe
2900	MSVCHOST.exe
2900	MSVCHOST.exe
2900	MSVCHOST.exe
2900	MSVCHOST.exe
2900	MSVCHOST.exe
2900	MSVCHOST.exe
2900	MSVCHOST.exe
2900	MSVCHOST.exe
2900	MSVCHOST.exe
2900	MSVCHOST.exe
2900	MSVCHOST.exe
2900	MSVCHOST.exe
2900	MSVCHOST.exe
2900	MSVCHOST.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2900	MSVCHOST.exe
Token: SeDebugPrivilege	2900	MSVCHOST.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 4048	876	BLTools.exe	92
PID 876 wrote to memory of 4048	876	BLTools.exe	92
PID 876 wrote to memory of 4048	876	BLTools.exe	92
PID 876 wrote to memory of 2900	876	BLTools.exe	94
PID 876 wrote to memory of 2900	876	BLTools.exe	94
PID 876 wrote to memory of 2900	876	BLTools.exe	94
PID 2900 wrote to memory of 1608	2900	MSVCHOST.exe	99
PID 2900 wrote to memory of 1608	2900	MSVCHOST.exe	99
PID 2900 wrote to memory of 1608	2900	MSVCHOST.exe	99
PID 1608 wrote to memory of 1056	1608	vbc.exe	101
PID 1608 wrote to memory of 1056	1608	vbc.exe	101
PID 1608 wrote to memory of 1056	1608	vbc.exe	101
PID 2900 wrote to memory of 3660	2900	MSVCHOST.exe	102
PID 2900 wrote to memory of 3660	2900	MSVCHOST.exe	102
PID 2900 wrote to memory of 3660	2900	MSVCHOST.exe	102
PID 2900 wrote to memory of 3968	2900	MSVCHOST.exe	104
PID 2900 wrote to memory of 3968	2900	MSVCHOST.exe	104
PID 2900 wrote to memory of 3968	2900	MSVCHOST.exe	104
PID 3968 wrote to memory of 4620	3968	vbc.exe	106
PID 3968 wrote to memory of 4620	3968	vbc.exe	106
PID 3968 wrote to memory of 4620	3968	vbc.exe	106

C:\Users\Admin\AppData\Local\Temp\BLTools.exe
"C:\Users\Admin\AppData\Local\Temp\BLTools.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:876
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\Microsoftt\MSVCHOST.exe'"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4048
- C:\Users\Admin\AppData\Roaming\Microsoftt\MSVCHOST.exe
  "C:\Users\Admin\AppData\Roaming\Microsoftt\MSVCHOST.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\x3icgkik\x3icgkik.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD66.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc34157F1152F4AE9AF4992C21784CC7.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1056
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\glfw1kgr\glfw1kgr.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3660
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5mveako0\5mveako0.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3968
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFEFC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6753FDDA1C4746F3B41FA68AC7CEA.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5mveako0\5mveako0.0.vb

Filesize
241B

MD5
4650453124557070c8886528c316fcd9

SHA1
ab65aeb9d8408c9575cbc7f68e9d2d3c0b959bef

SHA256
315a39aaf170396f3cd4c03b85b90c2dc765955da97ae16b0a92984bb37173da

SHA512
eb38d19e4cb81a0a5173633c13c257e466e2543e7ff9aeba21a90bccb58c3c50bb52f6454b77a5eeabb8548f0979c7d606f23487350ef2e2f502b85df4a06b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5mveako0\5mveako0.cmdline

Filesize
295B

MD5
21bedecbf24133cb899ad27248b76aaa

SHA1
0ab568be8e5af612240e2a214ba1d81957535fb6

SHA256
5e69299b3618816f14a171d410cf3254a31aadcadc37cb9192ccf5ab75a57814

SHA512
e2af223234ff5904825b9759bf220aba926a195415aa34abb9a8491341ab1a89a6e413999137ea12cef54e1f6c195f4d8924dc55a14dd514e5e9b77c55ffd3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFD66.tmp

Filesize
5KB

MD5
e1a00efb79ed27990e7e37e6c33badda

SHA1
a1a1133782613ce8e291755f7d345e1fdeeb6e5e

SHA256
8ec2a88dff3fc3ae66b30608cd2a85ea611ba7423f9fffc9c7eedebedf7a6bc9

SHA512
1d4638e564291e14eaec4ce8e10ccdfca3a60dbfd0f3bc8b9c6b7b8832271fb0e72f966aca9fb2e4c1773066e03865b939f57fd1a200d9260b863615cc99364c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFEFC.tmp

Filesize
5KB

MD5
1619132829cb619c84634a79525447ae

SHA1
a395ba0a28dbeeb48a99030fc975c3d6a542691e

SHA256
cf00c19beb1e32f03b76687a7745fd7441458bc7dc323b4e73d064e634cd7bf6

SHA512
85a9a7b50d231522afa28d8646fa432c34f77e47575157ff3bc22a16545fdfe0889f0f1bc599737f8fd942c4b65aacf47cda932427d587a9d7fc983572403126

Download Submit
C:\Users\Admin\AppData\Local\Temp\glfw1kgr\glfw1kgr.0.vb

Filesize
240B

MD5
7978cea9541fde125a7dd26644db3e48

SHA1
ce2dad49009038abcb569a2b57b7447ae38a5af7

SHA256
6fe9a5d4495049e18707d7b41ee8ca141a7a627a75ddd959db56da71916b79d6

SHA512
9417a63c577d2b3883b07cc0a26e6172ee97c0539e03518251cc7f485515baa780eeceafbe971fa540d4d6e20e56a98b6e1538e7bfa51f0d96dca323be2320a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\glfw1kgr\glfw1kgr.cmdline

Filesize
293B

MD5
5232651dc784bce9c2642f091b7714ab

SHA1
c83841d6e3040f332797a5aa818f237abf46621a

SHA256
3af02b91a50d9ae534ce0cb974c463a6ea30cbf257da02c3e2ed73a1c62f2fd1

SHA512
f46c98ee01bb0e73d6705dc07e58216b0a560edfa681cd17069c35c151244d34e78c0e0f1b027fce97d9cf4f061a34669b0e753b572dd956aa4d84b2f9553512

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc34157F1152F4AE9AF4992C21784CC7.TMP

Filesize
4KB

MD5
3bc8adeb12a0fcc53a2368d6b2ac06f1

SHA1
1fbf854011bdb8a6d8b876dd03eb58f70422b5c9

SHA256
05d3206e82e3219eaa0ea9825b64eb5d32f542f257a5ff4c72149ebe0a7be12b

SHA512
8885b4fc552332b8e667e425afbc9c18ec54fb561a49b085aef5fdc51142efc61bf7d2b868632d1f1a6e03b256b9422be706aa3cfa58a8de6ef15b94abb163cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc6753FDDA1C4746F3B41FA68AC7CEA.TMP

Filesize
4KB

MD5
4162c05f88e8459f843325fddd58b73d

SHA1
585a582f7c4d9b218d68ca18d6cf46801b1db4fe

SHA256
3ffa4819f285544e028ad56d2ade2bf07599d569bb925812a0566deea7ae17fc

SHA512
cc2d732fe8f925df5d9c03b5f237dcbb5c9ca93d0878b2b29bbc635e9daec32a460e45510088831fd3e00015e01649df2b378db4a982f536cd1f1beabc102af1

Download Submit
C:\Users\Admin\AppData\Local\Temp\x3icgkik\x3icgkik.0.vb

Filesize
234B

MD5
7bc26c2e5038c5244f7001873aba258b

SHA1
89c5fa5b8e2eabdbc3100c5c8701685db6e1b1f6

SHA256
85aebccff013f6a683f182e2890b7e169b608862174e4943bde72f14454d1aca

SHA512
387ee971c9fbe4c8a3fe6d5e05606c32fc5217ddc22b3a5972960faf017464768453e95992134095dd508c15618a881d3b226b4c3f2182a267ef56cff42fdd6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\x3icgkik\x3icgkik.cmdline

Filesize
282B

MD5
89c2bc89dea6c3070b742262d27859c4

SHA1
1696a0285c0f78f0708f1c529a57b18130cf5ef9

SHA256
13f217d62d3df8ea86e0f4f076a9f195744cf0065ab61abd7b4131774aabb4fe

SHA512
a20d531f3a950493e101c829dbee87a1b8372881abae04e2a92a13735dd42061d989d5c8e4f785fafa690c6505285bb688d6c80e1be2bbc278d7fe1b77b370c0

Download Submit
C:\Users\Admin\AppData\Roaming\Lime\ICO\Firefox.ico

Filesize
4KB

MD5
a561ca41d3b29c57ab61672df8d88ec9

SHA1
24567a929b98c2536cd2458fdce00ce7e29710f0

SHA256
f8c5b0b66dbab94ebed08de93cf2300c9933db9ba43b468a0cda09602a2520ce

SHA512
eede6794c1a7318fa6107069719fb6ea885b2aa0410e70b300fa65e349a7c6798eb232fb8b6ac254821145cf9de5b91846b1e80514a402a3234c1b336223b027

Download Submit
C:\Users\Admin\AppData\Roaming\Lime\ICO\GoogleChrome.ico

Filesize
6B

MD5
ed5a964e00f4a03ab201efe358667914

SHA1
d5d5370bbe3e3ce247c6f0825a9e16db2b8cd5c5

SHA256
025fc246f13759c192cbbae2a68f2b59b6478f21b31a05d77483a87e417906dd

SHA512
7f3b68419e0914cec2d853dcd8bbb45bf9ed77bdde4c9d6f2ea786b2ba99f3e49560512fbb26dd3f0189b595c0c108d32eb43f9a6f13bbc35b8c16b1561bd070

Download Submit
C:\Users\Admin\AppData\Roaming\Lime\ICO\MicrosoftEdge.ico

Filesize
4KB

MD5
dfe08c8c6e8e1142309ac81d3ea765ec

SHA1
da81d0b263ca62dcc2deab48835cf1dc1e8dac0a

SHA256
04d17515c60ac7ec901b27e116fd1a965f529dcb20b3609df5b3cb58cff8e456

SHA512
2b4f91df4b9a75df3e7fc50733b795adaafc4d8ae323339fbb9a38309c6898a6b877f6fa6a2cb476f661d80a5f1969b284deef5c0a4439b221ddd8750bb102ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoftt\IconLib.dll

Filesize
59KB

MD5
45ecaf5e82da876240f9be946923406c

SHA1
0e79bfe8ecc9b0a22430d1c13c423fbf0ac2a61d

SHA256
087a0c5f789e964a2fbcb781015d3fc9d1757358bc63bb4e0b863b4dffdb6e4f

SHA512
6fd4a25051414b2d70569a82dff5522606bfc34d3eaeea54d2d924bc9c92e479c7fda178208026308a1bf9c90bee9dbcaf8716d85c2ab7f383b43b0734329bc8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoftt\MSVCHOST.exe

Filesize
29KB

MD5
3a946215b3e2a3d8de77764e999a0eb0

SHA1
af6a6d609a095abc66c753f02b0cb1bc739e6362

SHA256
9f790fcb2105613d714b4adcb34572d0bba62d2f6dbf72b22bb054779695b05e

SHA512
f769b23b1b69eda41caa4021f0eb189ffb832ab65e90f527893af63cd9e893be61522e3ffaca9d76ba09d3fb0638622b212e097e884d747a32a0ccbbdc8deb4f

Download Submit
memory/876-16-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/876-0-0x00000000749BE000-0x00000000749BF000-memory.dmp

Filesize
4KB

Download
memory/876-5-0x00000000064B0000-0x0000000006A54000-memory.dmp

Filesize
5.6MB

Download
memory/876-4-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/876-3-0x00000000057D0000-0x0000000005836000-memory.dmp

Filesize
408KB

Download
memory/876-2-0x0000000005730000-0x00000000057CC000-memory.dmp

Filesize
624KB

Download
memory/876-1-0x0000000000E70000-0x0000000000E7C000-memory.dmp

Filesize
48KB

Download
memory/2900-15-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/2900-28-0x0000000000DE0000-0x0000000000DF6000-memory.dmp

Filesize
88KB

Download
memory/2900-22-0x0000000007530000-0x0000000007554000-memory.dmp

Filesize
144KB

Download
memory/2900-21-0x0000000007510000-0x000000000752E000-memory.dmp

Filesize
120KB

Download
memory/2900-20-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/2900-19-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/2900-18-0x0000000006610000-0x00000000066A2000-memory.dmp

Filesize
584KB

Download
memory/2900-17-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download