limerat | 066cc1f77311bb6532cd2fe87e20487dd5dac8a2b0749c85ec7b85a03acfc2b2

General

Target

BLTools 2.5.exe
Size

95KB
MD5

ea7e08be1070d80d655c888c706e0f24
SHA1

0a306cf100c098860b2af1afc850e6dc82e9a855
SHA256

066cc1f77311bb6532cd2fe87e20487dd5dac8a2b0749c85ec7b85a03acfc2b2
SHA512

c049e5ad899ea384876f6d01aa2c53738197f569b9383a49d2c6313929afede9fd555dbb4e524976867d6ad6d3cbdc8278efc9ed42ab3065a4a5e2626fccc8c2
SSDEEP

768:Jpv+6fQwT+Jty6X45Nwy1kdpI1Mr6+jN0eSvH9ZcTyrzgEhR2nsCt7CNFd7mic2g:JpPQwT0forrs5RnC9ZcKOsCtKjb+

Score

10^/10

limerat discovery rat

Malware Config

Extracted

Family

limerat

Wallets

bc1q0gmdxcfwzc5wnfpk36nmvuyqnuhz775nzlassz

Attributes

aes_key
hakai
antivm
true
c2_url
https://pastebin.com/raw/U2Ffc64v
delay
3
download_payload
false
install
true
install_name
Microsoft.exe
main_folder
AppData
pin_spread
true
sub_folder
\Microsoft\
usb_spread
true

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/U2Ffc64v
download_payload
false
install
false
pin_spread
false
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Limerat family
limerat

Executes dropped EXE 1 IoCs

pid	Process
2776	Microsoft.exe

Loads dropped DLL 4 IoCs

pid	Process
3000	BLTools 2.5.exe
3000	BLTools 2.5.exe
2776	Microsoft.exe
2776	Microsoft.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com
10	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BLTools 2.5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Microsoft.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1476	schtasks.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2776	Microsoft.exe
2776	Microsoft.exe
2776	Microsoft.exe
2776	Microsoft.exe
2776	Microsoft.exe
2776	Microsoft.exe
2776	Microsoft.exe
2776	Microsoft.exe
2776	Microsoft.exe
2776	Microsoft.exe
2776	Microsoft.exe
2776	Microsoft.exe
2776	Microsoft.exe
2776	Microsoft.exe
2776	Microsoft.exe
2776	Microsoft.exe
2776	Microsoft.exe
2776	Microsoft.exe
2776	Microsoft.exe
2776	Microsoft.exe
2776	Microsoft.exe
2776	Microsoft.exe
2776	Microsoft.exe
2776	Microsoft.exe
2776	Microsoft.exe
2776	Microsoft.exe
2776	Microsoft.exe
2776	Microsoft.exe
2776	Microsoft.exe
2776	Microsoft.exe
2776	Microsoft.exe
2776	Microsoft.exe
2776	Microsoft.exe
2776	Microsoft.exe
2776	Microsoft.exe
2776	Microsoft.exe
2776	Microsoft.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2776	Microsoft.exe
Token: SeDebugPrivilege	2776	Microsoft.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 1476	3000	BLTools 2.5.exe	30
PID 3000 wrote to memory of 1476	3000	BLTools 2.5.exe	30
PID 3000 wrote to memory of 1476	3000	BLTools 2.5.exe	30
PID 3000 wrote to memory of 1476	3000	BLTools 2.5.exe	30
PID 3000 wrote to memory of 2776	3000	BLTools 2.5.exe	32
PID 3000 wrote to memory of 2776	3000	BLTools 2.5.exe	32
PID 3000 wrote to memory of 2776	3000	BLTools 2.5.exe	32
PID 3000 wrote to memory of 2776	3000	BLTools 2.5.exe	32
PID 2776 wrote to memory of 3020	2776	Microsoft.exe	33
PID 2776 wrote to memory of 3020	2776	Microsoft.exe	33
PID 2776 wrote to memory of 3020	2776	Microsoft.exe	33
PID 2776 wrote to memory of 3020	2776	Microsoft.exe	33

C:\Users\Admin\AppData\Local\Temp\BLTools 2.5.exe
"C:\Users\Admin\AppData\Local\Temp\BLTools 2.5.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Microsoft.exe'"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1476
- C:\Users\Admin\AppData\Roaming\Microsoft\Microsoft.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Microsoft.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\b0pbjtwq\b0pbjtwq.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b0pbjtwq\b0pbjtwq.0.vb

Filesize
240B

MD5
1f1af8f429584fc410d2da70f436be72

SHA1
96ff34a1736c316300c91b7dd72c7945ebfa8589

SHA256
ab39aae396a438209d43338076703285624a08462b1464b186294058478550ac

SHA512
50ad67113ea8b91bc65a9c0e6ff1c8202da863cd1f347e69eb8aec4cd25afc2d2df6f1c79f853dd9c2132de856f0a5ce772a94d9b78c3cedc67c1703ece68a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\b0pbjtwq\b0pbjtwq.cmdline

Filesize
293B

MD5
3fbe2f24417cf7e0c6ad86485b129e06

SHA1
10f87da8ed3b5d943a883b63be9881c9fa4ff668

SHA256
effd61ad651dc1e90443150473ba898e573ea9f9f3493a5233e02a906c9977e5

SHA512
568eaea380e5f3dc133d9d5c88915f87ae09078613baa5422b1190cf12be7b511fc009049f8b12f5ad7622f11422ee8f1db41011e611a80a5d60abdb957a7ce4

Download Submit
C:\Users\Admin\AppData\Roaming\Lime\ICO\GoogleChrome.ico

Filesize
6B

MD5
ed5a964e00f4a03ab201efe358667914

SHA1
d5d5370bbe3e3ce247c6f0825a9e16db2b8cd5c5

SHA256
025fc246f13759c192cbbae2a68f2b59b6478f21b31a05d77483a87e417906dd

SHA512
7f3b68419e0914cec2d853dcd8bbb45bf9ed77bdde4c9d6f2ea786b2ba99f3e49560512fbb26dd3f0189b595c0c108d32eb43f9a6f13bbc35b8c16b1561bd070

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\IconLib.dll

Filesize
59KB

MD5
45ecaf5e82da876240f9be946923406c

SHA1
0e79bfe8ecc9b0a22430d1c13c423fbf0ac2a61d

SHA256
087a0c5f789e964a2fbcb781015d3fc9d1757358bc63bb4e0b863b4dffdb6e4f

SHA512
6fd4a25051414b2d70569a82dff5522606bfc34d3eaeea54d2d924bc9c92e479c7fda178208026308a1bf9c90bee9dbcaf8716d85c2ab7f383b43b0734329bc8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Microsoft.exe

Filesize
95KB

MD5
ea7e08be1070d80d655c888c706e0f24

SHA1
0a306cf100c098860b2af1afc850e6dc82e9a855

SHA256
066cc1f77311bb6532cd2fe87e20487dd5dac8a2b0749c85ec7b85a03acfc2b2

SHA512
c049e5ad899ea384876f6d01aa2c53738197f569b9383a49d2c6313929afede9fd555dbb4e524976867d6ad6d3cbdc8278efc9ed42ab3065a4a5e2626fccc8c2

Download Submit
memory/2776-25-0x0000000000800000-0x0000000000816000-memory.dmp

Filesize
88KB

Download
memory/2776-15-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2776-16-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2776-17-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2776-18-0x0000000000680000-0x000000000069E000-memory.dmp

Filesize
120KB

Download
memory/2776-19-0x0000000000730000-0x0000000000754000-memory.dmp

Filesize
144KB

Download
memory/2776-14-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/2776-12-0x00000000008E0000-0x00000000008FE000-memory.dmp

Filesize
120KB

Download
memory/3000-0-0x00000000744DE000-0x00000000744DF000-memory.dmp

Filesize
4KB

Download
memory/3000-13-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/3000-1-0x0000000000110000-0x000000000012E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads