limerat | 066cc1f77311bb6532cd2fe87e20487dd5dac8a2b0749c85ec7b85a03acfc2b2

Analysis

max time kernel
595s
max time network
599s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BLTools 2.5.exe
Size

95KB
MD5

ea7e08be1070d80d655c888c706e0f24
SHA1

0a306cf100c098860b2af1afc850e6dc82e9a855
SHA256

066cc1f77311bb6532cd2fe87e20487dd5dac8a2b0749c85ec7b85a03acfc2b2
SHA512

c049e5ad899ea384876f6d01aa2c53738197f569b9383a49d2c6313929afede9fd555dbb4e524976867d6ad6d3cbdc8278efc9ed42ab3065a4a5e2626fccc8c2
SSDEEP

768:Jpv+6fQwT+Jty6X45Nwy1kdpI1Mr6+jN0eSvH9ZcTyrzgEhR2nsCt7CNFd7mic2g:JpPQwT0forrs5RnC9ZcKOsCtKjb+

Score

10^/10

limerat discovery rat

Malware Config

Extracted

Family

limerat

Wallets

bc1q0gmdxcfwzc5wnfpk36nmvuyqnuhz775nzlassz

Attributes

aes_key
hakai
antivm
true
c2_url
https://pastebin.com/raw/U2Ffc64v
delay
3
download_payload
false
install
true
install_name
Microsoft.exe
main_folder
AppData
pin_spread
true
sub_folder
\Microsoft\
usb_spread
true

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/U2Ffc64v
download_payload
false
install
false
pin_spread
false
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Limerat family
limerat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	BLTools 2.5.exe

Executes dropped EXE 1 IoCs

pid	Process
4060	Microsoft.exe

Loads dropped DLL 2 IoCs

pid	Process
4060	Microsoft.exe
4060	Microsoft.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
50	pastebin.com
19	pastebin.com
20	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Microsoft.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BLTools 2.5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1120	schtasks.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
4060	Microsoft.exe
4060	Microsoft.exe
4060	Microsoft.exe
4060	Microsoft.exe
4060	Microsoft.exe
4060	Microsoft.exe
4060	Microsoft.exe
4060	Microsoft.exe
4060	Microsoft.exe
4060	Microsoft.exe
4060	Microsoft.exe
4060	Microsoft.exe
4060	Microsoft.exe
4060	Microsoft.exe
4060	Microsoft.exe
4060	Microsoft.exe
4060	Microsoft.exe
4060	Microsoft.exe
4060	Microsoft.exe
4060	Microsoft.exe
4060	Microsoft.exe
4060	Microsoft.exe
4060	Microsoft.exe
4060	Microsoft.exe
4060	Microsoft.exe
4060	Microsoft.exe
4060	Microsoft.exe
4060	Microsoft.exe
4060	Microsoft.exe
4060	Microsoft.exe
4060	Microsoft.exe
4060	Microsoft.exe
4060	Microsoft.exe
4060	Microsoft.exe
4060	Microsoft.exe
4060	Microsoft.exe
4060	Microsoft.exe
4060	Microsoft.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4060	Microsoft.exe
Token: SeDebugPrivilege	4060	Microsoft.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 1120	3812	BLTools 2.5.exe	93
PID 3812 wrote to memory of 1120	3812	BLTools 2.5.exe	93
PID 3812 wrote to memory of 1120	3812	BLTools 2.5.exe	93
PID 3812 wrote to memory of 4060	3812	BLTools 2.5.exe	95
PID 3812 wrote to memory of 4060	3812	BLTools 2.5.exe	95
PID 3812 wrote to memory of 4060	3812	BLTools 2.5.exe	95
PID 4060 wrote to memory of 2288	4060	Microsoft.exe	106
PID 4060 wrote to memory of 2288	4060	Microsoft.exe	106
PID 4060 wrote to memory of 2288	4060	Microsoft.exe	106
PID 2288 wrote to memory of 1452	2288	vbc.exe	108
PID 2288 wrote to memory of 1452	2288	vbc.exe	108
PID 2288 wrote to memory of 1452	2288	vbc.exe	108
PID 4060 wrote to memory of 4992	4060	Microsoft.exe	109
PID 4060 wrote to memory of 4992	4060	Microsoft.exe	109
PID 4060 wrote to memory of 4992	4060	Microsoft.exe	109
PID 4060 wrote to memory of 4640	4060	Microsoft.exe	111
PID 4060 wrote to memory of 4640	4060	Microsoft.exe	111
PID 4060 wrote to memory of 4640	4060	Microsoft.exe	111
PID 4640 wrote to memory of 3068	4640	vbc.exe	113
PID 4640 wrote to memory of 3068	4640	vbc.exe	113
PID 4640 wrote to memory of 3068	4640	vbc.exe	113

C:\Users\Admin\AppData\Local\Temp\BLTools 2.5.exe
"C:\Users\Admin\AppData\Local\Temp\BLTools 2.5.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Microsoft.exe'"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1120
- C:\Users\Admin\AppData\Roaming\Microsoft\Microsoft.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Microsoft.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4060
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1k4zxuws\1k4zxuws.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1F84.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc19FB19E1EABF40A08CE8B8B8CF1578CD.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1452
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uzfkdb5w\uzfkdb5w.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4992
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0xbqevu0\0xbqevu0.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4640
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES20CD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2BFAD73919D4D8DBC9EB2B56EC95226.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0xbqevu0\0xbqevu0.0.vb

Filesize
241B

MD5
306dd1f4e3d074b3e3d13a4da7a686e1

SHA1
a5ace9a32a980487345dc982e64da78d2bc5fc4c

SHA256
4967dee03e98fd113697d371af7d2a7ba42589a73618cb3b3811131621369bab

SHA512
2eb94a475ae9cd5e7b74c5286ebf616b71c1cf171c4c4feea4ed68bd0d6acc373d5b6a2cef7f7bb9cbc5ab6f7dad16e14de7e7dec9c5cedf548725795391bbd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\0xbqevu0\0xbqevu0.cmdline

Filesize
295B

MD5
4b266dc67b1f3c3eb361737a81b2e641

SHA1
28b5b5bc754981b07633ed9f67c9ca52437c2007

SHA256
c767f638a330fe4dbe3231ded83f4aa5a4547941c07bf81694492cb2a1e12b3c

SHA512
11d354b7f0de4e0bd34393467712393bf6c5ff8be8bd9322a2ae062e3bba6ffd88c3ef321a58aa20984be3b7013d1e8902481ffff1cbcc12f46e570c7b726388

Download Submit
C:\Users\Admin\AppData\Local\Temp\1k4zxuws\1k4zxuws.0.vb

Filesize
234B

MD5
00eb2e94f2e81bbd4f3788969fc7d31e

SHA1
4a82390bff5eae7c710f7147fdba7b080491ce2b

SHA256
7df0ce4286fcd2766710748a12d7226b945db1ec022409469638edbb6a3513cb

SHA512
ce041621b884f66492da392687f3c84d06d7325ecacbc5d37352a771878a58944255d89ab5a7200c4887cfa47f7db5325f1e6e6085eec5fe79a661b0e0bd14c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1k4zxuws\1k4zxuws.cmdline

Filesize
282B

MD5
c1e9c442bc3c332ca133a2cbacc0c167

SHA1
fca689a30ac42e822a1befdba23232ae5e79eeb0

SHA256
e9d139cddf9c67f1c30f5e89fee09d1e5f6bf3cef2f43eead41f30192c135185

SHA512
14488bd67acdcb5a800fdde3b2e19609b9f8b6df393eab82c875144ecf8fa6dc74015cb4bd787d8696ab11dfd38a85435d326b0e7bd718c3319d6eb45d10767d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1F84.tmp

Filesize
5KB

MD5
e799b39d9e6e97f100d7606da94fc37d

SHA1
6dbfc489cbe002944ba8b9f70ebc918ca9d410cb

SHA256
819c171746d2656b3c384e56a0ba50d206f181f209f9f5d27d068874c282a84d

SHA512
ce03921cc6e6ac9a05286351bb653666135090609f25d086f926b306c53dfb90ca91dd00116e612fa06158ea202f9d82d6b62b663d4a3a30999453b6246bcd1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES20CD.tmp

Filesize
5KB

MD5
477ba3ce505621ecdf9b155ea8516104

SHA1
98c107aed0048a1f3a2a344e78707e04bb74d01b

SHA256
a3104b05de3fac0c61b88b7ae4fbab3d3268abd2839bc59f298c70fd24d6ce38

SHA512
707440b6312b14a77743f88176d4a30898510b7902ee2d379d3832733d9146de50a21d7393afa266f27c2e1e6bf95ff51651a3bc59c198c77e81397faccec4c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\uzfkdb5w\uzfkdb5w.0.vb

Filesize
240B

MD5
8234056a00797d48ee381512ae885439

SHA1
a01390a6c6b341d37b08461e929bf5934ba58749

SHA256
1566874c89e204239e04a59451aa0e55b5468be968dceeef8f3b0b5c9b03a058

SHA512
2287f7fbe92e1867b5abebe52fe98b9442ca971d8e40ba1012d02a24628746555c2224f4fba248fdc0a62c0f1759e3b9a6efc5efd40f24062af1591d75fa8ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\uzfkdb5w\uzfkdb5w.cmdline

Filesize
293B

MD5
6f7668b0624c0eea5ea81d8ddac9c972

SHA1
09747eee673957d04668e8b70700e1fd50b06e93

SHA256
bbbfdd9930ba2457b3a0aa1593be096f5962a347194b34c0b2f0169afe15c73d

SHA512
af251dc847c7790bd72bb47034dba8d9e1d98cd66f88feb17891a42c6fe37a01466a88b070f28a600000993010101b667b9e61c73dac3adf64ddf6aec6de7ea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc19FB19E1EABF40A08CE8B8B8CF1578CD.TMP

Filesize
4KB

MD5
3bc8adeb12a0fcc53a2368d6b2ac06f1

SHA1
1fbf854011bdb8a6d8b876dd03eb58f70422b5c9

SHA256
05d3206e82e3219eaa0ea9825b64eb5d32f542f257a5ff4c72149ebe0a7be12b

SHA512
8885b4fc552332b8e667e425afbc9c18ec54fb561a49b085aef5fdc51142efc61bf7d2b868632d1f1a6e03b256b9422be706aa3cfa58a8de6ef15b94abb163cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2BFAD73919D4D8DBC9EB2B56EC95226.TMP

Filesize
4KB

MD5
4162c05f88e8459f843325fddd58b73d

SHA1
585a582f7c4d9b218d68ca18d6cf46801b1db4fe

SHA256
3ffa4819f285544e028ad56d2ade2bf07599d569bb925812a0566deea7ae17fc

SHA512
cc2d732fe8f925df5d9c03b5f237dcbb5c9ca93d0878b2b29bbc635e9daec32a460e45510088831fd3e00015e01649df2b378db4a982f536cd1f1beabc102af1

Download Submit
C:\Users\Admin\AppData\Roaming\Lime\ICO\Firefox.ico

Filesize
4KB

MD5
a561ca41d3b29c57ab61672df8d88ec9

SHA1
24567a929b98c2536cd2458fdce00ce7e29710f0

SHA256
f8c5b0b66dbab94ebed08de93cf2300c9933db9ba43b468a0cda09602a2520ce

SHA512
eede6794c1a7318fa6107069719fb6ea885b2aa0410e70b300fa65e349a7c6798eb232fb8b6ac254821145cf9de5b91846b1e80514a402a3234c1b336223b027

Download Submit
C:\Users\Admin\AppData\Roaming\Lime\ICO\GoogleChrome.ico

Filesize
6B

MD5
ed5a964e00f4a03ab201efe358667914

SHA1
d5d5370bbe3e3ce247c6f0825a9e16db2b8cd5c5

SHA256
025fc246f13759c192cbbae2a68f2b59b6478f21b31a05d77483a87e417906dd

SHA512
7f3b68419e0914cec2d853dcd8bbb45bf9ed77bdde4c9d6f2ea786b2ba99f3e49560512fbb26dd3f0189b595c0c108d32eb43f9a6f13bbc35b8c16b1561bd070

Download Submit
C:\Users\Admin\AppData\Roaming\Lime\ICO\MicrosoftEdge.ico

Filesize
4KB

MD5
dfe08c8c6e8e1142309ac81d3ea765ec

SHA1
da81d0b263ca62dcc2deab48835cf1dc1e8dac0a

SHA256
04d17515c60ac7ec901b27e116fd1a965f529dcb20b3609df5b3cb58cff8e456

SHA512
2b4f91df4b9a75df3e7fc50733b795adaafc4d8ae323339fbb9a38309c6898a6b877f6fa6a2cb476f661d80a5f1969b284deef5c0a4439b221ddd8750bb102ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\IconLib.dll

Filesize
59KB

MD5
45ecaf5e82da876240f9be946923406c

SHA1
0e79bfe8ecc9b0a22430d1c13c423fbf0ac2a61d

SHA256
087a0c5f789e964a2fbcb781015d3fc9d1757358bc63bb4e0b863b4dffdb6e4f

SHA512
6fd4a25051414b2d70569a82dff5522606bfc34d3eaeea54d2d924bc9c92e479c7fda178208026308a1bf9c90bee9dbcaf8716d85c2ab7f383b43b0734329bc8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Microsoft.exe

Filesize
95KB

MD5
ea7e08be1070d80d655c888c706e0f24

SHA1
0a306cf100c098860b2af1afc850e6dc82e9a855

SHA256
066cc1f77311bb6532cd2fe87e20487dd5dac8a2b0749c85ec7b85a03acfc2b2

SHA512
c049e5ad899ea384876f6d01aa2c53738197f569b9383a49d2c6313929afede9fd555dbb4e524976867d6ad6d3cbdc8278efc9ed42ab3065a4a5e2626fccc8c2

Download Submit
memory/3812-16-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/3812-0-0x00000000744DE000-0x00000000744DF000-memory.dmp

Filesize
4KB

Download
memory/3812-5-0x0000000005B20000-0x00000000060C4000-memory.dmp

Filesize
5.6MB

Download
memory/3812-4-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/3812-3-0x0000000004E00000-0x0000000004E66000-memory.dmp

Filesize
408KB

Download
memory/3812-2-0x0000000004D60000-0x0000000004DFC000-memory.dmp

Filesize
624KB

Download
memory/3812-1-0x0000000000370000-0x000000000038E000-memory.dmp

Filesize
120KB

Download
memory/4060-15-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/4060-28-0x0000000001430000-0x0000000001446000-memory.dmp

Filesize
88KB

Download
memory/4060-22-0x0000000007AF0000-0x0000000007B14000-memory.dmp

Filesize
144KB

Download
memory/4060-21-0x0000000007AD0000-0x0000000007AEE000-memory.dmp

Filesize
120KB

Download
memory/4060-20-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/4060-19-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/4060-18-0x0000000006D20000-0x0000000006DB2000-memory.dmp

Filesize
584KB

Download
memory/4060-17-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download