limerat | 18dfa73375b80be2a9651411bdd5c4735c9738af35f086f426584ee2776d9fa3 | Triage

Sharing

General

Target

New-Client.exe
Size

28KB
Sample

241130-rje1kawkfs
MD5

42dd04b2c91e0b8c4b6c676c0bf067bc
SHA1

8fb5c885299eb1fb4c93e76cc7172058a347c48b
SHA256

18dfa73375b80be2a9651411bdd5c4735c9738af35f086f426584ee2776d9fa3
SHA512

24cc5f837445c1ea3cb9c39f66186d2be23674444f6a46df296a4a0538aa5fa4bde6ad4251bc8adc74dfc5689576763e592d0713a303e8a2f7828b2bf4b34b2e
SSDEEP

384:GB+Sbj6NKsHU637AHteXnmqDvDj63XjUQvDKNrCeJE3WNgtTKNnqgqoXiuQro3li:8ps0637wtexv6nQe45NDNnhqVUIj

Score

10^/10

limerat discovery ransomware rat spyware

Malware Config

Extracted

Family

limerat

Attributes

aes_key
ponontop
antivm
false
c2_url
https://pastebin.com/raw/U06jyvTy
delay
3
download_payload
false
install
true
install_name
sus.exe
main_folder
AppData
pin_spread
true
sub_folder
\sus\
usb_spread
false

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/U06jyvTy
download_payload
false
install
false
pin_spread
false
usb_spread
false

Targets

- Target
  
  New-Client.exe
- Size
  
  28KB
- MD5
  
  42dd04b2c91e0b8c4b6c676c0bf067bc
- SHA1
  
  8fb5c885299eb1fb4c93e76cc7172058a347c48b
- SHA256
  
  18dfa73375b80be2a9651411bdd5c4735c9738af35f086f426584ee2776d9fa3
- SHA512
  
  24cc5f837445c1ea3cb9c39f66186d2be23674444f6a46df296a4a0538aa5fa4bde6ad4251bc8adc74dfc5689576763e592d0713a303e8a2f7828b2bf4b34b2e
- SSDEEP
  
  384:GB+Sbj6NKsHU637AHteXnmqDvDj63XjUQvDKNrCeJE3WNgtTKNnqgqoXiuQro3li:8ps0637wtexv6nQe45NDNnhqVUIj
Score

10^/10

limerat discovery ransomware rat spyware
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Limerat family
  limerat
- Renames multiple (1023) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

limeratdiscoveryransomwareratspyware