limerat | 46c414d0da7ab1033ae781c9da1a37914cfbc8eba076f1a77887c69d333daea1 | Triage

Submit
Reports

Overview

overview

Static

static

New-Client.exe

windows11-21h2-x64

Sharing

General

Target

New-Client.exe
Size

28KB
Sample

241214-fpqhpstmgt
MD5

b8813ba4749b8bea32e1ef702ad83c34
SHA1

aa849260f51fe5de7715c7891d2ecdb451d9d64c
SHA256

46c414d0da7ab1033ae781c9da1a37914cfbc8eba076f1a77887c69d333daea1
SHA512

0dee9b0cb061feabf7e19b680da7c937bbb579a372b0cc2c8835124f64488d19bfba7f6f92145e0aaca64ad28f4b9371e89e89e0380821f89c5d1273567df1f5
SSDEEP

768:3pe26nrwtRohTa8X345NjiQshjED80DPAgj:3pGrwtRodzIPBshjEDtcg

Score

10^/10

limerat credential_access discovery ransomware rat spyware stealer

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

New-Client.exe

Resource

win11-20241007-en

limerat credential_access discovery ransomware rat spyware stealer

windows11-21h2-x64

28 signatures

150 seconds

Malware Config

Extracted

Family

limerat

Attributes

aes_key
ashhook123
antivm
false
c2_url
https://pastebin.com/raw/aNRufvVn
delay
40
download_payload
false
install
true
install_name
svhost.exe
main_folder
AppData
pin_spread
false
sub_folder
\Sys\
usb_spread
true

Targets

- Target
  
  New-Client.exe
- Size
  
  28KB
- MD5
  
  b8813ba4749b8bea32e1ef702ad83c34
- SHA1
  
  aa849260f51fe5de7715c7891d2ecdb451d9d64c
- SHA256
  
  46c414d0da7ab1033ae781c9da1a37914cfbc8eba076f1a77887c69d333daea1
- SHA512
  
  0dee9b0cb061feabf7e19b680da7c937bbb579a372b0cc2c8835124f64488d19bfba7f6f92145e0aaca64ad28f4b9371e89e89e0380821f89c5d1273567df1f5
- SSDEEP
  
  768:3pe26nrwtRohTa8X345NjiQshjED80DPAgj:3pGrwtRodzIPBshjEDtcg
Score

10^/10

limerat credential_access discovery ransomware rat spyware stealer
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Limerat family
  limerat
- Renames multiple (7197) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Windows Credential Manager

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Defacement

Tasks

static1

behavioral1

limeratcredential_accessdiscoveryransomwareratspywarestealer

© 2018-2024

Terms | Privacy