limerat | 13a21602d5f5fceadfb7e45828fe76a44dc2dab2932fed665938715af574be9d

Analysis

max time kernel
99s
max time network
141s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
22-01-2025 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MuRra1N Installer.exe
Size

15.7MB
MD5

037ac0e6baf12a5eaf477c48fe923f2e
SHA1

19cadd63865579f4f7ceee970c731d9ff0e5a20a
SHA256

13a21602d5f5fceadfb7e45828fe76a44dc2dab2932fed665938715af574be9d
SHA512

70f80fc9bd3c9b163d694376b294619810099146b09b0bf479e5435001758bbe9450ba72766e4cdb873e68c205d9f85df6fc4129f33f7043fc90f86bc4c4e5b0
SSDEEP

393216:5NqIqvpE65+X2WPccsW9DM27doT6VWD2Ln9CDuIuLGgvKcE:50i6UmGM27mmsAn9C6fGgv/

Score

10^/10

limerat defense_evasion discovery rat

Malware Config

Signatures

Contains code to disable Windows Defender 4 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/2544-2-0x000000000B530000-0x000000000C89E000-memory.dmp	disable_win_def
behavioral1/memory/3440-63-0x0000000000C50000-0x0000000001CC6000-memory.dmp	disable_win_def
behavioral1/memory/3440-64-0x0000000000C50000-0x0000000001CC6000-memory.dmp	disable_win_def
behavioral1/memory/3440-81-0x0000000000C50000-0x0000000001CC6000-memory.dmp	disable_win_def

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Limerat family
limerat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MuRra1N.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MuRra1N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MuRra1N.exe

Executes dropped EXE 1 IoCs

pid	Process
3440	MuRra1N.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2449540194-3226363261-2578591490-1000\Software\Wine	MuRra1N.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
32	iplogger.org
33	iplogger.org

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3440	MuRra1N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MuRra1N Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MuRra1N.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	MuRra1N Installer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2544	MuRra1N Installer.exe
2544	MuRra1N Installer.exe
3440	MuRra1N.exe
3440	MuRra1N.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2544	MuRra1N Installer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2544	MuRra1N Installer.exe
Token: SeDebugPrivilege	3440	MuRra1N.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3440	MuRra1N.exe

C:\Users\Admin\AppData\Local\Temp\MuRra1N Installer.exe
"C:\Users\Admin\AppData\Local\Temp\MuRra1N Installer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3596

C:\Users\Admin\Desktop\New folder\MuRra1N.exe
"C:\Users\Admin\Desktop\New folder\MuRra1N.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\FindSplit.i64

Filesize
856KB

MD5
ebbffac026869be8811d37d9efe03a48

SHA1
14baba0e0d272401bdbb5a49f1a51e906534dcb7

SHA256
0228439a92ac9478479b6ddd105732b01794dd66e0c4edbc2b0628e6dc235b76

SHA512
47af5d2057f8d67ed3b844a89b94427dca1e4c9589782147eef76b8850331ba5b1b2f9d2a718fb98c3e976ccf16c36ed8dfca998c87f60996fa6306071147f39

Download Submit
C:\Users\Admin\Desktop\GetExport.ico

Filesize
634KB

MD5
2468ab7cede3b25eec7cc7754f04b6cd

SHA1
0f8d58d385501e9f7d6930caee6ba512635bcc0c

SHA256
56549d1ce59d3e496d66f22787dd00fe6baa15ecfca03d0c0f6295b8502018d3

SHA512
a434c3d5f48d6817def540eca97c4f66c372fd6cc176b4b42863d4a4b58dcaf0e4e994806b7fd902e3805634bd1b08954ad8498622ab17f989a95ebc4bf3a541

Download Submit
C:\Users\Admin\Desktop\GetUnblock.bin

Filesize
729KB

MD5
769d2f7417d96706bde350e6742d3801

SHA1
2766cdf23d3c8a38cf3b2aa7584ea90c6348e25d

SHA256
d7f38a1a9f2126bff494633b35159781423196c03fff63f5a37960b309a856ce

SHA512
1807dbfc3489efc67802eb9a936e962a9e9de38a867ce940c5aa41f735d4edf0ff1fc0de1da7f65727ebd52693c913f354b6f4da045b782aa26f4f38c322d587

Download Submit
C:\Users\Admin\Desktop\GrantRepair.html

Filesize
983KB

MD5
4e2cf56d91ba26648bdab4e808fec945

SHA1
6a14b798254f5dfef7d4cc3897626439080839b0

SHA256
fe7e55094b056b7c9a634737c335171414edf94349018f195c5774cadb367411

SHA512
3c2eab16cca0e032a92093ba250e70ac19cd3dad8094300e9a707902dfaa8dc14bb04f17251c11908b54ec3209f1600593158af01e4bf1feaf086769e2994c15

Download Submit
C:\Users\Admin\Desktop\GroupBackup.mpeg2

Filesize
444KB

MD5
0c2f9380e483c6ad1ddee6a36edb85cb

SHA1
7781292948be47cb1aff58f105e126facc15916a

SHA256
3e837418337f69ba6f12ef32225c19d698b7859a81c0567e73947a314bb6ebe9

SHA512
6dff1a075da0ea320e0eb6788d65822919df7d56e1c159a7ebf322ad9d383ff7365a5d4f729166480d9cec49ccd859b9f4cc75daa53a78755cd063d53b163779

Download Submit
C:\Users\Admin\Desktop\InvokeBlock.xlsx

Filesize
12KB

MD5
c4fea173b412b71d21ac427fb98416cd

SHA1
4397909b70ebf5c657a3a7690389928daced1e03

SHA256
a65abb9f91d580db2442f8f89bca1aec710b8e9e652931a23b1f368f2be69d7c

SHA512
2928b661cd3ebd26868d0a5fdb291bdc0cfd1252a061887dd45b6a52877a5d7c2d5ffe4b9ef22d48ca2b9710928887bb07f63467d17ce1282f9cfd986a23ad23

Download Submit
C:\Users\Admin\Desktop\LockSelect.xps

Filesize
602KB

MD5
0800a6d6d3267ad0575aa5b21dc182cb

SHA1
ecbf09564975f15d24f6bd3c3eb1e745c48cca9b

SHA256
92f4b4bcab4e053355b0ef547b06b5e8e7064edc5fbd2d3e25ec9843c115ddbb

SHA512
7d369ad322a9467ac31ea24791b7656cbe3a4afd57a887391f8d5b80f39b7d996ea44bdec6f4eff0882370a43b6b4641f182f726c37e0f1b879fce5caddfe5af

Download Submit
C:\Users\Admin\Desktop\MeasureDismount.docx

Filesize
19KB

MD5
abc40d17bb9aa2538595c0b9f0ab95ed

SHA1
003cf9d9c35d2acaf223feca0df74ecc791bbd25

SHA256
f9db8eb751b4ad68dd5ef0c8d60b92e1ecf91321a2a3722e6309806a3c80dcd8

SHA512
c51bde1e931ec560cc51973f4a06c6e173f616943a94131c53446260293fea8446debb313b634faf7b69edb732e6aa3e665b08f585de7b010e3ce035309d3e9f

Download Submit
C:\Users\Admin\Desktop\MountMove.exe

Filesize
666KB

MD5
0d9cb12ad34632ad9d15e338868e3eb8

SHA1
ec759a7daf3a153e19353c3bc6eb501a8ee88c5d

SHA256
f01f0f9e6dbfec859ceadd225e4ae5a0f00235ca0a950961f34d3af32e08ede1

SHA512
9bdb95b39a4ba6d4ebe3ad6ed48574cb1c56abf3c5c8298d7a192cabd14750a055a5d1e9a227eb0bb1dbd82baa61be7f59aac0206ece4fddc940ada0011b05db

Download Submit
C:\Users\Admin\Desktop\MovePush.ogg

Filesize
380KB

MD5
6ad326f69d823304d2062165d55188d8

SHA1
9997773874f493bd2f3dcb8c2f04bf004638acef

SHA256
e5011e852351faa0a1d78303968690d3a7ec485df2a9f95852cfda53253eef9c

SHA512
9903e8c4f4981cf8a7fd0da52a3946d4474d785f5f2baf0c3be8fac177aa153d6bf2ff83e572def67399c9c7b75fc16c9bfe5c933891a9967b3b5ed3e31c94b2

Download Submit
C:\Users\Admin\Desktop\New folder\MISC\PORTS.dat

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Users\Admin\Desktop\New folder\Misc\GeoIP.dat

Filesize
1.2MB

MD5
8ef41798df108ce9bd41382c9721b1c9

SHA1
1e6227635a12039f4d380531b032bf773f0e6de0

SHA256
bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740

SHA512
4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b

Download Submit
C:\Users\Admin\Desktop\New folder\MuRra1N.exe

Filesize
9.8MB

MD5
29cfe05afad44fdbc83fa3671891688f

SHA1
429de9b3429abd612c7c8343614c62e17ff4130b

SHA256
1479cd2a1a05c905f63483a40d9ec251f044161a81fb585e4d7d469b7bc291af

SHA512
c749c45924d4059f30ba918b31856cea7b6c74e4ebd982dc2dd05c3de3a30014ac38e45eeb796c447450bb07e02c2da00c61126709995ff4ff3bf0266ad842e5

Download Submit
C:\Users\Admin\Desktop\New folder\MuRra1N.exe.config

Filesize
9KB

MD5
1d1c996b6ff660cdb29884546d94d7f5

SHA1
259123cf0e5bfeba4a44704858751042f1b036c4

SHA256
7ed841b0dfa126544b3f115a70584a2a6b0e3772b937ae1f3217339cbdf899c7

SHA512
825e1ad2696d1516714c619a1a2187ffa3b34dd4d6d231ed7d2abb1493fdbc601417935ac8ac7d7abecf6ad920210a88d5a8c1831d4194392aa0f771c6e63e58

Download Submit
C:\Users\Admin\Desktop\OpenCopy.xlsx

Filesize
10KB

MD5
1dbbcd1d77a099492abcc5def0939ee6

SHA1
4598e1ba2b1276df5f8bb3090cbf2bf643da904d

SHA256
20b579c80c9e6e63001bf6b0d8180bdaa8a991e8f3eac8af2dba5767fb8f2649

SHA512
9367b17abe236fa690a1c51a1e661e0e5dc7248ba61156c5cf298479206e07694e5778d05c60f3fbeb17e37b743f9f59d3c6d3b3fe636beb3b34b64a5a24d48a

Download Submit
C:\Users\Admin\Desktop\PublishCompare.htm

Filesize
920KB

MD5
5c508a0b836dae5488fca5cbb35b16b1

SHA1
7ad4a6c8b58001732dccf5fd6c8db089c424e91e

SHA256
3230fffe0b0e8652ae067f8b9374dc3eb538a707a4f138bde852566aa95772e6

SHA512
690f1aeaf2d08939e55f91ce8cf52c897b18c3a4187981ff071dcb18711ec9d12c3440f92a2d01c60a54038e81692aa727532ed0fc693165e0ebb7f842de50a8

Download Submit
C:\Users\Admin\Desktop\ResizeDeny.vdw

Filesize
507KB

MD5
1cbbdfe7b2e89e71d23aea92904968a8

SHA1
6e34fcd7c6e0ee30fd4ad93c38676b5c5ffe1473

SHA256
ce2787839de4c1ecb93db0569a1a73f39ac953f5dd0144fd01c3131165bd9955

SHA512
ede1de9200b8850a87354769db96072eca9455126c9bd75005d1d8fa328e9782f95eee6e2c550884749eeedd74edb60ee061208e8035a2eed7d6bf9f7763ca3a

Download Submit
C:\Users\Admin\Desktop\ResumeDebug.svg

Filesize
539KB

MD5
dbfeffaed6ba3be5c69db5f365105a86

SHA1
6aa388851544254ab51445b84379eb211a538a1a

SHA256
5b4a0cb30caf288c5fa5589c365fac7f17c06fbfd15c4252c11218dbfa457fc2

SHA512
d19c065ce8ec3ef44020eb587a5eda87b41d603a09e4c775bf22bdd3ac96477e7122071dbbfe9463f17fefafc608e5a52f134713272fa927dd952c14e065811f

Download Submit
C:\Users\Admin\Desktop\SearchUnregister.mp2

Filesize
571KB

MD5
30925e7d2fcbe97b35530aa5cb6ee790

SHA1
0990dc847b3e75aae9e4ee357adc1b98afa3a68e

SHA256
278ae59cc82cf18dde38ee37b015ae0cfce5527c5c14047dc20a9a5c3870df24

SHA512
dcbd2a631d61ed4483fe3baee6bbbfa36154bf68a3ddf7f81e7a5420ed4f4b6f700a77f4dceee871673240675572a4d32b41e10acf5ef80c4e12c55e84a84c50

Download Submit
C:\Users\Admin\Desktop\StepRedo.emz

Filesize
476KB

MD5
34321a685bd70310fc488440bc060cf0

SHA1
1f3a13b31f008c97d649468d2a8706963f39d60e

SHA256
9ee2746f99d59c2cdd3335584db73344a4445e34cbcffb412b9dee48ed7d6be4

SHA512
324f8937e14db4e992d04c549a4f941b4ce4495d26d5ad24652262e47e1efaccef9dd456658692ca75608b6da12e049995c0516ad16269a774b7caaa8edeb537

Download Submit
C:\Users\Admin\Desktop\StopClear.eprtx

Filesize
412KB

MD5
9b7eef01009d87e6c437661f99f8d1ac

SHA1
2b6547e1e0e42fa0b60850b77bac44ef4e59db88

SHA256
ca33699fc5c82241146cd851831daa3fc985232b4804d1260c069a3a890aff4e

SHA512
8e8cadadcce30a14065946e2e494548af45a293188e7318926e2562a6dcc554368bd35520a97e6f78f534d72b81eaaac471065c039ec14664d93d1373899e4a4

Download Submit
C:\Users\Admin\Desktop\SuspendRevoke.ADTS

Filesize
761KB

MD5
db825ed30d98e4966c66fb0f4ef24738

SHA1
6fc1f1e374eb0a95a6d9d1d2ff259f358b3bc0a4

SHA256
3d0a5cc4e311d8674c1d652d74ae5d7b2b1a699382cef4a83512f21aa6416d04

SHA512
3eeb584b081e8a898f94db15f4554897dc632ad950caf1467ac3a26e5fc8d1f73395fe6abb511f18c02d17d9d1dc2fccee3d289846dccb60cccff1dda6330a3f

Download Submit
memory/2544-29-0x0000000075150000-0x0000000075901000-memory.dmp

Filesize
7.7MB

Download
memory/2544-0-0x000000007515E000-0x000000007515F000-memory.dmp

Filesize
4KB

Download
memory/2544-24-0x0000000009BC0000-0x0000000009C52000-memory.dmp

Filesize
584KB

Download
memory/2544-25-0x0000000075150000-0x0000000075901000-memory.dmp

Filesize
7.7MB

Download
memory/2544-26-0x000000000A330000-0x000000000A338000-memory.dmp

Filesize
32KB

Download
memory/2544-27-0x000000000AAB0000-0x000000000AAE8000-memory.dmp

Filesize
224KB

Download
memory/2544-28-0x000000000AA70000-0x000000000AA7E000-memory.dmp

Filesize
56KB

Download
memory/2544-22-0x0000000009610000-0x0000000009BB6000-memory.dmp

Filesize
5.6MB

Download
memory/2544-30-0x000000007515E000-0x000000007515F000-memory.dmp

Filesize
4KB

Download
memory/2544-31-0x0000000075150000-0x0000000075901000-memory.dmp

Filesize
7.7MB

Download
memory/2544-32-0x0000000075150000-0x0000000075901000-memory.dmp

Filesize
7.7MB

Download
memory/2544-23-0x0000000009140000-0x00000000091DC000-memory.dmp

Filesize
624KB

Download
memory/2544-83-0x0000000075150000-0x0000000075901000-memory.dmp

Filesize
7.7MB

Download
memory/2544-3-0x0000000075150000-0x0000000075901000-memory.dmp

Filesize
7.7MB

Download
memory/2544-1-0x0000000000650000-0x0000000001606000-memory.dmp

Filesize
15.7MB

Download
memory/2544-2-0x000000000B530000-0x000000000C89E000-memory.dmp

Filesize
19.4MB

Download
memory/3440-65-0x0000000008250000-0x000000000825A000-memory.dmp

Filesize
40KB

Download
memory/3440-66-0x0000000008400000-0x0000000008456000-memory.dmp

Filesize
344KB

Download
memory/3440-67-0x000000000C590000-0x000000000C5F6000-memory.dmp

Filesize
408KB

Download
memory/3440-64-0x0000000000C50000-0x0000000001CC6000-memory.dmp

Filesize
16.5MB

Download
memory/3440-63-0x0000000000C50000-0x0000000001CC6000-memory.dmp

Filesize
16.5MB

Download
memory/3440-74-0x0000000000C50000-0x0000000001CC6000-memory.dmp

Filesize
16.5MB

Download
memory/3440-81-0x0000000000C50000-0x0000000001CC6000-memory.dmp

Filesize
16.5MB

Download
memory/3440-61-0x0000000000C50000-0x0000000001CC6000-memory.dmp

Filesize
16.5MB

Download