limerat | b7a2def2630cbbca20d06f0d40ceaf00f8df471adb12f62efbeb513681cf4878

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2025, 23:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

quarantine/eLa1r6q.exe
Size

28KB
MD5

15e27b66a793a187332608a4308395db
SHA1

3d35e1afd2ec15bfe99421b16a564b85f80a1a21
SHA256

c21710c62b0a9cf87454c0a7465379a9fc792800be77ba95cb6fd0f2d611213f
SHA512

2afae47d044a03f04c87c7c790c0e13628189a249de12b73f815faf7e04b49a6837e25682f83efeb2cf06dd7621a9d2ef17dd34e7ae13e57ec2843b04bb73ae4
SSDEEP

768:JpW26eWrwugABZ445NwzQbF45rXupSUj:Jp/WrwuVrFkzAFkXCSU

Score

10^/10

limerat parallax discovery rat

Malware Config

Extracted

Family

limerat

Wallets

34oTgBswSRbYC4CZFC9TdmhEtC4CU2TDY7

Attributes

aes_key
1212
antivm
false
c2_url
https://pastebin.com/raw/qEZEFuXv
delay
3
download_payload
false
install
true
install_name
Windows.exe
main_folder
AppData
pin_spread
true
sub_folder
\Security\
usb_spread
true

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/qEZEFuXv
download_payload
false
install
false
pin_spread
false
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Limerat family
limerat
Parallax family
parallax
ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	eLa1r6q.exe

Executes dropped EXE 1 IoCs

pid	Process
4688	Windows.exe

Loads dropped DLL 2 IoCs

pid	Process
4688	Windows.exe
4688	Windows.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
23	pastebin.com
24	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eLa1r6q.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4672	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
4688	Windows.exe
4688	Windows.exe
4688	Windows.exe
4688	Windows.exe
4688	Windows.exe
4688	Windows.exe
4688	Windows.exe
4688	Windows.exe
4688	Windows.exe
4688	Windows.exe
4688	Windows.exe
4688	Windows.exe
4688	Windows.exe
4688	Windows.exe
4688	Windows.exe
4688	Windows.exe
4688	Windows.exe
4688	Windows.exe
4688	Windows.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4688	Windows.exe
Token: SeDebugPrivilege	4688	Windows.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5832 wrote to memory of 4672	5832	eLa1r6q.exe	89
PID 5832 wrote to memory of 4672	5832	eLa1r6q.exe	89
PID 5832 wrote to memory of 4672	5832	eLa1r6q.exe	89
PID 5832 wrote to memory of 4688	5832	eLa1r6q.exe	91
PID 5832 wrote to memory of 4688	5832	eLa1r6q.exe	91
PID 5832 wrote to memory of 4688	5832	eLa1r6q.exe	91
PID 4688 wrote to memory of 3096	4688	Windows.exe	94
PID 4688 wrote to memory of 3096	4688	Windows.exe	94
PID 4688 wrote to memory of 3096	4688	Windows.exe	94
PID 3096 wrote to memory of 1956	3096	vbc.exe	96
PID 3096 wrote to memory of 1956	3096	vbc.exe	96
PID 3096 wrote to memory of 1956	3096	vbc.exe	96
PID 4688 wrote to memory of 5400	4688	Windows.exe	97
PID 4688 wrote to memory of 5400	4688	Windows.exe	97
PID 4688 wrote to memory of 5400	4688	Windows.exe	97

C:\Users\Admin\AppData\Local\Temp\quarantine\eLa1r6q.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\eLa1r6q.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5832
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\Security\Windows.exe'"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4672
- C:\Users\Admin\AppData\Roaming\Security\Windows.exe
  "C:\Users\Admin\AppData\Roaming\Security\Windows.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qpbinb5f\qpbinb5f.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3096
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES323.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE2ED4D0942B8463E9BA22CD893BE4542.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1956
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sbirivuv\sbirivuv.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5400

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES323.tmp

Filesize
5KB

MD5
881ebc78068bf4b877e44e72a2b75268

SHA1
b081fe3ee283501152efc0c5d3fe610270bca4d6

SHA256
426e786075df623e1a261366579394a22e09655a0da9f6b94502a4667d654f15

SHA512
8c5fb23ef7501c670c4609ecfcb5e9407fd846b941b8751301c8b00ec328270257b4d9ac9ad018adfd6377296fbdb75b7d05c4497b4527a2caab37c544247de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpbinb5f\qpbinb5f.0.vb

Filesize
231B

MD5
8347c9a695bd16dc09435cddd19b6000

SHA1
cd9047d5ccd74fbfd201678c1c063f3bffb79327

SHA256
90a8d2302b5781a77b4d8b5bcf18f2545d67f3d241443013adafdcbca45e0a13

SHA512
2ddf64b4cc141a779c5f55d5803f9d112453ab485484e64aef2e7e2df647f6da6311e5091089abe17578055eabb3fcaf9c5609a10df30e644d96827cfc331497

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpbinb5f\qpbinb5f.cmdline

Filesize
282B

MD5
b166c5e1aa056ba8ba0ed0090b55855f

SHA1
853a3f7e95cd85491cf3a7fe3a634214d8dfa2a4

SHA256
698178e0b7b03d3f5b8f95067972b93c2139150d76d5fba2bb7cb64af897b5a0

SHA512
6a98a1120148c4da15b9921caadacd2670f4fd13f26167f1dea4ac1cac5b7137c448836b3b16c6313e45d27273e113dac7f63f9535c34221eb452afc49cb1f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbirivuv\sbirivuv.0.vb

Filesize
237B

MD5
582101aa62357b56ecf1decffe279509

SHA1
b54be94c1b0309e8ef1cd57956e1cbbb0bf5873f

SHA256
23f58a7ab729c95393da7cb2a02866f3040c6ba4c79f99329600c1ee3f2d445d

SHA512
e657fc4ec71f4373bb5d91596c90cae0b44a3705877da744833b3334ced39ec945204ba351333924fb5fbf36aa3f33bc25d90491a850a3fb372ac6e5eb8cf209

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbirivuv\sbirivuv.cmdline

Filesize
293B

MD5
00fe7b3c0e15199129819660043d143d

SHA1
ebba33b71a8787d90a34803497659e3e79ba3897

SHA256
729a1a6317ca074c313581c9448eae176a088a3fd07e2f45606beda90130c4d5

SHA512
b94c1a7e126ede224d5f08f2541c6b287e0279910d34a3a9cac9ab9292e5624896e7cb90c80612bc4caef5e728169f5877225715d2799d63587973022b37039c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE2ED4D0942B8463E9BA22CD893BE4542.TMP

Filesize
4KB

MD5
3bc8adeb12a0fcc53a2368d6b2ac06f1

SHA1
1fbf854011bdb8a6d8b876dd03eb58f70422b5c9

SHA256
05d3206e82e3219eaa0ea9825b64eb5d32f542f257a5ff4c72149ebe0a7be12b

SHA512
8885b4fc552332b8e667e425afbc9c18ec54fb561a49b085aef5fdc51142efc61bf7d2b868632d1f1a6e03b256b9422be706aa3cfa58a8de6ef15b94abb163cd

Download Submit
C:\Users\Admin\AppData\Roaming\Lime\ICO\Firefox.ico

Filesize
4KB

MD5
a561ca41d3b29c57ab61672df8d88ec9

SHA1
24567a929b98c2536cd2458fdce00ce7e29710f0

SHA256
f8c5b0b66dbab94ebed08de93cf2300c9933db9ba43b468a0cda09602a2520ce

SHA512
eede6794c1a7318fa6107069719fb6ea885b2aa0410e70b300fa65e349a7c6798eb232fb8b6ac254821145cf9de5b91846b1e80514a402a3234c1b336223b027

Download Submit
C:\Users\Admin\AppData\Roaming\Lime\ICO\GoogleChrome.ico

Filesize
6B

MD5
ed5a964e00f4a03ab201efe358667914

SHA1
d5d5370bbe3e3ce247c6f0825a9e16db2b8cd5c5

SHA256
025fc246f13759c192cbbae2a68f2b59b6478f21b31a05d77483a87e417906dd

SHA512
7f3b68419e0914cec2d853dcd8bbb45bf9ed77bdde4c9d6f2ea786b2ba99f3e49560512fbb26dd3f0189b595c0c108d32eb43f9a6f13bbc35b8c16b1561bd070

Download Submit
C:\Users\Admin\AppData\Roaming\Security\IconLib.dll

Filesize
59KB

MD5
45ecaf5e82da876240f9be946923406c

SHA1
0e79bfe8ecc9b0a22430d1c13c423fbf0ac2a61d

SHA256
087a0c5f789e964a2fbcb781015d3fc9d1757358bc63bb4e0b863b4dffdb6e4f

SHA512
6fd4a25051414b2d70569a82dff5522606bfc34d3eaeea54d2d924bc9c92e479c7fda178208026308a1bf9c90bee9dbcaf8716d85c2ab7f383b43b0734329bc8

Download Submit
C:\Users\Admin\AppData\Roaming\Security\Windows.exe

Filesize
28KB

MD5
15e27b66a793a187332608a4308395db

SHA1
3d35e1afd2ec15bfe99421b16a564b85f80a1a21

SHA256
c21710c62b0a9cf87454c0a7465379a9fc792800be77ba95cb6fd0f2d611213f

SHA512
2afae47d044a03f04c87c7c790c0e13628189a249de12b73f815faf7e04b49a6837e25682f83efeb2cf06dd7621a9d2ef17dd34e7ae13e57ec2843b04bb73ae4

Download Submit
memory/4688-28-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/4688-18-0x0000000006550000-0x00000000065E2000-memory.dmp

Filesize
584KB

Download
memory/4688-20-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/4688-21-0x0000000007390000-0x00000000073AE000-memory.dmp

Filesize
120KB

Download
memory/4688-22-0x00000000073B0000-0x00000000073D4000-memory.dmp

Filesize
144KB

Download
memory/4688-17-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/4688-19-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/4688-16-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/5832-5-0x0000000005980000-0x0000000005F24000-memory.dmp

Filesize
5.6MB

Download
memory/5832-0-0x000000007480E000-0x000000007480F000-memory.dmp

Filesize
4KB

Download
memory/5832-15-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/5832-4-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/5832-3-0x0000000004C30000-0x0000000004C96000-memory.dmp

Filesize
408KB

Download
memory/5832-2-0x0000000004B70000-0x0000000004C0C000-memory.dmp

Filesize
624KB

Download
memory/5832-1-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download