limerat | b7a2def2630cbbca20d06f0d40ceaf00f8df471adb12f62efbeb513681cf4878

Analysis

max time kernel
149s
max time network
124s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
15/04/2025, 23:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

quarantine/eLa1r6q.exe
Size

28KB
MD5

15e27b66a793a187332608a4308395db
SHA1

3d35e1afd2ec15bfe99421b16a564b85f80a1a21
SHA256

c21710c62b0a9cf87454c0a7465379a9fc792800be77ba95cb6fd0f2d611213f
SHA512

2afae47d044a03f04c87c7c790c0e13628189a249de12b73f815faf7e04b49a6837e25682f83efeb2cf06dd7621a9d2ef17dd34e7ae13e57ec2843b04bb73ae4
SSDEEP

768:JpW26eWrwugABZ445NwzQbF45rXupSUj:Jp/WrwuVrFkzAFkXCSU

Score

10^/10

limerat parallax discovery rat

Malware Config

Extracted

Family

limerat

Wallets

34oTgBswSRbYC4CZFC9TdmhEtC4CU2TDY7

Attributes

aes_key
1212
antivm
false
c2_url
https://pastebin.com/raw/qEZEFuXv
delay
3
download_payload
false
install
true
install_name
Windows.exe
main_folder
AppData
pin_spread
true
sub_folder
\Security\
usb_spread
true

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Limerat family
limerat
Parallax family
parallax
ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

Executes dropped EXE 1 IoCs

pid	Process
6092	Windows.exe

Loads dropped DLL 2 IoCs

pid	Process
6092	Windows.exe
6092	Windows.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	pastebin.com
2	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eLa1r6q.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2684	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
6092	Windows.exe
6092	Windows.exe
6092	Windows.exe
6092	Windows.exe
6092	Windows.exe
6092	Windows.exe
6092	Windows.exe
6092	Windows.exe
6092	Windows.exe
6092	Windows.exe
6092	Windows.exe
6092	Windows.exe
6092	Windows.exe
6092	Windows.exe
6092	Windows.exe
6092	Windows.exe
6092	Windows.exe
6092	Windows.exe
6092	Windows.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	6092	Windows.exe
Token: SeDebugPrivilege	6092	Windows.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2684	2820	eLa1r6q.exe	79
PID 2820 wrote to memory of 2684	2820	eLa1r6q.exe	79
PID 2820 wrote to memory of 2684	2820	eLa1r6q.exe	79
PID 2820 wrote to memory of 6092	2820	eLa1r6q.exe	81
PID 2820 wrote to memory of 6092	2820	eLa1r6q.exe	81
PID 2820 wrote to memory of 6092	2820	eLa1r6q.exe	81
PID 6092 wrote to memory of 4700	6092	Windows.exe	82
PID 6092 wrote to memory of 4700	6092	Windows.exe	82
PID 6092 wrote to memory of 4700	6092	Windows.exe	82
PID 4700 wrote to memory of 2332	4700	vbc.exe	84
PID 4700 wrote to memory of 2332	4700	vbc.exe	84
PID 4700 wrote to memory of 2332	4700	vbc.exe	84
PID 6092 wrote to memory of 2292	6092	Windows.exe	85
PID 6092 wrote to memory of 2292	6092	Windows.exe	85
PID 6092 wrote to memory of 2292	6092	Windows.exe	85

C:\Users\Admin\AppData\Local\Temp\quarantine\eLa1r6q.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\eLa1r6q.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\Security\Windows.exe'"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2684
- C:\Users\Admin\AppData\Roaming\Security\Windows.exe
  "C:\Users\Admin\AppData\Roaming\Security\Windows.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:6092
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m53o0fd4\m53o0fd4.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4700
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE886.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc867FC82AE2FE458399C5B6BD6785C5A.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2332
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kupo02ck\kupo02ck.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2292

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE886.tmp

Filesize
5KB

MD5
d50561e7f107050800c0be96694efa4f

SHA1
54f30efe6c7cd29c9f5e2d1e99cc9cab414b832b

SHA256
c70a0e531eb2a49c75d06d2e32bdb31bb6738b66f5b56f3ff15d392aa75f3752

SHA512
7202ea2e07384d367c4500a297810f3a333b60f7e9220ad5e72b23db215e53fab114dfdd0f751770fa1467d884caa2baa3ddcf1de97adf567681ff0105781497

Download Submit
C:\Users\Admin\AppData\Local\Temp\kupo02ck\kupo02ck.0.vb

Filesize
237B

MD5
03f355079241f04fd8a8870b45382b8d

SHA1
22197d31f1c45050ef01ae9d3834fb8de5b25a55

SHA256
d76969ae0b53177488cba3422d4f68c6307873a874be6ab12154750525e7cc82

SHA512
48b7973f0539538191c87a916ebea562c4d3e702b2c24770f5808c4d13cb78e7adf4a2e9ae50a9983fbc7be3c5f9cb4877cfc2ac3d3dfd79b8b39a341e1416fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\kupo02ck\kupo02ck.cmdline

Filesize
293B

MD5
a4482be1326792b56efa9f77097e4556

SHA1
2558a1d58b81ef7c743ce10a6833483693b44913

SHA256
47d038675d3422166e9bf2dd1da9a50b8f6a34685a8ff0064d42630e7fa8ea39

SHA512
430ea4dfa619913a9de94128ea7205b9e0f1a9b7a4eeef099c1589ec9f72cc3f57f7420108dd1052bf7cad2cd6bbfc0e7e02837644fd3f284fba8d88e841dab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\m53o0fd4\m53o0fd4.0.vb

Filesize
231B

MD5
9173acf9f3d8a429f7faa4e3176fb0aa

SHA1
c3a7277e6f37826343e3628e8e3499c4858ab524

SHA256
02f03c0746103b9a19c8ae8220a1a8afa4b9a17133bba19fb703612db797f983

SHA512
a4d49f5300db3a3eb7ad9198f40cbebdd124797b6695e163165a65058de11299a2666201534c21bdbbe3c14f2175a48e26f341160e8694dd6c5c6755eec67d60

Download Submit
C:\Users\Admin\AppData\Local\Temp\m53o0fd4\m53o0fd4.cmdline

Filesize
282B

MD5
00a898934e55ba0286b052d22544b09a

SHA1
38ab8e976691a9487a5868acd3349862ba8e6b2d

SHA256
9fb080276ff2e97d3dbb42ea16a3980c93624c65fde82028ff8e74d3bab8ac7f

SHA512
cc8047a01c22a23a31084b497b198abb6bf89bffd87287a6e9b301a2158efda7731cf8f8e9e5ece45ae04fbbdc1f90623651eb03bcba1169d84a030fded02d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc867FC82AE2FE458399C5B6BD6785C5A.TMP

Filesize
4KB

MD5
3bc8adeb12a0fcc53a2368d6b2ac06f1

SHA1
1fbf854011bdb8a6d8b876dd03eb58f70422b5c9

SHA256
05d3206e82e3219eaa0ea9825b64eb5d32f542f257a5ff4c72149ebe0a7be12b

SHA512
8885b4fc552332b8e667e425afbc9c18ec54fb561a49b085aef5fdc51142efc61bf7d2b868632d1f1a6e03b256b9422be706aa3cfa58a8de6ef15b94abb163cd

Download Submit
C:\Users\Admin\AppData\Roaming\Lime\ICO\Firefox.ico

Filesize
4KB

MD5
a561ca41d3b29c57ab61672df8d88ec9

SHA1
24567a929b98c2536cd2458fdce00ce7e29710f0

SHA256
f8c5b0b66dbab94ebed08de93cf2300c9933db9ba43b468a0cda09602a2520ce

SHA512
eede6794c1a7318fa6107069719fb6ea885b2aa0410e70b300fa65e349a7c6798eb232fb8b6ac254821145cf9de5b91846b1e80514a402a3234c1b336223b027

Download Submit
C:\Users\Admin\AppData\Roaming\Lime\ICO\GoogleChrome.ico

Filesize
6B

MD5
ed5a964e00f4a03ab201efe358667914

SHA1
d5d5370bbe3e3ce247c6f0825a9e16db2b8cd5c5

SHA256
025fc246f13759c192cbbae2a68f2b59b6478f21b31a05d77483a87e417906dd

SHA512
7f3b68419e0914cec2d853dcd8bbb45bf9ed77bdde4c9d6f2ea786b2ba99f3e49560512fbb26dd3f0189b595c0c108d32eb43f9a6f13bbc35b8c16b1561bd070

Download Submit
C:\Users\Admin\AppData\Roaming\Security\IconLib.dll

Filesize
59KB

MD5
45ecaf5e82da876240f9be946923406c

SHA1
0e79bfe8ecc9b0a22430d1c13c423fbf0ac2a61d

SHA256
087a0c5f789e964a2fbcb781015d3fc9d1757358bc63bb4e0b863b4dffdb6e4f

SHA512
6fd4a25051414b2d70569a82dff5522606bfc34d3eaeea54d2d924bc9c92e479c7fda178208026308a1bf9c90bee9dbcaf8716d85c2ab7f383b43b0734329bc8

Download Submit
C:\Users\Admin\AppData\Roaming\Security\Windows.exe

Filesize
28KB

MD5
15e27b66a793a187332608a4308395db

SHA1
3d35e1afd2ec15bfe99421b16a564b85f80a1a21

SHA256
c21710c62b0a9cf87454c0a7465379a9fc792800be77ba95cb6fd0f2d611213f

SHA512
2afae47d044a03f04c87c7c790c0e13628189a249de12b73f815faf7e04b49a6837e25682f83efeb2cf06dd7621a9d2ef17dd34e7ae13e57ec2843b04bb73ae4

Download Submit
memory/2820-16-0x0000000075160000-0x0000000075911000-memory.dmp

Filesize
7.7MB

Download
memory/2820-1-0x0000000000230000-0x000000000023C000-memory.dmp

Filesize
48KB

Download
memory/2820-2-0x0000000004CF0000-0x0000000004D8C000-memory.dmp

Filesize
624KB

Download
memory/2820-3-0x0000000004D90000-0x0000000004DF6000-memory.dmp

Filesize
408KB

Download
memory/2820-4-0x0000000075160000-0x0000000075911000-memory.dmp

Filesize
7.7MB

Download
memory/2820-5-0x0000000005A80000-0x0000000006026000-memory.dmp

Filesize
5.6MB

Download
memory/2820-0-0x000000007516E000-0x000000007516F000-memory.dmp

Filesize
4KB

Download
memory/6092-21-0x0000000007C40000-0x0000000007C5E000-memory.dmp

Filesize
120KB

Download
memory/6092-15-0x0000000075160000-0x0000000075911000-memory.dmp

Filesize
7.7MB

Download
memory/6092-28-0x00000000015B0000-0x00000000015C6000-memory.dmp

Filesize
88KB

Download
memory/6092-17-0x0000000075160000-0x0000000075911000-memory.dmp

Filesize
7.7MB

Download
memory/6092-22-0x0000000007C60000-0x0000000007C84000-memory.dmp

Filesize
144KB

Download
memory/6092-18-0x0000000006EF0000-0x0000000006F82000-memory.dmp

Filesize
584KB

Download
memory/6092-20-0x0000000075160000-0x0000000075911000-memory.dmp

Filesize
7.7MB

Download
memory/6092-19-0x0000000075160000-0x0000000075911000-memory.dmp

Filesize
7.7MB

Download