limerat | b7a2def2630cbbca20d06f0d40ceaf00f8df471adb12f62efbeb513681cf4878

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2025, 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

quarantine/eLa1r6q.exe
Size

28KB
MD5

15e27b66a793a187332608a4308395db
SHA1

3d35e1afd2ec15bfe99421b16a564b85f80a1a21
SHA256

c21710c62b0a9cf87454c0a7465379a9fc792800be77ba95cb6fd0f2d611213f
SHA512

2afae47d044a03f04c87c7c790c0e13628189a249de12b73f815faf7e04b49a6837e25682f83efeb2cf06dd7621a9d2ef17dd34e7ae13e57ec2843b04bb73ae4
SSDEEP

768:JpW26eWrwugABZ445NwzQbF45rXupSUj:Jp/WrwuVrFkzAFkXCSU

Score

10^/10

limerat parallax discovery rat

Malware Config

Extracted

Family

limerat

Wallets

34oTgBswSRbYC4CZFC9TdmhEtC4CU2TDY7

Attributes

aes_key
1212
antivm
false
c2_url
https://pastebin.com/raw/qEZEFuXv
delay
3
download_payload
false
install
true
install_name
Windows.exe
main_folder
AppData
pin_spread
true
sub_folder
\Security\
usb_spread
true

Extracted

Family

limerat

Attributes

antivm
false
c2_url
https://pastebin.com/raw/qEZEFuXv
download_payload
false
install
false
pin_spread
false
usb_spread
false

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Limerat family
limerat
Parallax family
parallax
ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3630502724-2561614198-3854231964-1000\Control Panel\International\Geo\Nation	eLa1r6q.exe

Executes dropped EXE 1 IoCs

pid	Process
4448	Windows.exe

Loads dropped DLL 2 IoCs

pid	Process
4448	Windows.exe
4448	Windows.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
19	pastebin.com
20	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eLa1r6q.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1648	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
4448	Windows.exe
4448	Windows.exe
4448	Windows.exe
4448	Windows.exe
4448	Windows.exe
4448	Windows.exe
4448	Windows.exe
4448	Windows.exe
4448	Windows.exe
4448	Windows.exe
4448	Windows.exe
4448	Windows.exe
4448	Windows.exe
4448	Windows.exe
4448	Windows.exe
4448	Windows.exe
4448	Windows.exe
4448	Windows.exe
4448	Windows.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4448	Windows.exe
Token: SeDebugPrivilege	4448	Windows.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 1648	1880	eLa1r6q.exe	88
PID 1880 wrote to memory of 1648	1880	eLa1r6q.exe	88
PID 1880 wrote to memory of 1648	1880	eLa1r6q.exe	88
PID 1880 wrote to memory of 4448	1880	eLa1r6q.exe	90
PID 1880 wrote to memory of 4448	1880	eLa1r6q.exe	90
PID 1880 wrote to memory of 4448	1880	eLa1r6q.exe	90
PID 4448 wrote to memory of 3328	4448	Windows.exe	93
PID 4448 wrote to memory of 3328	4448	Windows.exe	93
PID 4448 wrote to memory of 3328	4448	Windows.exe	93
PID 3328 wrote to memory of 3924	3328	vbc.exe	95
PID 3328 wrote to memory of 3924	3328	vbc.exe	95
PID 3328 wrote to memory of 3924	3328	vbc.exe	95
PID 4448 wrote to memory of 3812	4448	Windows.exe	96
PID 4448 wrote to memory of 3812	4448	Windows.exe	96
PID 4448 wrote to memory of 3812	4448	Windows.exe	96

C:\Users\Admin\AppData\Local\Temp\quarantine\eLa1r6q.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\eLa1r6q.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\Security\Windows.exe'"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1648
- C:\Users\Admin\AppData\Roaming\Security\Windows.exe
  "C:\Users\Admin\AppData\Roaming\Security\Windows.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hvfe5mmy\hvfe5mmy.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3328
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A0D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE705C04FF29484F8411D17CE1194666.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3924
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dwyolxx0\dwyolxx0.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3812

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5A0D.tmp

Filesize
5KB

MD5
5cfca34a4d17dc851c1a8adfa6028a3b

SHA1
bf0c1492d5940882729a80af252f799b17e92bfb

SHA256
9d7b5457acb018893b4a556b8a7c727693c0cd11bff0af447c0f14c6481e1fbd

SHA512
cab90245256e054932a6ba1684f1503a6c8ce1d1a5a7cca0aa18e5b3eb1c0928c2e4364e22c10217e8ed25f5e11b0c31a6506df29fa034557d26f79dde1761e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwyolxx0\dwyolxx0.0.vb

Filesize
237B

MD5
e33e6f613760dd7fb6cce4df88f56613

SHA1
6c90269821efec9be160f24ede1e8a4a1f7b9239

SHA256
caf66c8d8a5605bab56494c6e9dfb71c70be2054b6e95a918efbf73f25299cf4

SHA512
37d8fbb139a3b4d836afa9a32ef7df96b36f584e2dc341d2e1578f6d33d5577728c2869e0831d263d347d4b98c879d1512fe246c022450a86ccdeba741f3a31b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwyolxx0\dwyolxx0.cmdline

Filesize
293B

MD5
873f0d41a507e9c8ad030e1e5cba3ea7

SHA1
a5984c5ccc0acb09a98f8a09beaceaea09c1db01

SHA256
9f41e3df4470aa44bdcead77f40e2ba7abb84f0c0a0c1a3c91b713890a4d82da

SHA512
7590f5d6dcd8827f97d02a0fc074a9fd6337a0dee0ae8f073728338130640ba58a409a3dc1a467a23c4af344c2ec22a98fe3b6ae8763afdf326559019bc23309

Download Submit
C:\Users\Admin\AppData\Local\Temp\hvfe5mmy\hvfe5mmy.0.vb

Filesize
231B

MD5
6fb856e990ad6eb648313818605c791a

SHA1
fde8e68812fa8ea48107cfdc78bbc1b6d92f0610

SHA256
c07e62d947d0f35d5b365b26e126b95b738fc983f4439a3bd30b7c48bb026b15

SHA512
9f04f638c63c479280571549a2492bc0b7f7ccdd134a216c98bf20118d468695bf0f5f982a4941cd48d5b156820ea449eaca42092b0125d336e90619c16d2cae

Download Submit
C:\Users\Admin\AppData\Local\Temp\hvfe5mmy\hvfe5mmy.cmdline

Filesize
282B

MD5
f1ad47841c23180be7374808ce23e839

SHA1
c25a32db033a3fa408a388d289c18e4c02949eeb

SHA256
0d014a194057a8d7d26e54fee49c008c4b3e790664dd9837dff2a878ee68e48a

SHA512
3190ee726bf35e4e68fc64e6c555bec760c4199104e260222d164342f4f4b877224a03b77cfebcab6cf3d8e9d09fe009b2e465242bd2034ab4a290ef04fde4fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE705C04FF29484F8411D17CE1194666.TMP

Filesize
4KB

MD5
3bc8adeb12a0fcc53a2368d6b2ac06f1

SHA1
1fbf854011bdb8a6d8b876dd03eb58f70422b5c9

SHA256
05d3206e82e3219eaa0ea9825b64eb5d32f542f257a5ff4c72149ebe0a7be12b

SHA512
8885b4fc552332b8e667e425afbc9c18ec54fb561a49b085aef5fdc51142efc61bf7d2b868632d1f1a6e03b256b9422be706aa3cfa58a8de6ef15b94abb163cd

Download Submit
C:\Users\Admin\AppData\Roaming\Lime\ICO\Firefox.ico

Filesize
4KB

MD5
a561ca41d3b29c57ab61672df8d88ec9

SHA1
24567a929b98c2536cd2458fdce00ce7e29710f0

SHA256
f8c5b0b66dbab94ebed08de93cf2300c9933db9ba43b468a0cda09602a2520ce

SHA512
eede6794c1a7318fa6107069719fb6ea885b2aa0410e70b300fa65e349a7c6798eb232fb8b6ac254821145cf9de5b91846b1e80514a402a3234c1b336223b027

Download Submit
C:\Users\Admin\AppData\Roaming\Lime\ICO\GoogleChrome.ico

Filesize
6B

MD5
ed5a964e00f4a03ab201efe358667914

SHA1
d5d5370bbe3e3ce247c6f0825a9e16db2b8cd5c5

SHA256
025fc246f13759c192cbbae2a68f2b59b6478f21b31a05d77483a87e417906dd

SHA512
7f3b68419e0914cec2d853dcd8bbb45bf9ed77bdde4c9d6f2ea786b2ba99f3e49560512fbb26dd3f0189b595c0c108d32eb43f9a6f13bbc35b8c16b1561bd070

Download Submit
C:\Users\Admin\AppData\Roaming\Security\IconLib.dll

Filesize
59KB

MD5
45ecaf5e82da876240f9be946923406c

SHA1
0e79bfe8ecc9b0a22430d1c13c423fbf0ac2a61d

SHA256
087a0c5f789e964a2fbcb781015d3fc9d1757358bc63bb4e0b863b4dffdb6e4f

SHA512
6fd4a25051414b2d70569a82dff5522606bfc34d3eaeea54d2d924bc9c92e479c7fda178208026308a1bf9c90bee9dbcaf8716d85c2ab7f383b43b0734329bc8

Download Submit
C:\Users\Admin\AppData\Roaming\Security\Windows.exe

Filesize
28KB

MD5
15e27b66a793a187332608a4308395db

SHA1
3d35e1afd2ec15bfe99421b16a564b85f80a1a21

SHA256
c21710c62b0a9cf87454c0a7465379a9fc792800be77ba95cb6fd0f2d611213f

SHA512
2afae47d044a03f04c87c7c790c0e13628189a249de12b73f815faf7e04b49a6837e25682f83efeb2cf06dd7621a9d2ef17dd34e7ae13e57ec2843b04bb73ae4

Download Submit
memory/1880-0-0x0000000074E2E000-0x0000000074E2F000-memory.dmp

Filesize
4KB

Download
memory/1880-1-0x0000000000FB0000-0x0000000000FBC000-memory.dmp

Filesize
48KB

Download
memory/1880-2-0x0000000005930000-0x00000000059CC000-memory.dmp

Filesize
624KB

Download
memory/1880-18-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/1880-3-0x00000000059D0000-0x0000000005A36000-memory.dmp

Filesize
408KB

Download
memory/1880-4-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/1880-5-0x0000000006740000-0x0000000006CE4000-memory.dmp

Filesize
5.6MB

Download
memory/4448-21-0x0000000007800000-0x000000000781E000-memory.dmp

Filesize
120KB

Download
memory/4448-15-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/4448-16-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/4448-28-0x0000000000DA0000-0x0000000000DB6000-memory.dmp

Filesize
88KB

Download
memory/4448-17-0x0000000006980000-0x0000000006A12000-memory.dmp

Filesize
584KB

Download
memory/4448-22-0x0000000007820000-0x0000000007844000-memory.dmp

Filesize
144KB

Download
memory/4448-20-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download
memory/4448-19-0x0000000074E20000-0x00000000755D0000-memory.dmp

Filesize
7.7MB

Download