limerat | b7a2def2630cbbca20d06f0d40ceaf00f8df471adb12f62efbeb513681cf4878

Analysis

max time kernel
149s
max time network
129s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
15/04/2025, 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

quarantine/eLa1r6q.exe
Size

28KB
MD5

15e27b66a793a187332608a4308395db
SHA1

3d35e1afd2ec15bfe99421b16a564b85f80a1a21
SHA256

c21710c62b0a9cf87454c0a7465379a9fc792800be77ba95cb6fd0f2d611213f
SHA512

2afae47d044a03f04c87c7c790c0e13628189a249de12b73f815faf7e04b49a6837e25682f83efeb2cf06dd7621a9d2ef17dd34e7ae13e57ec2843b04bb73ae4
SSDEEP

768:JpW26eWrwugABZ445NwzQbF45rXupSUj:Jp/WrwuVrFkzAFkXCSU

Score

10^/10

limerat parallax discovery rat

Malware Config

Extracted

Family

limerat

Wallets

34oTgBswSRbYC4CZFC9TdmhEtC4CU2TDY7

Attributes

aes_key
1212
antivm
false
c2_url
https://pastebin.com/raw/qEZEFuXv
delay
3
download_payload
false
install
true
install_name
Windows.exe
main_folder
AppData
pin_spread
true
sub_folder
\Security\
usb_spread
true

Signatures

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
Limerat family
limerat
Parallax family
parallax
ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

Executes dropped EXE 1 IoCs

pid	Process
5296	Windows.exe

Loads dropped DLL 2 IoCs

pid	Process
5296	Windows.exe
5296	Windows.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	pastebin.com
2	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eLa1r6q.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4316	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
5296	Windows.exe
5296	Windows.exe
5296	Windows.exe
5296	Windows.exe
5296	Windows.exe
5296	Windows.exe
5296	Windows.exe
5296	Windows.exe
5296	Windows.exe
5296	Windows.exe
5296	Windows.exe
5296	Windows.exe
5296	Windows.exe
5296	Windows.exe
5296	Windows.exe
5296	Windows.exe
5296	Windows.exe
5296	Windows.exe
5296	Windows.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5296	Windows.exe
Token: SeDebugPrivilege	5296	Windows.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 4316	1036	eLa1r6q.exe	79
PID 1036 wrote to memory of 4316	1036	eLa1r6q.exe	79
PID 1036 wrote to memory of 4316	1036	eLa1r6q.exe	79
PID 1036 wrote to memory of 5296	1036	eLa1r6q.exe	81
PID 1036 wrote to memory of 5296	1036	eLa1r6q.exe	81
PID 1036 wrote to memory of 5296	1036	eLa1r6q.exe	81
PID 5296 wrote to memory of 4780	5296	Windows.exe	82
PID 5296 wrote to memory of 4780	5296	Windows.exe	82
PID 5296 wrote to memory of 4780	5296	Windows.exe	82
PID 4780 wrote to memory of 4224	4780	vbc.exe	84
PID 4780 wrote to memory of 4224	4780	vbc.exe	84
PID 4780 wrote to memory of 4224	4780	vbc.exe	84
PID 5296 wrote to memory of 4616	5296	Windows.exe	85
PID 5296 wrote to memory of 4616	5296	Windows.exe	85
PID 5296 wrote to memory of 4616	5296	Windows.exe	85

C:\Users\Admin\AppData\Local\Temp\quarantine\eLa1r6q.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\eLa1r6q.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\Security\Windows.exe'"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4316
- C:\Users\Admin\AppData\Roaming\Security\Windows.exe
  "C:\Users\Admin\AppData\Roaming\Security\Windows.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5296
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iz55mbgt\iz55mbgt.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4780
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF558.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc92FEFC1B94114F949A7CA27A804030EC.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4224
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sjisfvjn\sjisfvjn.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4616

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESF558.tmp

Filesize
5KB

MD5
0e12d86a827a25d078bc10efcef3142b

SHA1
f486bd2b21fb323eb96d884db0ed9acd9855741d

SHA256
ae9509cfa74adae24791acfcbac9056aea466e835f3063bee8de1d5a52316f00

SHA512
47cdea42cd66561079f57162eb8e20313353e4795f30d1bfb640e4b6c91bb85922db9f08fc8ddbbdb20420d594c043d6bd9cd863ffac95fa4abcfe8ccc0e852d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iz55mbgt\iz55mbgt.0.vb

Filesize
231B

MD5
93a099e325e79ced5ac3b3c95a701864

SHA1
946b715ef368107e4847439bc7e8dcf7a7df30fd

SHA256
6db608f22817ab0ce56517453e9764027c04a58c98cb08ccadb107c2c10041a2

SHA512
12a7e53f41e3b282a4565b6080d8ac6090074c1b04800639110e4f0c2fd1e94d91d348192d8d53398ec60a88cf983ed9921b1a2b0fee9aeae16c6c1c645f9a3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iz55mbgt\iz55mbgt.cmdline

Filesize
282B

MD5
04c911d395845b5ac3106b0e1b3bb440

SHA1
c59203aa2d9c4bfc76e69af7026642a23ef9fba2

SHA256
cf7cf308bdcb58bf4f06123c4c753f909df54460a68d5a0dcbb16d44e4da23aa

SHA512
002334ca04a6ebab6a313f2b8e635284281d13a91b11b609e603bee3a4fe826cf69bcccfd67a1822833fa003114ffdd6a182be8966eb10d3d71729619ce3f28c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sjisfvjn\sjisfvjn.0.vb

Filesize
237B

MD5
0ce5321b567615a23911c9fb9f0fbda5

SHA1
0ed5ca07936b94580fe1d48af6030d97e7dc024d

SHA256
516728637b2e96ef3349af6f6d6c3e2fd7bdc6b5be0418fdd9b1001c6942ef86

SHA512
1e64396023c24258b46472fcedfa044aa0de07e3a7b4f7753acb562ac0abf4fdd0b237e8fcd5f5361ae6da6c4258dbc6e00b23d4f5a1c54e3bd32b67195eba4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sjisfvjn\sjisfvjn.cmdline

Filesize
293B

MD5
dae69691cf10fc08f5da2a36710c9366

SHA1
e937d7421f22d07b3e4e35080aed992329c6f746

SHA256
176881897caf6a134a8d1ac292fe837527579d067755ada33a6640e5e529d3e6

SHA512
70e128d733354997371d4144ecb3ce11426b3e0882a7b82746d97d59a31ab0a635db8241a130db5bf8b447b57f4daa79360d1d177fec34b5efa957494ef59841

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc92FEFC1B94114F949A7CA27A804030EC.TMP

Filesize
4KB

MD5
3bc8adeb12a0fcc53a2368d6b2ac06f1

SHA1
1fbf854011bdb8a6d8b876dd03eb58f70422b5c9

SHA256
05d3206e82e3219eaa0ea9825b64eb5d32f542f257a5ff4c72149ebe0a7be12b

SHA512
8885b4fc552332b8e667e425afbc9c18ec54fb561a49b085aef5fdc51142efc61bf7d2b868632d1f1a6e03b256b9422be706aa3cfa58a8de6ef15b94abb163cd

Download Submit
C:\Users\Admin\AppData\Roaming\Lime\ICO\Firefox.ico

Filesize
4KB

MD5
a561ca41d3b29c57ab61672df8d88ec9

SHA1
24567a929b98c2536cd2458fdce00ce7e29710f0

SHA256
f8c5b0b66dbab94ebed08de93cf2300c9933db9ba43b468a0cda09602a2520ce

SHA512
eede6794c1a7318fa6107069719fb6ea885b2aa0410e70b300fa65e349a7c6798eb232fb8b6ac254821145cf9de5b91846b1e80514a402a3234c1b336223b027

Download Submit
C:\Users\Admin\AppData\Roaming\Lime\ICO\GoogleChrome.ico

Filesize
6B

MD5
ed5a964e00f4a03ab201efe358667914

SHA1
d5d5370bbe3e3ce247c6f0825a9e16db2b8cd5c5

SHA256
025fc246f13759c192cbbae2a68f2b59b6478f21b31a05d77483a87e417906dd

SHA512
7f3b68419e0914cec2d853dcd8bbb45bf9ed77bdde4c9d6f2ea786b2ba99f3e49560512fbb26dd3f0189b595c0c108d32eb43f9a6f13bbc35b8c16b1561bd070

Download Submit
C:\Users\Admin\AppData\Roaming\Security\IconLib.dll

Filesize
59KB

MD5
45ecaf5e82da876240f9be946923406c

SHA1
0e79bfe8ecc9b0a22430d1c13c423fbf0ac2a61d

SHA256
087a0c5f789e964a2fbcb781015d3fc9d1757358bc63bb4e0b863b4dffdb6e4f

SHA512
6fd4a25051414b2d70569a82dff5522606bfc34d3eaeea54d2d924bc9c92e479c7fda178208026308a1bf9c90bee9dbcaf8716d85c2ab7f383b43b0734329bc8

Download Submit
C:\Users\Admin\AppData\Roaming\Security\Windows.exe

Filesize
28KB

MD5
15e27b66a793a187332608a4308395db

SHA1
3d35e1afd2ec15bfe99421b16a564b85f80a1a21

SHA256
c21710c62b0a9cf87454c0a7465379a9fc792800be77ba95cb6fd0f2d611213f

SHA512
2afae47d044a03f04c87c7c790c0e13628189a249de12b73f815faf7e04b49a6837e25682f83efeb2cf06dd7621a9d2ef17dd34e7ae13e57ec2843b04bb73ae4

Download Submit
memory/1036-15-0x0000000074980000-0x0000000075131000-memory.dmp

Filesize
7.7MB

Download
memory/1036-1-0x0000000000330000-0x000000000033C000-memory.dmp

Filesize
48KB

Download
memory/1036-2-0x0000000004DD0000-0x0000000004E6C000-memory.dmp

Filesize
624KB

Download
memory/1036-3-0x0000000004E70000-0x0000000004ED6000-memory.dmp

Filesize
408KB

Download
memory/1036-4-0x0000000074980000-0x0000000075131000-memory.dmp

Filesize
7.7MB

Download
memory/1036-5-0x0000000005BA0000-0x0000000006146000-memory.dmp

Filesize
5.6MB

Download
memory/1036-0-0x000000007498E000-0x000000007498F000-memory.dmp

Filesize
4KB

Download
memory/5296-21-0x0000000007860000-0x000000000787E000-memory.dmp

Filesize
120KB

Download
memory/5296-16-0x0000000074980000-0x0000000075131000-memory.dmp

Filesize
7.7MB

Download
memory/5296-28-0x00000000011B0000-0x00000000011C6000-memory.dmp

Filesize
88KB

Download
memory/5296-17-0x0000000074980000-0x0000000075131000-memory.dmp

Filesize
7.7MB

Download
memory/5296-22-0x0000000007880000-0x00000000078A4000-memory.dmp

Filesize
144KB

Download
memory/5296-18-0x0000000006A10000-0x0000000006AA2000-memory.dmp

Filesize
584KB

Download
memory/5296-20-0x0000000074980000-0x0000000075131000-memory.dmp

Filesize
7.7MB

Download
memory/5296-19-0x0000000074980000-0x0000000075131000-memory.dmp

Filesize
7.7MB

Download