# LimeRAT Malware Analysis: Extracting the Config **any.run/cybersecurity-blog/limerat-malware-analysis/** hardee March 28, 2023 [HomeMalware Analysis](https://any.run/cybersecurity-blog/) LimeRAT Malware Analysis: Extracting the Config In today’s article, we’re going to look under the hood of a modular RAT — LimeRAT. Let’s get right into it! ## What is LimeRat LimeRAT is a Remote Access Trojan (RAT) that’s been around for a few years now. It’s a versatile piece of malware designed to give attackers control over an infected system. With its relatively small file size, it tries to fly under the radar of traditional antivirus solutions. LimeRAT malware What makes LimeRAT particularly interesting is its ability to perform a wide range of malicious activities. Some of these include keylogging, stealing passwords, and capturing screenshots. Additionally, LimeRAT can execute arbitrary commands, download and upload files, and even use the infected machine for crypto-mining or DDoS attacks. ## LimeRAT malware analysis To start, let’s open a sample in Detect It Easy: ----- Figure 1: sample overview in DiE Upon inspection, we observe that the code has been obfuscated (MITRE T1027) and unreadable: the names of classes, methods, and variables are made out of random glyphs. Since the sample is written in a .NET language, let’s open it in DnSpy. Figure 2: sample overview in DnSpy; note that use of obfuscation techniques ## Finding the configuration After examining the malware’s classes, we find something resembling a class with its configuration: ----- Figure 3: possibly, malware configuration class We notice that this class contains a field that appears to be a string encoded using the Base64 algorithm (MITRE T1132.001): Figure 4: strange class field that looks like Base64 encoded string We attempted to decode this string using CyberChef, but were unsuccessful. It is likely that the string is not only encoded but also encrypted. ----- Unsuccessful attempt to decode LimeRAT string with CyberChef Figure 5: even though it seems that this string is Base64 encoded, we can’t obtain data by just decoding it Looks like the string is encoded and encrypted. Therefore, we will attempt to analyze this string and identify any functions or instructions that reference it. To do this, we right-click on the field and select “Analyse” from the context menu (alternatively, we can select the field and use the Ctrl + Shift + R shortcut). In the resulting window, we are interested in where the value of this string is being read. We expand the “Read by” section and see that the string is being read in two methods: Figure 5: two x-refs to the string that we discovered ----- We briefly inspect the first method but don t see anything interesting here. It appears that this method is not specifically related to the virus configuration: Figure 6: the first method seems useless Let’s move on to the second method. We immediately notice some interesting code where our string is being used with the method [WebClient.DownloadString, which is used to download a string from a remote resource.](https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring) Figure 7: the second x-ref is more interesting – looks like it uses our string in WebClient.DownloadString method Before our string is passed to WebClient.DownloadString is passed through another method that clearly transforms it into something that DownloadString can consume. Let’s take a closer look at this method and see what it does to our string ----- After a quick evaluation of the method, we see that it uses instances of the RijndaelManaged and MD5CryptoServiceProvider classes. It appears that we have found the function where our string is decrypted: Figure 8: it seems that we found a method responsible for string decryption ## LimeRAT decryption algorithm Let’s break down how the decryption algorithm works in more detail: 1. Instances of the RijndaelManaged and MD5CryptoServiceProvider classes are created. If we search for the RijndaelManaged class on MSDN, we see that it is essentially an obsolete implementation of the AES encryption algorithm (MITRE T1027). The MD5CryptoServiceProvider class, as the name implies, is used to compute an MD5 hash. 1. An array of 32 bytes is created and initialized with zeros. This array will be used to store the AES key. 1. To generate the key, the MD5 hash of another string from the configuration class is first computed (in our case, the string is “20[.]199.13.167”). Figure 9: another string from the configuration class is used to generate the AES key 1. Next, the first 15 bytes and then the first 16 bytes of the computed hash are copied to the previously created array. The last element of the array remains zero. 1. The generated key is set to the key property of the RijndaelManaged instance. The Mode property is set to CipherMode.ECB. 1. Finally, the original string is decoded using the Base64 algorithm and decrypted using the AES256-ECB algorithm. Let’s try to replicate this algorithm in CyberChef to confirm our findings. We will need 2 CyberChef tabs, one where we’ll use MD5 to generate the AES key, and another where we’ll attempt to decrypt the data. Generating the key: ----- Generating the LimeRAT key Decrypting the data: Figures 9, 10: we got the idea of the decryption algorithm right, as we were able to reproduce it in CyberChef After decrypting the string, we see a link to a PasteBin note: https://pastebin[.]com/raw/sxNJt2ek. When we navigate to the link, we see the C2 address of the malware. ----- LimeRATs C2 using data that we decrypted Figure 10: we found LimeRATs C2 using data that we decrypted ## Wrapping Up In this article, we successfully analyzed LimeRAT and uncovered its configuration. We identified the use of the .NET language and examined the malware classes, which revealed that obfuscation had been implemented. By meticulously inspecting these classes, we determined the decryption algorithm employed to decode the string containing the C2 address. ## IOCs ### Analyzed files: SHA1 14836dd608efb4a0c552a4f370e5aafb340e2a5d SHA256 6d08ed6acac230f41d9d6fe2a26245eeaf08c84bc7a66fddc764d82d6786d334 MD5 d36f15bef276fd447e91af6ee9e38b28 SSDEEP 3072:DDiv2GSyn88sH888wQ2wmVgMk/211h36vEcIyNTY4WZd/w1UwIwEoTqPMinXHx+i:XOayy ### IPv4: **IOC** **Description** 20[.]199.13.167:8080 LimeRAT’s C2 server ### Domains: **IOC** **Description** https://pastebin[.]com/raw/sxNJt2ek PasteBin used by LimeRAT to hide its original C2 server ### MITRE (ARMATTACK): **Tactic** **Technique** **Description** TA0005: Defense Evasion TA0005: Defense Evasion TA0005: Defense Evasion T1027: Obfuscated Files or Information T1027: Obfuscated Files or Information T1027: Obfuscated Files or Information Malware is using obfuscator to strip its method names, class names, etc. Malware uses Base64 algorithm to encode and decode data Malware uses AES algorithm to encrypt and decrypt data ----- [Although effective, this manual process can be time consuming. This is where interactive sandboxes, such as ANY.RUN, prove to be](https://any.run/?utm_source=anyrunblog&utm_medium=article&utm_campaign=limerat&utm_content=landing) invaluable. ANY.RUN offers a powerful and user-friendly platform for automating malware sample analysis. By enabling users to safely execute malware within a secure environment, ANY.RUN efficiently extracts configurations for malware like LimeRAT, ultimately saving security researchers precious time and resources. [Let us show you how our interactive sandbox can fit into your workflow — book a demo with our friendly sales team.](https://any.run/demo/?utm_source=anyrunblog&utm_medium=article&utm_campaign=limerat&utm_content=demo) Interested in more content like this? [Read our analysis of Formbook/XLoader](https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/) [Learn how we used a sandbox to analyze CryptBot](https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/) [Or check out our deep dive into Orcus Rat](https://any.run/cybersecurity-blog/orcus-rat-malware-analysis/) Reverse Engineer. Malware Analyst at ANY.RUN hardee I contribute to open source from time to time and I am always up for a challenge. [malware](https://any.run/cybersecurity-blog/tag/malware/) [malware analysis](https://any.run/cybersecurity-blog/tag/malware-analysis/) User avatar hardee Reverse Engineer, Malware Analyst at ANY.RUN I contribute to open source from time to time and I am always up for a challenge. What do you think about this post? 9 answers Awful Average Great No votes so far! Be the first to rate this post. 0 comments -----