{
	"id": "5554715b-da17-4c26-b0b4-589173c45736",
	"created_at": "2026-04-06T01:30:46.331631Z",
	"updated_at": "2026-04-10T03:21:38.544652Z",
	"deleted_at": null,
	"sha1_hash": "994eb3ba7123e757a12ef19cd953409e74b15f8a",
	"title": "LimeRAT Malware Analysis: Extracting the Config",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 404359,
	"plain_text": "LimeRAT Malware Analysis: Extracting the Config\r\nBy hardee\r\nPublished: 2023-04-07 · Archived: 2026-04-06 00:34:56 UTC\r\nIn today’s article, we’re going to look under the hood of a modular RAT — LimeRAT. Let’s get right into it!\r\nWhat is LimeRAT\r\nLimeRAT is a Remote Access Trojan (RAT) that’s been around for a few years now. It’s a versatile piece of malware designed to give attackers control over an infected system. With its relatively small file size, it tries to fly under the radar of traditional antivirus solutions.\r\nWhat makes LimeRAT particularly interesting is its ability to perform a wide range of malicious activities. Some of these include keylogging, stealing passwords, and capturing screenshots. Additionally, LimeRAT can execute arbitrary commands, download and upload files, and even use the infected machine for crypto-mining or DDoS attacks.\r\nTo start, let’s open a sample in Detect It Easy:\r\nFigure 1: sample overview in DiE\r\nUpon inspection, we observe that the code has been obfuscated (MITRE T1027) and is unreadable: the names of classes, methods, and variables are made out of random glyphs.\r\nSince the sample is written in a .NET language, let’s open it in DnSpy.\r\nhttps://any.run/cybersecurity-blog/limerat-malware-analysis/\r\nPage 1 of 7\r\nFigure 2: sample overview in DnSpy; note the use of obfuscation techniques\r\nFinding the configuration\r\nAfter examining the malware’s classes, we find something resembling a class with its configuration:\r\nFigure 3: possibly the malware configuration class\r\nWe notice that this class contains a field that appears to be a string encoded using the Base64 algorithm (MITRE T1132.001):\r\nFigure 4: strange class field that looks like a Base64-encoded string\r\nWe attempted to decode this string using CyberChef, but were unsuccessful. 
It is likely that the string is not only encoded but also encrypted.\r\nFigure 5: even though it seems that this string is Base64 encoded, we can’t obtain data by just decoding it\r\nIt looks like the string is both encoded and encrypted. Therefore, we will attempt to analyze this string and identify any functions or instructions that reference it. To do this, we right-click on the field and select “Analyse” from the context menu (alternatively, we can select the field and use the Ctrl + Shift + R shortcut).\r\nIn the resulting window, we are interested in where the value of this string is being read. We expand the “Read by” section and see that the string is being read in two methods:\r\nFigure 6: two x-refs to the string that we discovered\r\nWe briefly inspect the first method but don’t see anything interesting there. It appears that this method is not specifically related to the malware configuration:\r\nFigure 7: the first method seems useless\r\nLet’s move on to the second method. We immediately notice some interesting code where our string is used with the method WebClient.DownloadString, which downloads a string from a remote resource.\r\nFigure 8: the second x-ref is more interesting – it looks like it uses our string in the WebClient.DownloadString method\r\nBefore our string is passed to WebClient.DownloadString, it goes through another method that clearly transforms it into something that DownloadString can consume.\r\nLet’s take a closer look at this method and see what it does to our string.\r\nAfter a quick evaluation of the method, we see that it uses instances of the RijndaelManaged and MD5CryptoServiceProvider classes. 
\r\nIt appears that we have found the function where our string is decrypted:\r\nFigure 9: it seems that we found a method responsible for string decryption\r\nLimeRAT decryption algorithm\r\nLet’s break down how the decryption algorithm works in more detail:\r\n1. Instances of the RijndaelManaged and MD5CryptoServiceProvider classes are created. If we search for the RijndaelManaged class on MSDN, we see that it is essentially an obsolete implementation of the AES encryption algorithm (MITRE T1027). The MD5CryptoServiceProvider class, as the name implies, is used to compute an MD5 hash.\r\n2. An array of 32 bytes is created and initialized with zeros. This array will be used to store the AES key.\r\n3. To generate the key, the MD5 hash of another string from the configuration class is first computed (in our case, the string is “20[.]199.13.167”).\r\nFigure 10: another string from the configuration class is used to generate the AES key\r\n4. Next, the first 15 bytes and then the first 16 bytes of the computed hash are copied to the previously created array. The last element of the array remains zero.\r\n5. The generated key is set as the Key property of the RijndaelManaged instance. The Mode property is set to CipherMode.ECB.\r\n6. Finally, the original string is decoded using the Base64 algorithm and decrypted using the AES256-ECB algorithm.\r\nLet’s try to replicate this algorithm in CyberChef to confirm our findings. We will need two CyberChef tabs: one where we’ll use MD5 to generate the AES key, and another where we’ll attempt to decrypt the data.\r\nFirst, we calculate the MD5 hash and take 15 bytes from it. 
Then we copy them to the ‘Key’ field in the AES Decrypt section in the other tab:\r\nFigure 11: taking the first 15 bytes of the MD5 hash\r\nFigure 12: copying the 15 bytes to ‘Key’ in the AES Decrypt section in the first tab\r\nThen, we take the first 16 bytes of the MD5 hash:\r\nFigure 13: taking the first 16 bytes of the MD5 hash\r\nOur next step is to append them to the previous 15 bytes and add a zero byte at the end as a padding byte (to reach 32 bytes):\r\nFigure 14: copying the 16 bytes and appending a zero to ‘Key’ in the AES Decrypt section in the first tab\r\nAnd now we can see the decrypted string in the output section.\r\nAfter decrypting the string, we get a link to a PasteBin note: https://pastebin[.]com/raw/sxNJt2ek. When we navigate to the link, we see the C2 address of the malware.\r\nFigure 15: we found LimeRAT’s C2 using the data that we decrypted\r\nWrapping Up\r\nIn this article, we successfully analyzed LimeRAT and uncovered its configuration. We identified the use of the .NET language and examined the malware classes, which revealed that obfuscation had been implemented. By meticulously inspecting these classes, we determined the decryption algorithm employed to decode the string containing the C2 address. 
\r\nIOCs\r\nAnalyzed files:\r\nSHA1: 14836dd608efb4a0c552a4f370e5aafb340e2a5d\r\nSHA256: 6d08ed6acac230f41d9d6fe2a26245eeaf08c84bc7a66fddc764d82d6786d334\r\nMD5: d36f15bef276fd447e91af6ee9e38b28\r\nSSDEEP: 3072:DDiv2GSyn88sH888wQ2wmVgMk/211h36vEcIyNTY4WZd/w1UwIwEoTqPMinXHx+i:XOayy\r\nIPv4:\r\nIOC | Description\r\n20[.]199.13.167:8080 | LimeRAT’s C2 server\r\nDomains:\r\nIOC | Description\r\nhttps://pastebin[.]com/raw/sxNJt2ek | PasteBin used by LimeRAT to hide its original C2 server\r\nMITRE ATT&CK:\r\nTactic | Technique | Description\r\nTA0005: Defense Evasion | T1027: Obfuscated Files or Information | Malware uses an obfuscator to strip its method names, class names, etc.\r\nTA0005: Defense Evasion | T1027: Obfuscated Files or Information | Malware uses the Base64 algorithm to encode and decode data\r\nTA0005: Defense Evasion | T1027: Obfuscated Files or Information | Malware uses the AES algorithm to encrypt and decrypt data\r\nAlthough effective, this manual process can be time-consuming. This is where interactive sandboxes, such as ANY.RUN, prove to be invaluable.\r\nANY.RUN offers a powerful and user-friendly platform for automating malware sample analysis. By enabling users to safely execute malware within a secure environment, ANY.RUN efficiently extracts configurations for malware like LimeRAT, ultimately saving security researchers precious time and resources.\r\nLet us show you how our interactive sandbox can fit into your workflow — get a 14-day free trial with our friendly sales team.\r\nhardee\r\nReverse Engineer, Malware Analyst at ANY.RUN\r\nI contribute to open source from time to time and I am always up for a challenge.\r\nSource: https://any.run/cybersecurity-blog/limerat-malware-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://any.run/cybersecurity-blog/limerat-malware-analysis/"
	],
	"report_names": [
		"limerat-malware-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775439046,
	"ts_updated_at": 1775791298,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/994eb3ba7123e757a12ef19cd953409e74b15f8a.pdf",
		"text": "https://archive.orkl.eu/994eb3ba7123e757a12ef19cd953409e74b15f8a.txt",
		"img": "https://archive.orkl.eu/994eb3ba7123e757a12ef19cd953409e74b15f8a.jpg"
	}
}