{ "id": "370fed65-e5ca-4d94-b8a1-67247789141c", "created_at": "2026-04-06T00:11:52.743095Z", "updated_at": "2026-04-10T13:12:57.81164Z", "deleted_at": null, "sha1_hash": "b9609cbfb1d82cf7e7275d0a11d56ec66ec9bdd8", "title": "LimeRAT Malware Analysis: Extracting the Config", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1014953, "plain_text": "LimeRAT Malware Analysis: Extracting the Config\r\nBy The Hacker News\r\nPublished: 2023-04-27 · Archived: 2026-04-05 19:59:22 UTC\r\nRemote Access Trojans (RATs) have taken the third leading position in ANY. RUN's Q1 2023 report on the most\r\nprevalent malware types, making it highly probable that your organization may face this threat.\r\nThough LimeRAT might not be the most well-known RAT family, its versatility is what sets it apart. Capable of\r\ncarrying out a broad spectrum of malicious activities, it excels not only in data exfiltration, but also in creating\r\nDDoS botnets and facilitating crypto mining. Its compact footprint allows it to elude endpoint detection systems,\r\nmaking it a stealthy adversary. Interestingly, LimeRAT shares similarities with njRAT, which ANY.RUN ranks as the\r\nthird most popular malware family in terms of uploads during Q1 2023.\r\nANY.RUN researchers have recently conducted an in-depth analysis of a LimeRAT sample and successfully\r\nextracted its configuration. In this article, we'll provide a brief overview of that analysis.\r\nCollected artifacts\r\nSHA1 14836dd608efb4a0c552a4f370e5aafb340e2a5d\r\nSHA256 6d08ed6acac230f41d9d6fe2a26245eeaf08c84bc7a66fddc764d82d6786d334\r\nMD5 d36f15bef276fd447e91af6ee9e38b28\r\nSSDEEP 3072:DDiv2GSyn88sH888wQ2wmVgMk/211h36vEcIyNTY4WZd/w1UwIwEoTqPMinXHx+i:XOayy\r\nhttps://thehackernews.com/2023/04/limerat-malware-analysis-extracting.html\r\nPage 1 of 6\n\nIPv4:\r\nIOC Description\r\n20[.]199.13.167:8080 LimeRAT’s Command and Control server\r\nDomains:\r\nIOC Description\r\nhttps://pastebin[.]com/raw/sxNJt2ek\r\nPasteBin used by LimeRAT to hide its original Command and Control\r\nserver\r\nMITRE ATT\u0026CK®\r\nTactic Technique Description\r\nTA0005: Defense\r\nEvasion\r\nT1027: Obfuscated Files or\r\nInformation\r\nMalware is using obfuscator to strip its method\r\nnames, class names, etc.\r\nTA0005: Defense\r\nEvasion \r\nT1027: Obfuscated Files or\r\nInformation\r\nMalware uses Base64 algorithm to encode and\r\ndecode data\r\nTA0005: Defense\r\nEvasion\r\nT1027: Obfuscated Files or\r\nInformation\r\nMalware uses AES algorithm to encrypt and decrypt\r\ndata\r\nANY.RUN is running a limited-time offer, celebrating the 7th Cyberbirthdsay\r\nANY.RUN is an interactive cloud malware sandbox that can extract malware configs automatically for numerous\r\nfamilies, saving researchers hours of effort. \r\nThe service is celebrating its 7th anniversary and inviting all researchers to try out advanced analysis features\r\ntypically reserved for pro plans, completely free until May 5th. This includes configuring the execution\r\nenvironment with Windows 8, 10, or 11.\r\nIf you discover that ANY.RUN enhances your malware analysis workflow, they are also offering a limited\r\npromotion, available until May 5th: receive 6 or 12 months of free usage when you sign up for a yearly or two-year subscription, respectively. \r\nhttps://thehackernews.com/2023/04/limerat-malware-analysis-extracting.html\r\nPage 2 of 6\n\nBreaking down LimeRAT's decryption algorithm\r\nWe'll share a condensed version of the article here. For a complete walkthrough and the extended analysis, head over\r\nto ANY. RUN's blog if you're interested in learning more about the workflow they employed.\r\nSince the sample under review was written in .NET, researchers utilized DnSpy to examine the code. Immediately, it\r\nwas obvious that obfuscation techniques were being employed:\r\nhttps://thehackernews.com/2023/04/limerat-malware-analysis-extracting.html\r\nPage 3 of 6\n\nSample overview in DnSpy; note that use of obfuscation techniques\r\nCloser examination of the code revealed a class resembling the malware configuration. Within this class, was a field\r\ncontaining a string that was both base64 encoded and encrypted.\r\nPossibly, malware configuration class\r\nhttps://thehackernews.com/2023/04/limerat-malware-analysis-extracting.html\r\nPage 4 of 6\n\nContinuing the code inspection, ANY.RUN researchers pinpointed a function responsible for decrypting the string.\r\nBy employing the \"Read by\" filter in DnSpy, they tracked down methods where the string was being read, which led\r\nto a total of two methods. The first method proved unfruitful, but the second one looked interesting:\r\nThe second x-ref is more interesting. It seems that it uses our string in WebClient.DownloadString method\r\nThis method turned out to be responsible for decryption. By closely examining it, it was possible to reconstruct the\r\nprocess by which LimeRAT decrypts its configuration:\r\n1. Instances of the RijndaelManaged and MD5CryptoServiceProvider classes are instantiated. As per\r\nMSDN, RijndaelManaged is an outdated implementation of the AES encryption algorithm (MITRE\r\nT1027), while MD5CryptoServiceProvider computes MD5 hashes.\r\n2. A 32-byte array, initialized with zeros, is generated to store the AES key.\r\n3. The key is created by first calculating the MD5 hash of a distinct string within the configuration class (in our\r\nanalysis, the string is \"20[.]199.13.167\").\r\n4. The initial 15 bytes, followed by the first 16 bytes of the calculated hash, are copied into the previously\r\nestablished array. The final element of the array remains zero.\r\n5. The derived key is assigned to the key property of the RijndaelManaged instance, while the Mode property\r\nis configured as CipherMode.ECB.\r\n6. Ultimately, the primary string undergoes decoding via the Base64 algorithm and decryption using\r\nthe AES256-ECB algorithm.\r\nDecrypting the string revealed a link to a PasteBin note: https://pastebin[.]com/raw/sxNJt2ek. Within this note,\r\nwas LimeRAT's Command and Control (C2) server:\r\nhttps://thehackernews.com/2023/04/limerat-malware-analysis-extracting.html\r\nPage 5 of 6\n\nLimeRATs C2 discovered with decrypted data\r\nTo wrap up\r\nWe hope you found this brief overview of our LimeRAT configuration decryption process insightful. For a more\r\ncomprehensive examination, head over to the full article on ANY.RUN's blog, to get additional context on the steps\r\nand check the decryption process using CyberChef.\r\nAlso, remember that ANY. RUN's currently offering limited-time deals, featuring discounts on subscriptions and an\r\nexpanded feature set for free plans, including the ability to configure execution environments with Windows 8, 10,\r\nand 11 operating systems. This offer expires on May 5th.\r\nThis is an ideal opportunity to test out ANY.RUN and determine if it streamlines your workflow, or to secure a\r\nsubscription at an unbeatable price and reap the benefits of significant time savings through static and behavioral\r\nanalysis.\r\nTo learn more about this offer, visit ANY.RUN plans.\r\nFound this article interesting? This article is a contributed piece from one of our valued partners. Follow us on\r\nGoogle News, Twitter and LinkedIn to read more exclusive content we post.\r\nSource: https://thehackernews.com/2023/04/limerat-malware-analysis-extracting.html\r\nhttps://thehackernews.com/2023/04/limerat-malware-analysis-extracting.html\r\nPage 6 of 6", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://thehackernews.com/2023/04/limerat-malware-analysis-extracting.html" ], "report_names": [ "limerat-malware-analysis-extracting.html" ], "threat_actors": [], "ts_created_at": 1775434312, "ts_updated_at": 1775826777, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/b9609cbfb1d82cf7e7275d0a11d56ec66ec9bdd8.pdf", "text": "https://archive.orkl.eu/b9609cbfb1d82cf7e7275d0a11d56ec66ec9bdd8.txt", "img": "https://archive.orkl.eu/b9609cbfb1d82cf7e7275d0a11d56ec66ec9bdd8.jpg" } }