# LimeRAT (Malware Family)

By Fraunhofer FKIE

Archived: 2026-04-06 02:51:56 UTC

LimeRAT

Actor(s): APT-C-36

## Description

Simple yet powerful RAT for Windows machines. This project is simple and easy to understand; it should give you general knowledge about dotNET malware and how it behaves.

---

## Main Features

- **.NET** - Coded in Visual Basic .NET. The client requires .NET Framework 2.0 or 4.0; the server requires 4.0
- **Connection** - Uses pastebin.com to supply the ip:port instead of noip.com DNS, and also uses multiple ports
- **Plugin** - Uses a plugin system to decrease the stub's size and lower AV detection
- **Encryption** - The communication between server and client is encrypted with AES
- **Spreading** - Infects all files and folders on USB drives
- **Bypass** - Low AV detection and undetected startup method
- **Lightweight** - Payload size is about 25 KB
- **Anti Virtual Machines** - Uninstalls itself if the machine is virtual, to avoid scanning or analysis
- **Ransomware** - Encrypts files on all HDDs and USB drives with the .Lime extension
- **XMR Miner** - High performance Monero CPU miner with user idle/active optimizations
- **DDoS** - Creates a powerful DDoS attack to make an online service unavailable
- **Crypto Stealer** - Steals sensitive cryptocurrency data
- **Screen-Locker** - Prevents the user from accessing their Windows GUI
- **And more**
    - On Connect Auto Task
    - Force enable Windows RDP
    - Persistence
    - File manager
    - Passwords stealer
    - Remote desktop
    - Bitcoin grabber
    - Downloader
    - Keylogger

There is no Yara-Signature yet.

Source: https://malpedia.caad.fkie.fraunhofer.de/details/win.limerat