LimeRAT

Global rank: 52 | Month rank: 36 | Week rank: 47 | IOCs: 486

LimeRAT is a Remote Administration Trojan (RAT) with an array of harmful capabilities. While masquerading as a legitimate tool, it can perform malicious operations such as file encryption, keylogging and cryptomining, which makes it appealing to cybercriminals.

Type: RAT
Origin: Unknown
First seen: 1 March, 2019
Last seen: 24 September, 2023

How to analyze LimeRAT with ANY.RUN


IOCs

Hashes
a60cb7354878040c117a85b5f7ec97cf1539420445b102d1125adfbe1ba31079
52a19a9b1fc41e58aa0ffeda8e9711b1c424c58825b084a4a9a378854318920f
e4ba382cdf0a04a00bb61f3f43762f81868d8b8efed4023f681129d8080bbd85
6626ea4fa05a4b78a2056eeba6ac298d764ad8333116786bad729f4a38386142
3810ba0b88fe44ae6b78eb231d2e3c1d1eeb15dc25df1db93971703cd749c14d
51b81d537820830dc905e3339a08e6f4e52cbc1cc7de6d2b224e9d28c46c1ce1
edf812ccc3b1b40a1368c08a122b3426e4aee438b270f808ffe67249ce8921ed
9ed684c16d180e8fad345ad752c38d982c4bd87852ce36bf22ba881b4d9521f2
10a77868bbc9f6d6a5ffc308aa5606d2da7ac2f674fee70056f1f954597646a0
6617e652becd9bc15d3bff281da84fa1124d775f340e7d8d27c3d2d894c58bc8
cd75cf53cffd6e3b9202403613a5e0a4b7d8d0dc1d46807689447d5e561fc40e
bf9ae25c512484ae6b6f02769e9f7cdcf32755852306f3c1b882940e7503398a
d320a5e9d752a4be647762939f964a10806b240b1a25d65ff1d34298777ac174
6def1265ae505b69c16757b7159c3fa4cc8ac046de491540c79795c2d19f00e8
8fbaf819c09d7836f7b702d04f3e5af6450b0e08453aa94730532419238ea04b
8bfcccfad41a89d3e6b1b93b64f99d9a7fe13e2804a4e89d3dc38297b92a474b
ce24fd50b23fc521d9858b57b367d893292feadba2198a906659235b64de9f21
1b3d95cb4df4c4e7bd696b438723b2df003bd87093c5a2ac6938709551afe250
31c5f53c70670df3df8a33707ad8598290cdf8329ff972ee5a723e281f9a1b28
6cb7b0d461411b2dc52a9d1fbccbc01ddaab5fe8f1fdc83950bd66934a3fb604
URLs
https://pastebin.com/raw/EEynmyrJ
https://pastebin.com/raw/0hCeb1Ba
https://charactishpaster.1338bang.repl.co/raw/content
https://pastebin.com/raw/5pYdnMzj
https://charactishpaster.1338bang.repl.co/
https://pastebin.com/raw/dPPhutFU
https://pastebin.com/raw/cmpGkbQw
https://pastebin.com/raw/LJe9sUk5
https://pastebin.com/raw/cXuQ0V20
https://pastebin.com/raw/cWrgKDJg
https://pastebin.com/raw/sxNJt2ek
https://pastebin.com/raw/RuHAQCmv
https://pastebin.com/raw/PiyL7eVb
https://pastebin.com/raw/vbgQW19P
https://pastebin.com/raw/bCzwnKS8
https://pastebin.com/raw/DDTVwwbu
https://pastebin.com/raw/upsAbbQq
https://pastebin.com/raw/nGWTrxFc
https://rentry.co/im28b/raw
https://pastebin.com/raw/3YAbmSCc


What is LimeRAT malware and cryptocurrency stealer?

Lime Remote Administration Tool (LimeRAT) is a versatile Remote Access Trojan which may also function as ransomware, cryptominer, cryptocurrency stealer, worm, keylogger, and bot. This versatility is one of the traits that set it apart from other RATs, such as njRAT.

Like Quasar RAT, LimeRAT is written in C#; it depends on .NET 4.0 and is part of an open-source malware library that also includes Lime_Miner, Lime_Crypter, and Lime_USB. While it claims to be an educational tool for .NET malware, its robust and well-documented features make it an attractive choice for malicious activities.

Lime RAT uses multiple ports for communication, giving it redundant communication channels. The initial setup only requires port numbers and an AES 128-bit encryption key for secure communication between the client and server. Payloads are built through a simple interface of checkboxes and text fields, so even inexperienced operators can produce potent malicious binaries. Customization covers the feature set and icon, the Command and Control settings, and the location of the persistent dropped files on targeted machines.

Once a payload has been sent to and executed on a target machine, it connects to the control panel, sending details about the system it's on, including OS, CPU, user, and more.

The panel can also automatically assign tasks, such as downloading and executing specific files. The operator can issue commands to the infected machine, initiating various attacks, including encryption for ransomware, mining Monero, enabling Remote Desktop Protocol, or stealing information.

The malware can spread like a worm through USB or pinned task bar applications. Its ransomware feature encrypts the targeted host, changing file extensions to '.Lime'. It also includes a rudimentary keylogging feature, logging only keyboard inputs, not auto-filled or clipboard data.

The screengrab feature within the control panel captures screenshots of the infected machine, while its logging feature records timestamps and IPs of connections and disconnections. Despite being an open-source, well-documented malware, Lime RAT poses a serious threat, capable of stealing a range of valuable information, encrypting data for ransom, and converting the target host into a bot.


LimeRAT malware technical details

LimeRAT employs advanced obfuscation techniques (MITRE T1027), rendering the classes, methods, and variables in its code into a series of random glyphs. This complex obfuscation aids in evasion of static analysis.

Embedded within LimeRAT's configuration class is a Base64 encoded string. This string isn't just encoded but also encrypted, demonstrating the malware's sophisticated design. Deciphering the string involves a comprehensive understanding of LimeRAT's decryption algorithm.

The decryption mechanism is built upon the RijndaelManaged class — an implementation of the AES encryption algorithm — and the MD5CryptoServiceProvider class. To derive the AES key, LimeRAT takes the MD5 hash of a particular string from the configuration class and applies a sequence of specific byte manipulations to it. The embedded string is then decoded with Base64 and decrypted with AES-256 in ECB mode, which reveals the original value.

The decrypted string exposes a critical piece of information: a link to a PasteBin note. This link is essentially the C2 address for LimeRAT, serving as a communication channel for the malware to receive commands and exfiltrate data. It's a clear example of the malware's robust concealment tactics, specifically its effective use of encrypted strings to veil C2 communications.
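The decryption chain described above, written out in Go as an added example; this is the editor's illustration, not code from the page, from ANY.RUN or from the malware's authors. It derives the AES-256 key from the MD5 digest of the configuration key string, Base64-decodes the embedded value, decrypts it with AES in ECB mode, strips the PKCS#7 padding and then checks whether the result has the shape the page describes (a raw paste-site link that resolves to the real C2). The page only says the digest "undergoes a sequence of specific byte manipulations"; the exact 32-byte layout in deriveKey is taken from the publicly available Lime RAT helper and must be treated as an assumption to confirm against your own sample. The key string, the ciphertext and the EncryptConfig helper that produces it are constructed so the example runs offline; the only real value is one of the paste URLs from the IOC list above.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// deriveKey turns the configuration key string into a 32-byte AES-256 key.
// ASSUMPTION: the page only says the MD5 digest "undergoes a sequence of
// specific byte manipulations"; the layout below (digest bytes 0..14, the full
// digest again from offset 15, one trailing zero byte) comes from the public
// Lime RAT helper and should be confirmed against your own sample.
func deriveKey(pass string) []byte {
	sum := md5.Sum([]byte(pass))
	key := make([]byte, 32)
	copy(key[0:], sum[:])  // key[0..15]  = digest
	copy(key[15:], sum[:]) // key[15..30] = digest again (overwrites key[15])
	return key             // key[31] stays 0x00
}

// ecb runs the block cipher over each 16-byte block independently. ECB has no
// IV and no integrity check, so a wrong key yields garbage rather than an error.
func ecb(blk cipher.Block, in []byte, decrypt bool) ([]byte, error) {
	if len(in) == 0 || len(in)%aes.BlockSize != 0 {
		return nil, errors.New("input is not a whole number of AES blocks")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		if decrypt {
			blk.Decrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		} else {
			blk.Encrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		}
	}
	return out, nil
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("invalid PKCS#7 padding (wrong key?)")
	}
	return b[:len(b)-n], nil
}

// DecryptConfig reverses the embedding the page describes:
// Base64 text -> AES-256-ECB ciphertext -> PKCS#7-padded plaintext.
func DecryptConfig(b64, pass string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(strings.TrimSpace(b64))
	if err != nil {
		return "", fmt.Errorf("base64: %w", err)
	}
	blk, err := aes.NewCipher(deriveKey(pass))
	if err != nil {
		return "", err
	}
	pt, err := ecb(blk, ct, true)
	if err != nil {
		return "", err
	}
	pt, err = pkcs7Unpad(pt)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// EncryptConfig is the forward direction; it exists only so the example can
// construct a ciphertext to decrypt offline.
func EncryptConfig(plain, pass string) (string, error) {
	blk, err := aes.NewCipher(deriveKey(pass))
	if err != nil {
		return "", err
	}
	ct, err := ecb(blk, pkcs7Pad([]byte(plain)), false)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// LooksLikePasteURL checks for the shape the page describes: a raw paste link.
func LooksLikePasteURL(s string) bool {
	s = strings.ToLower(strings.TrimSpace(s))
	return strings.HasPrefix(s, "http") &&
		(strings.Contains(s, "pastebin.com/raw/") || strings.Contains(s, "rentry.co/"))
}

func main() {
	// Constructed sample: the key string is invented and the ciphertext is
	// produced here; neither comes from a real LimeRAT binary.
	const samplePass = "EXAMPLE-CONFIG-KEY"
	b64, _ := EncryptConfig("https://pastebin.com/raw/EEynmyrJ", samplePass)
	url, err := DecryptConfig(b64, samplePass)
	fmt.Printf("embedded: %s\ndecrypted: %q (err=%v, paste URL: %v)\n", b64, url, err, LooksLikePasteURL(url))
}
```

Because ECB provides no authentication, a wrong key does not fail loudly: the padding check is the only sanity test, and it passes by chance about once in 256 attempts, so always confirm a recovered value against the expected shape (here, a paste-site URL) before treating it as the C2.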

Figure: LimeRAT’s malware configurations

LimeRAT malware execution process explained

The typical execution flow of LimeRAT is straightforward. After initial access, the trojan starts executing. First, it copies itself into a user directory such as %appdata% or, in our sample, into a directory inside the admin folder. It then runs under different filenames and begins its malicious activity. Further execution may vary. In our sample the C2 server is already dead and sends nothing back to the malware; when the C2 is alive, LimeRAT may download additional modules based on the commands it receives:

Figure: LimeRAT’s process graph

LimeRAT malware distribution methods

LimeRAT primarily propagates through phishing campaigns. It leverages malicious email attachments, often employing embedded macros within Office documents. Once these macros execute, the LimeRAT payload is dropped and the infection begins. Distribution through cracked software, P2P channels and malvertising has also been observed.

Additionally, LimeRAT exploits drive-by downloads. It's designed to take advantage of software vulnerabilities, in both web browsers and installed applications. This can lead to the unintended downloading and installation of LimeRAT merely by visiting a compromised website.

The developers of LimeRAT are persistent in updating its exploits, which maintains its effectiveness against even the latest software patches and updates.

Notably, LimeRAT also employs worm-like behavior for spreading via removable drives. The malware is programmed to replicate itself onto any connected removable drives from an already compromised system. This ability allows LimeRAT to further propagate when these infected drives are connected to other systems.
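Several of the behaviours described on this page (the self-copy into %appdata% followed by execution under a new name, the fetch of a raw paste-site URL to resolve the C2, the burst of renames to '.Lime' and the copy onto removable media) can be turned into simple endpoint detection rules. The following Go program is an added example; it is not part of the page and not ANY.RUN's detection logic. It runs four such rules over a constructed, pipe-separated telemetry log whose process names and paths are invented (the paste URL is one of the IOCs listed above). The rename threshold, the 60-second window and the browser allow-list are assumptions to tune for your environment, and the "drive root" rule is a stand-in for telemetry that carries a drive-type field.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one endpoint telemetry record. The pipe-separated format is a
// constructed stand-in for EDR or Sysmon output, not ANY.RUN's report format.
type Event struct {
	At         time.Time
	Kind       string // create | rename | start | net
	Proc, Path string // acting process image; file path or URL
}

// SampleLog is constructed to exercise every rule below. Process names and
// paths are invented; the paste URL is one of the IOCs listed on the page.
var SampleLog = []string{
	`2023-09-24T10:00:00Z|create|loader.exe|C:\Users\victim\AppData\Roaming\svchost32.exe`,
	`2023-09-24T10:00:01Z|start|svchost32.exe|C:\Users\victim\AppData\Roaming\svchost32.exe`,
	`2023-09-24T10:00:05Z|net|svchost32.exe|https://pastebin.com/raw/EEynmyrJ`,
	`2023-09-24T10:00:30Z|create|svchost32.exe|E:\svchost32.exe`,
	`2023-09-24T10:01:00Z|rename|svchost32.exe|C:\Users\victim\Documents\q1.xlsx.Lime`,
	`2023-09-24T10:01:02Z|rename|svchost32.exe|C:\Users\victim\Documents\notes.docx.Lime`,
	`2023-09-24T10:01:03Z|rename|svchost32.exe|C:\Users\victim\Pictures\img1.jpg.Lime`,
}

const limeBurst = 3 // ASSUMPTION: threshold and browser list are tuning choices
var browsers = map[string]bool{"chrome.exe": true, "msedge.exe": true, "firefox.exe": true}

// ParseEvents reads the constructed format and returns events sorted by time.
func ParseEvents(lines []string) ([]Event, error) {
	var out []Event
	for _, ln := range lines {
		f := strings.Split(strings.TrimSpace(ln), "|")
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed record: %q", ln)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		out = append(out, Event{at, f[1], f[2], f[3]})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].At.Before(out[j].At) })
	return out, nil
}

// norm lower-cases a Windows path and uses forward slashes so the rules run on any host.
func norm(p string) string { return strings.ToLower(strings.ReplaceAll(p, `\`, "/")) }

// isDriveRootExe: an .exe placed directly in the root of a non-C: drive, the trace a USB-spreading payload leaves.
func isDriveRootExe(p string) bool {
	n := norm(p)
	return len(n) > 3 && n[1] == ':' && n[2] == '/' && n[0] != 'c' &&
		strings.HasSuffix(n, ".exe") && !strings.Contains(n[3:], "/")
}

// Detect applies four rules derived from the behaviours described on the page.
func Detect(evs []Event) []string {
	var alerts []string
	var first time.Time // start of the current .Lime rename window
	renames := 0
	dropped := map[string]bool{} // .exe files created under AppData
	for _, e := range evs {
		p := norm(e.Path)
		switch {
		// Rule 1 (ransomware): limeBurst renames to .Lime inside one 60-second window.
		case e.Kind == "rename" && strings.HasSuffix(p, ".lime"):
			if renames == 0 || e.At.Sub(first) > time.Minute {
				first, renames = e.At, 0
			}
			renames++
			if renames == limeBurst {
				alerts = append(alerts, fmt.Sprintf("ransomware: %d files renamed to .Lime within 60s", renames))
			}
		// Rule 2 (self-copy persistence): .exe dropped under AppData, later started from there.
		case e.Kind == "create" && strings.Contains(p, "/appdata/") && strings.HasSuffix(p, ".exe"):
			dropped[p] = true
		case e.Kind == "start" && dropped[p]:
			alerts = append(alerts, "persistence: process launched from dropped AppData copy "+e.Path)
		// Rule 3 (dead-drop resolver): a non-browser process fetching a raw paste URL.
		case e.Kind == "net" && !browsers[strings.ToLower(e.Proc)] &&
			(strings.Contains(p, "pastebin.com/raw/") || strings.Contains(p, "rentry.co/")):
			alerts = append(alerts, "c2: "+e.Proc+" fetched paste-site URL "+e.Path)
		// Rule 4 (USB worm): executable written to the root of a non-system drive.
		case e.Kind == "create" && isDriveRootExe(e.Path):
			alerts = append(alerts, "worm: executable written to drive root "+e.Path)
		}
	}
	return alerts
}

func main() {
	evs, _ := ParseEvents(SampleLog)
	fmt.Println(strings.Join(Detect(evs), "\n"))
}
```

Rule 3 is the most portable of the four: a paste-site fetch from a non-browser process is suspicious for many families, not only LimeRAT, whereas the '.Lime' extension and the AppData drop path are specific to the behaviour this page documents and are easy for an operator to change.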

LimeRAT malware conclusion

LimeRAT's wide range of capabilities, coupled with its lightweight footprint, advanced obfuscation and AES encryption, make it a powerful adversary, while its ability to hide its C2 communication behind encrypted strings shows the sophisticated tactics adopted by modern malware.

The most effective way to mitigate malware threats like LimeRAT, which are typically spread through phishing, is by educating your team about the potential dangers of malicious emails. For a detailed understanding of how LimeRAT operates, it's recommended to examine its samples using a robust tool like ANY.RUN.

ANY.RUN doesn't just detect and identify this malware family, but it also simplifies the analysis of its execution process. This is particularly useful given that LimeRAT is known for its heavy use of obfuscation, which can make static analysis difficult. With ANY.RUN, the dynamic analysis of this malware becomes a more approachable task.
