
LimeRAT


LimeRAT is a Remote Administration Trojan that boasts an array of harmful capabilities. While masquerading as a legitimate tool, it can perform malicious operations like encryption, keylogging, and cryptomining, which makes it appealing to cybercriminals.

Type: RAT
Origin: Unknown
First seen: 1 March, 2019
Last seen: 1 February, 2025




What is LimeRAT malware and cryptocurrency stealer?

Lime Remote Administration Tool (LimeRAT) is a versatile Remote Access Trojan, which also may function as ransomware, cryptominer, cryptocurrency stealer, worm, keylogger, and bot. This versatility is one of the traits that set it apart from other RATs, such as njRAT.

Similarly to Quasar RAT, LimeRAT’s code is written in C#, but is dependent on .NET 4.0, and is a part of an open-source malware library that includes Lime_Miner, Lime_Crypter, and Lime_USB. While it claims to be an educational tool for .NET malware, its robust and well-documented features make it an attractive choice for malicious activities.

Lime RAT uses multiple ports for communication, allowing for redundancy in communication channels. The initial setup only requires port numbers and an AES 128-bit encryption key for secure communication between the client and server. The payloads can be created with a simple interface of checkboxes and text input fields, allowing even inexperienced operators to produce potent, malicious binaries. Customizations include different features and icons, and settings for Command and Control infrastructure and the location for persistent drop files on targeted machines.

Once a payload has been sent to and executed on a target machine, it connects to the control panel, sending details about the system it's on, including OS, CPU, user, and more.

The panel can also automatically assign tasks, such as downloading and executing specific files. The operator can issue commands to the infected machine, initiating various attacks, including encryption for ransomware, mining Monero, enabling Remote Desktop Protocol, or stealing information.

The malware can spread like a worm through USB or pinned task bar applications. Its ransomware feature encrypts the targeted host, changing file extensions to '.Lime'. It also includes a rudimentary keylogging feature, logging only keyboard inputs, not auto-filled or clipboard data.

The screengrab feature within the control panel captures screenshots of the infected machine, while its logging feature records timestamps and IPs of connections and disconnections. Despite being an open-source, well-documented malware, Lime RAT poses a serious threat, capable of stealing a range of valuable information, encrypting data for ransom, and converting the target host into a bot.


LimeRAT malware technical details

LimeRAT employs advanced obfuscation techniques (MITRE T1027), rendering the classes, methods, and variables in its code into a series of random glyphs. This complex obfuscation aids in evasion of static analysis.

Embedded within LimeRAT's configuration class is a Base64 encoded string. This string isn't just encoded but also encrypted, demonstrating the malware's sophisticated design. Deciphering the string involves a comprehensive understanding of LimeRAT's decryption algorithm.

The decryption mechanism is built on the RijndaelManaged class (an implementation of the AES encryption algorithm) and the MD5CryptoServiceProvider class. To generate the AES key for decryption, LimeRAT takes the MD5 hash of a particular string from the configuration class and puts that hash through a sequence of specific byte manipulations. To recover the original string, the embedded value is decoded using the Base64 algorithm and then decrypted with the AES256-ECB algorithm.

The decrypted string exposes a critical piece of information: a link to a PasteBin note. This link is essentially the C2 address for LimeRAT, serving as a communication channel for the malware to receive commands and exfiltrate data. It's a clear example of the malware's robust concealment tactics, specifically its effective use of encrypted strings to veil C2 communications.
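The decryption routine described above, as an added Go example for analysts (not code from the original page or from LimeRAT's source). The key layout (the MD5 hash copied to offsets 0 and 15 of a zeroed 32-byte array), the PKCS#7 padding (the .NET default) and the function names are assumptions to confirm against the decompiled sample; `MakeSample`, the key string and the URL are constructed test input.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/md5"
	"encoding/base64"
	"fmt"
)

// deriveKey maps the config's key string to the 32-byte AES key. ASSUMPTION (no
// layout on the page): MD5[0:15] || MD5[0:16] || 0x00; verify per sample.
func deriveKey(secret string) []byte {
	h := md5.Sum([]byte(secret))
	return append(append(h[:15:15], h[:]...), 0)
}
// ecb applies a one-block cipher operation to each 16-byte block independently.
func ecb(op func(dst, src []byte), in []byte) []byte {
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		op(out[i:], in[i:])
	}
	return out
}
// DecryptConfig Base64-decodes, AES-256-ECB decrypts and strips PKCS#7 padding.
func DecryptConfig(b64, secret string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(raw) == 0 || len(raw)%aes.BlockSize != 0 {
		return "", fmt.Errorf("not Base64 of whole AES blocks")
	}
	c, _ := aes.NewCipher(deriveKey(secret)) // cannot fail: key is 32 bytes
	pt := ecb(c.Decrypt, raw)
	pad := bytes.Repeat(pt[len(pt)-1:], int(pt[len(pt)-1]))
	if len(pad) == 0 || len(pad) > aes.BlockSize || !bytes.HasSuffix(pt, pad) {
		return "", fmt.Errorf("bad padding: wrong key string or not a config blob")
	}
	return string(pt[:len(pt)-len(pad)]), nil
}
// MakeSample encrypts a constructed string the same way (test input only).
func MakeSample(plain, secret string) string {
	n := aes.BlockSize - len(plain)%aes.BlockSize
	c, _ := aes.NewCipher(deriveKey(secret))
	padded := append([]byte(plain), bytes.Repeat([]byte{byte(n)}, n)...)
	return base64.StdEncoding.EncodeToString(ecb(c.Encrypt, padded))
}

func main() {
	blob := MakeSample("https://paste.example/raw/PLACEHOLDER", "constructed-key")
	fmt.Println(DecryptConfig(blob, "constructed-key"))
}
```

A padding error on a string that is known to be the config blob usually means the wrong field was taken as the key string or the key layout differs in that build.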

Figure: LimeRAT’s malware configurations

LimeRAT malware execution process explained

The typical execution flow of LimeRAT is straightforward. After initial access, the trojan starts executing. First, it copies itself into a user directory such as %appdata% or, in our sample, into a directory inside the admin folder. Then it runs under different filenames and starts its malicious activity. Further execution flow may vary. In our sample, the C2 server is already dead and doesn't send anything back to the malware. When the C2 is alive, LimeRAT may download additional modules based on commands from the C2.

Read a detailed analysis of LimeRAT in our blog.

Figure: LimeRAT’s process graph

LimeRAT malware distribution methods

LimeRAT primarily propagates through phishing campaigns. It leverages malicious email attachments, often employing embedded macros within Office documents. When these macros execute, the LimeRAT payload is released, initiating the infection process. Cracked software, P2P distribution channels and malvertising have also been observed.

Additionally, LimeRAT exploits drive-by downloads. It's designed to take advantage of software vulnerabilities, in both web browsers and installed applications. This can lead to the unintended downloading and installation of LimeRAT merely by visiting a compromised website.

The developers of LimeRAT are persistent in updating its exploits, which maintains its effectiveness against even the latest software patches and updates.

Notably, LimeRAT also employs worm-like behavior for spreading via removable drives. The malware is programmed to replicate itself onto any connected removable drives from an already compromised system. This ability allows LimeRAT to further propagate when these infected drives are connected to other systems.

LimeRAT malware conclusion

LimeRAT's wide range of capabilities, coupled with its lightweight footprint, advanced obfuscation and AES encryption, makes it a powerful adversary. Its ability to hide its C2 communication behind encrypted strings shows off the sophisticated tactics adopted by modern malware.

The most effective way to mitigate malware threats like LimeRAT, which are typically spread through phishing, is by educating your team about the potential dangers of malicious emails. For a detailed understanding of how LimeRAT operates, it's recommended to examine its samples using a robust tool like ANY.RUN.

ANY.RUN doesn't just detect and identify this malware family, but it also simplifies the analysis of its execution process. This is particularly useful given that LimeRAT is known for its heavy use of obfuscation, which can make static analysis difficult. With ANY.RUN, the dynamic analysis of this malware becomes a more approachable task.
