win.limerat

LimeRAT

Actor(s): APT-C-36

## Description
Simple yet powerful RAT for Windows machines. This project is simple and easy to understand. It should give you general knowledge about .NET malware and how it behaves.

---

## Main Features

- **.NET**
  - Coded in Visual Basic .NET. The client requires .NET Framework 2.0 or 4.0; the server requires 4.0
- **Connection**
  - Uses pastebin.com to supply the ip:port instead of noip.com DNS; also uses multiple ports
- **Plugin**
  - Uses a plugin system to decrease the stub's size and lower AV detection
- **Encryption**
  - The communication between server and client is encrypted with AES
- **Spreading**
  - Infects all files and folders on USB drives
- **Bypass**
  - Low AV detection and undetected startup method
- **Lightweight**
  - Payload size is about 25 KB
- **Anti Virtual Machines**
  - Uninstalls itself if the machine is virtual, to avoid scanning or analysis
- **Ransomware**
  - Encrypts files on all HDD and USB drives with the .Lime extension
- **XMR Miner**
  - High-performance Monero CPU miner with user idle/active optimizations
- **DDoS**
  - Creates a powerful DDoS attack to make an online service unavailable
- **Crypto Stealer**
  - Steals sensitive cryptocurrency data
- **Screen-Locker**
  - Prevents the user from accessing their Windows GUI
- **And more**
  - On Connect Auto Task
  - Force enable Windows RDP
  - Persistence
  - File manager
  - Password stealer
  - Remote desktop
  - Bitcoin grabber
  - Downloader
  - Keylogger

## References

- 2020-10-05, Juniper, Paul Kimayong: "New pastebin-like service used in multiple malware campaigns". https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns (Families: Agent Tesla, LimeRAT, RedLine Stealer)
- 2020-01-31, ReversingLabs, Robert Simmons: "RATs in the Library: Remote Access Trojans Hide in Plain "Public" Site". https://blog.reversinglabs.com/blog/rats-in-the-library (Families: CyberGate, LimeRAT, NjRAT, Quasar RAT, Revenge RAT)
- 2020-01-15, Lab52, ml10: "APT-C-36 recent activity analysis". https://lab52.io/blog/apt-c-36-recent-activity-analysis/ (Families: LimeRAT)
- 2019-10-16, LimeRat: "LimeRat". https://www.youtube.com/watch?v=x-g-ZLeX8GM (Families: LimeRAT)
- 2019-06-24, Github (NYAN-x-CAT), NYAN-x-CAT: "LimeRAT | Simple, yet powerful remote administration tool for Windows (RAT)". https://github.com/NYAN-x-CAT/Lime-RAT/ (Families: LimeRAT)
- 2019-04-09, Yoroi, ZLAB-Yoroi: "LimeRAT spreads in the wild". https://blog.yoroi.company/research/limerat-spreads-in-the-wild/ (Families: LimeRAT)

There is no Yara-Signature yet.