SYMBOLCOMMON_NAMEaka. SYNONYMS
win.limerat (Back to overview)

LimeRAT

Actor(s): APT-C-36

URLhaus    

## Description
Simple yet powerful RAT for Windows machines. This project is simple and easy to understand, It should give you a general knowledge about dotNET malwares and how it behaves.

---

## Main Features

- **.NET**
- Coded in Visual Basic .NET, Client required framework 2.0 or 4.0 dependency, And server is 4.0
- **Connection**
- Using pastebin.com as ip:port , Instead of noip.com DNS. And Also using multi-ports
- **Plugin**
- Using plugin system to decrease stub's size and lower the AV detection
- **Encryption**
- The communication between server & client is encrypted with AES
- **Spreading**
- Infecting all files and folders on USB drivers
- **Bypass**
- Low AV detection and undetected startup method
- **Lightweight**
- Payload size is about 25 KB
- **Anti Virtual Machines**
- Uninstall itself if the machine is virtual to avoid scanning or analyzing
- **Ransomware**
- Encrypting files on all HHD and USB with .Lime extension
- **XMR Miner**
- High performance Monero CPU miner with user idle\active optimizations
- **DDoS**
- Creating a powerful DDOS attack to make an online service unavailable
- **Crypto Stealer**
- Stealing Cryptocurrency sensitive data
- **Screen-Locker**
- Prevents user from accessing their Windows GUI
- **And more**
- On Connect Auto Task
- Force enable Windows RDP
- Persistence
- File manager
- Passowrds stealer
- Remote desktop
- Bitcoin grabber
- Downloader
- Keylogger

References
2021-09-20Trend MicroAliakbar Zahravi, William Gamazo Sanchez
@online{zahravi:20210920:water:63df486, author = {Aliakbar Zahravi and William Gamazo Sanchez}, title = {{Water Basilisk Uses New HCrypt Variant to Flood Victims with RAT Payloads}}, date = {2021-09-20}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html}, language = {English}, urldate = {2021-09-22} } Water Basilisk Uses New HCrypt Variant to Flood Victims with RAT Payloads
Ave Maria BitRAT LimeRAT Nanocore RAT NjRAT Quasar RAT
2021-09-13Trend MicroJaromír Hořejší, Daniel Lunghi
@online{hoej:20210913:aptc36:d6456f8, author = {Jaromír Hořejší and Daniel Lunghi}, title = {{APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs (IOCs)}}, date = {2021-09-13}, organization = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt}, language = {English}, urldate = {2021-09-14} } APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs (IOCs)
AsyncRAT Ave Maria BitRAT Imminent Monitor RAT LimeRAT NjRAT Remcos
2021-09-13Trend MicroJaromír Hořejší, Daniel Lunghi
@online{hoej:20210913:aptc36:9b97238, author = {Jaromír Hořejší and Daniel Lunghi}, title = {{APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs}}, date = {2021-09-13}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html}, language = {English}, urldate = {2021-09-14} } APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs
AsyncRAT Ave Maria BitRAT Imminent Monitor RAT LimeRAT NjRAT Remcos
2021-05-17Lab52Th3spis
@online{th3spis:20210517:literature:b9862c2, author = {Th3spis}, title = {{Literature lover targeting Colombia with LimeRAT}}, date = {2021-05-17}, organization = {Lab52}, url = {https://lab52.io/blog/literature-lover-targeting-colombia-with-limerat/}, language = {English}, urldate = {2021-05-17} } Literature lover targeting Colombia with LimeRAT
LimeRAT
2021-03-16MorphisecNadav Lorber
@online{lorber:20210316:tracking:2d8ef0b, author = {Nadav Lorber}, title = {{Tracking HCrypt: An Active Crypter as a Service}}, date = {2021-03-16}, organization = {Morphisec}, url = {https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service}, language = {English}, urldate = {2021-05-13} } Tracking HCrypt: An Active Crypter as a Service
AsyncRAT LimeRAT Remcos
2020-10-05JuniperPaul Kimayong
@online{kimayong:20201005:new:739309f, author = {Paul Kimayong}, title = {{New pastebin-like service used in multiple malware campaigns}}, date = {2020-10-05}, organization = {Juniper}, url = {https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns}, language = {English}, urldate = {2020-10-07} } New pastebin-like service used in multiple malware campaigns
Agent Tesla LimeRAT RedLine Stealer
2020-01-31ReversingLabsRobert Simmons
@online{simmons:20200131:rats:d8a4021, author = {Robert Simmons}, title = {{RATs in the Library: Remote Access Trojans Hide in Plain "Public" Site}}, date = {2020-01-31}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/rats-in-the-library}, language = {English}, urldate = {2020-02-03} } RATs in the Library: Remote Access Trojans Hide in Plain "Public" Site
CyberGate LimeRAT NjRAT Quasar RAT Revenge RAT
2020-01-15Lab52ml10
@online{ml10:20200115:aptc36:2ece45d, author = {ml10}, title = {{APT-C-36 recent activity analysis}}, date = {2020-01-15}, organization = {Lab52}, url = {https://lab52.io/blog/apt-c-36-recent-activity-analysis/}, language = {English}, urldate = {2020-01-20} } APT-C-36 recent activity analysis
LimeRAT
2019-10-16LimeRat
@online{limerat:20191016:limerat:da2782c, author = {LimeRat}, title = {{LimeRat}}, date = {2019-10-16}, url = {https://www.youtube.com/watch?v=x-g-ZLeX8GM}, language = {English}, urldate = {2019-10-16} } LimeRat
LimeRAT
2019-06-24Github (NYAN-x-CAT)NYAN-x-CAT
@online{nyanxcat:20190624:limerat:2274c0c, author = {NYAN-x-CAT}, title = {{LimeRAT | Simple, yet powerful remote administration tool for Windows (RAT)}}, date = {2019-06-24}, organization = {Github (NYAN-x-CAT)}, url = {https://github.com/NYAN-x-CAT/Lime-RAT/}, language = {English}, urldate = {2020-01-07} } LimeRAT | Simple, yet powerful remote administration tool for Windows (RAT)
LimeRAT
2019-04-09YoroiZLAB-Yoroi
@online{zlabyoroi:20190409:limerat:90dd4a3, author = {ZLAB-Yoroi}, title = {{LimeRAT spreads in the wild}}, date = {2019-04-09}, organization = {Yoroi}, url = {https://blog.yoroi.company/research/limerat-spreads-in-the-wild/}, language = {English}, urldate = {2019-11-29} } LimeRAT spreads in the wild
LimeRAT

There is no Yara-Signature yet.