LimeRAT spreads in the wild - Yoroi
Common Information
Type                            Value
UUID                            cccd5bd3-9f84-40df-a28f-9b6aed707c0e
Fingerprint                     2c25b912a03746ed
Analysis status                 DONE
Considered CTI value            2
Text language                   
Published                       April 9, 2019, 2:16 p.m.
Added to db                     Sept. 26, 2022, 9:30 a.m.
Last updated                    Nov. 17, 2024, 11:36 p.m.
Headline                        LimeRAT spreads in the wild
Title                           LimeRAT spreads in the wild - Yoroi
Detected Hints/Tags/Attributes  65/2/22
Attributes

Type                  #Events  Value
Domain                1        hacks4all.net
Domain                372      wscript.shell
Domain                228      system.io
Domain                2        warzonedns.com
Domain                1175     gmail.com
Domain                358      pastebin.com
Domain                1        netpipe.warzonedns.com
File                  2        rdp.ps1
File                  1208     powershell.exe
File                  34       eventvwr.exe
File                  62       fodhelper.exe
File                  1        u:\software\microsoft\windows\currentversion\run' -name 'filename' -value 'c:\users\admin\appdata\local\temp\fuw.js
File                  1        %appdata%\roaming\microsoft\windows\start menu\programs\startup\fuw.js
sha256                1        141fd1e267a092d5525ba91b5817c324ccd9ec20a0d5c6b5cdfb899ca5cda039
sha256                3        e259df89e065c4162b273ebb18b75ea153f9bafe30a8c6610204ccf5e3f4ebcd
sha256                1        ea755ec0455e91f9e218658b58962a0d6ce97c0c0940f0523042c23c0f20a10d
sha256                1        194f608496f502a8cb2da017342b6b8b9e48ffa0e60f9c2052bff8fb98377eb6
IPv4                  1        213.183.58.10
Url                   1        https://hacks4all.net/rdp.ps1
Url                   1        https[://pastebin.com/raw/8pgce3qe
Windows Registry Key  1        HKCU\SOFTWARE\Microsoft\\Winkey
Yara rule             1        rule LimeRat_201904 (listed below)

rule LimeRat_201904 {
	meta:
		description = "Yara rule for LimeRAT"
		author = "Cybaze - Yoroi ZLab"
		last_updated = "2019-04-08"
		tlp = "white"
		category = "informational"
	strings:
		$a1 = { E5 A4 AA E5 AD AB E5 B0 87 }
		$a2 = { 61 02 D2 0A 7C 04 69 02 }
		$b = "LimeRAT" wide
	condition:
		all of them
}