Manual Static Analysis (LLM-assisted read) — LimeRAT | Threat: HIGH

File Identity

SHA256:        940e18e109ff6af1d6c8ab01f00746034ae67bfa36f25c4d0af3f7cd3f0df3a1
Lure file name: kalyanonlinematkaapp.exe (Indian gaming lure)
Size:          399,872 bytes
String count:  362

Cleartext C2 URL

IOC: The C2 URL is present in cleartext inside the binary!
C2 URL: https://kalyanonlinematkaapp.in.net/tai-app-kubet/
Domain: kalyanonlinematkaapp.in.net
Path:   /tai-app-kubet/

Persistence Mechanisms

1. Scheduled Task:
   schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr '...'
   -- Runs with the HIGHEST run level every time the user logs on!

2. Registry Autorun:
   Software\Microsoft\Windows\CurrentVersion\Run   -- Automatic start when the system boots
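The two persistence artifacts above (an ONLOGON scheduled task created with /RL HIGHEST, and a value written under the Run key) are what a defender would hunt for in endpoint telemetry. The following detection logic is an added example written for this report, not code from the original analysis or from the LimeRAT project. The log lines are constructed for the example (not real telemetry); their field names follow Sysmon naming (EventID 1 process creation, EventID 13 registry value set), but the one-line key=value layout is an assumption made here for parsing convenience.

```python
import re
from dataclasses import dataclass

# Constructed sample events (not real telemetry). The first line mirrors the
# schtasks command quoted in the report; the others are benign or unrelated
# activity so the checks have something to ignore.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\schtasks.exe '
    'CommandLine="schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr C:\\Users\\Public\\svc.exe"',
    'EventID=1 Image=C:\\Windows\\System32\\schtasks.exe '
    'CommandLine="schtasks /create /sc DAILY /tn BackupJob /tr C:\\Tools\\backup.exe"',
    'EventID=13 Image=C:\\Users\\Public\\svc.exe '
    'TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc '
    'Details=C:\\Users\\Public\\svc.exe',
    'EventID=13 Image=C:\\Windows\\explorer.exe '
    'TargetObject=HKLM\\Software\\Classes\\foo Details=bar',
]

# key=value pairs; a value is either a double-quoted string (may contain spaces)
# or a run of non-whitespace characters.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Lower-cased Run key path fragment, matched regardless of hive (HKLM/HKU/HKCU).
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"


@dataclass
class Finding:
    rule: str
    detail: str


def parse_event(line):
    """Turn one key=value log line into a dict of string fields."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def check_schtasks(ev):
    """Flag schtasks /create calls that register an ONLOGON task at HIGHEST run level."""
    cmd = ev.get("CommandLine", "")
    if ev.get("EventID") != "1" or "schtasks" not in cmd.lower():
        return None
    tokens = cmd.split()
    if "/create" not in (t.lower() for t in tokens):
        return None
    # schtasks switches are case-insensitive; map each "/switch" to the token after it.
    opts = {}
    for i, tok in enumerate(tokens):
        if tok.startswith("/") and i + 1 < len(tokens):
            opts[tok.lower()] = tokens[i + 1]
    if opts.get("/sc", "").upper() != "ONLOGON" or opts.get("/rl", "").upper() != "HIGHEST":
        return None
    name = opts.get("/tn", "?")
    # The task name quoted in the report is a direct indicator; any other
    # ONLOGON+HIGHEST task is still worth a lower-confidence alert.
    rule = "known-limerat-task" if name.lower() == "limerat-admin" else "onlogon-highest-task"
    return Finding(rule, f"task={name} action={opts.get('/tr', '?')}")


def check_run_key(ev):
    """Flag registry value writes under any CurrentVersion\\Run key."""
    target = ev.get("TargetObject", "")
    if ev.get("EventID") != "13" or RUN_KEY not in target.lower():
        return None
    value_name = target.rsplit("\\", 1)[-1]
    return Finding("registry-run-autostart", f"value={value_name} data={ev.get('Details', '?')}")


def scan(lines):
    """Run every check over every line and collect the findings in order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for check in (check_schtasks, check_run_key):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding.rule, finding.detail)
```

The schtasks check keys on the switch combination rather than only on the task name, so a renamed task still surfaces; the Run key check is deliberately hive-agnostic because the report does not say whether the sample writes to HKCU or HKLM.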

Technical Features

  • WMI query: Win32_Processor.deviceid="CPU0" — hardware fingerprinting
  • Mutex: persistent process control
  • Registry operations: CreateSubKey, RegistryKey
  • Persistence via scheduled task at SYSTEM privilege

About LimeRAT

LimeRAT is an open-source RAT family written in C# (published on GitHub). It includes remote access, keylogging, screenshot, clipboard, crypto clipper and DDoS features. It reaches its targets by impersonating an Indian gambling/betting site.

IOC

SHA256:      940e18e109ff6af1d6c8ab01f00746034ae67bfa36f25c4d0af3f7cd3f0df3a1
C2:          https://kalyanonlinematkaapp.in.net/tai-app-kubet/
Persistence: schtasks LimeRAT-Admin (ONLOGON, HIGHEST) + Registry Run
WMI:         Win32_Processor.deviceid="CPU0"

LimeRAT — Malware Profile

LimeRAT distributed under an Indian Kalyan Matka lottery theme. C2: kalyanonlinematkaapp.in.net. Disk enumeration for VM detection. AES crypto.

Malware Type
RAT
Programming Language
C#/.NET
C2 Protocol
TCP
Target Systems
Windows

Technical Details

C# .NET, AES encryption, TCP, plugin-based: RAT + Miner + Ransomware + Stealer, clipboard Bitcoin hijacker, built-in Monero miner, UAC bypass, anti-analysis

Capabilities & Behavior

Remote Access & Control
Keylogger
Screenshot
Webcam Access
File Management
Process Management
Command Execution
Persistence Mechanism

IOC List (1 indicator)

IOC — LimeRAT

Type Value Note
sha256 940e18e109ff6af1d6c8ab01f00746034ae67bfa36f25c4d0af3f7cd3f0df3a1 —

C2 Servers (5 recorded servers for this family)

Address Type Port Protocol Status Country
kalyanonlinematkaapp.in.net domain 443 HTTPS active —
hu88999.com domain 443 HTTPS inactive —
45.90.222.109 ip 1177 TCP inactive DE
88.198.47.34 ip 4444 TCP inactive DE

C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.

Tags
limerat, rat, cleartext-c2, schtasks, kalicilik, registry-run, onlogon, persistent