Manuel Statik Analiz (LLM Okumali) — LimeRAT | Tehdit: YUKSEK
Dosya Kimligi
| SHA256 | 940e18e109ff6af1d6c8ab01f00746034ae67bfa36f25c4d0af3f7cd3f0df3a1 |
|---|---|
| Yem Dosya Adi | kalyanonlinematkaapp.exe (Hint oyun lures) |
| Boyut | 399.872 byte |
| String Sayisi | 362 |
Cleartext C2 URL
IOC: C2 URL binary icerisinde cleartext gorunmektedir!
C2 URL: https://kalyanonlinematkaapp.in.net/tai-app-kubet/ Domain: kalyanonlinematkaapp.in.net Path: /tai-app-kubet/
Kalicilik Mekanizmalari
1. Zamanlanmis Gorev (Scheduled Task): schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr '...' -- Kullanici girisi yaptiginda HIGHEST yetkisiyle calisir! 2. Registry Autorun: Software\Microsoft\Windows\CurrentVersion\Run -- Sistem baslatildiginda otomatik baslama
Teknik Ozellikler
- WMI sorgusu:
Win32_Processor.deviceid="CPU0"— donanim fingerprint - Mutex: kalici proses kontrolu
- Registry islemleri:
CreateSubKey,RegistryKey - Zamanlanmis gorev ile SYSTEM yetkisinde kalicilik
LimeRAT Hakkinda
LimeRAT, C# ile yazilmis acik kaynak bir RAT ailesidir (GitHub'da yayinlanmis). Remote access, keylogging, screenshot, clipboard, kripto clipper ve DDoS ozellikleri icerir. Hintli gambling/betting sitesi taklidi yaparak hedeflere ulasir.
IOC
| SHA256 | 940e18e109ff6af1d6c8ab01f00746034ae67bfa36f25c4d0af3f7cd3f0df3a1 |
|---|---|
| C2 | https://kalyanonlinematkaapp.in.net/tai-app-kubet/ |
| Kalicilik | schtasks LimeRAT-Admin (ONLOGON, HIGHEST) + Registry Run |
| WMI | Win32_Processor.deviceid="CPU0" |
LimeRAT — Malware Profile
LimeRAT Hindistan Kalyan Matka piyango temasiyla dağıtılan. kalyanonlinematkaapp.in.net C2. Disk Enum VM tespiti. AES crypto.
Malware Type
RAT
Programming Language
C#/.NET
C2 Protocol
TCP
Target Systems
Windows
Technical Details
C# .NET, AES sifreleme, TCP, Plugin tabanlı: RAT + Miner + Ransomware + Stealer, Clipboard Bitcoin hijacker, Monero madenci dahili, UAC bypass, Anti-analysis
Capabilities & Behavior
Uzaktan Erişim & Kontrol
Keylogger
Ekran Görüntüsü
Webcam Erişimi
Dosya Yönetimi
Süreç Yönetimi
Komut Yürütme
Kalıcılık Mekanizması
IOC List (1 indicators)
IOC — LimeRAT
# SHA256
940e18e109ff6af1d6c8ab01f00746034ae67bfa36f25c4d0af3f7cd3f0df3a1
| Type | Value | Note |
|---|---|---|
| sha256 | 940e18e109ff6af1d6c8ab01f00746034ae67bfa36f25c4d0af3f7cd3f0df3a1 |
C2 Servers (5 recorded servers for this family)
| Address | Type | Port | Protocol | Status | Country |
|---|---|---|---|---|---|
| kalyanonlinematkaapp.in.net | domain | 443 | HTTPS | active | — |
| kalyanonlinematkaapp.in.net | domain | 443 | HTTPS | active | — |
| hu88999.com | domain | 443 | HTTPS | inactive | — |
| 45.90.222.109 | ip | 1177 | TCP | inactive | DE |
| 88.198.47.34 | ip | 4444 | TCP | inactive | DE |
C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.