File Identity
| Field | Value |
|---|---|
| SHA256 | b29cf2fc83f2c5871baf6d54b9593dec38a09208818482ec5f94947745ca7f11 |
| Original name | detail.exe |
| Size | 29,184 bytes (~28.5 KB) |
| PE type | PE32, .NET Framework assembly (VB.NET) |
| Version | LimeRAT v0.1.9.1 |
| Language | Microsoft Visual Basic .NET |
C2 Infrastructure
| Field | Value |
|---|---|
| C2 URL | https://hu88999.com/home/event/detail (HTTPS; the URL is stored in cleartext in the binary) |
| Domain | hu88999.com, suspected to belong to the operator |
| Protocol | HTTPS (web-based C2 panel) |
| Dropped file | hu88999.exe (copied into the AppData folder) |
Persistence Mechanisms
| Mechanism | Detail |
|---|---|
| Scheduled task | schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "..." |
| Registry | Software\Microsoft\Windows\CurrentVersion\Run\ |
| Dropped file | %AppData%\hu88999.exe |
Anti-Analysis Techniques
| Technique | Detail |
|---|---|
| VMware detection | checks for the presence of the string "vmware" |
| VirtualBox | checks whether \vboxhook.dll is loaded |
| Sandboxie | checks for the presence of SbieDll.dll |
| Registry anti-VM | reads System\CurrentControlSet\Services\Disk\Enum\ to spot VM disk driver names (string stored Base64-encoded) |
| Self-delete | cmd.exe /c ping 0 -n 2 & del, a ping used as a short delay before the file deletes itself (string stored Base64-encoded) |
| Process protection | RtlSetProcessIsCritical; terminating the process triggers a BSOD |
| AES encryption | RijndaelManaged used to encrypt network traffic |
Technical Capabilities
RAT Features
- Remote shell execution
- Screenshot capture: CopyFromScreen
- Clipboard monitoring/theft: get_Clipboard
- File download: WebClient.DownloadFile
- File deletion: DeleteFile
- WMI queries: Win32_Processor, Win32_BIOS, Win32_VideoController
- AV detection: SELECT * FROM AntivirusProduct (the root\SecurityCenter2 WMI class)
- System information collection: get_MachineName, get_OSFullName, get_UserName
Additional Threat Modules
- Crypto miner: --donate-level= parameter (an XMRig command-line option), hidden XMR (Monero) mining ("Minning..." string)
- DDoS/flood: TCP/UDP flood module
- USB spreading: copies itself to USB drives (PLUSB module)
- PIN theft: PLPIN module
- Ransomware: Rans-Status check (encrypted/unencrypted file state)
- Code bypass: UAC/AV evasion via Regasm.exe
- Code execution: runtime decoding of code with FromBase64String
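The persistence, self-delete, Regasm and miner behaviours listed above all leave recognisable process command lines. The following is an added detection example written for this write-up, not code from the page or from LimeRAT: a handful of regex rules run over constructed Sysmon-style process-creation records. The file paths, the pool host `pool.example.invalid` and the wallet placeholder are made up; only the LimeRAT-Admin task name, the `ping 0 -n 2 & del` idiom, Regasm.exe and `--donate-level` come from the analysis.

```python
# Added example for this write-up, not code from the page or from LimeRAT:
# command-line detection logic for the behaviours described above, run over
# constructed Sysmon-style process-creation records.
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample records (CommandLine fields). Paths, the pool host and the
# wallet placeholder are made up; only the LimeRAT-Admin task name, the
# ping-and-del idiom, Regasm.exe and --donate-level come from the analysis.
SAMPLE_LOGS = [
    r'schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "C:\Users\victim\AppData\Roaming\hu88999.exe"',
    r'cmd.exe /c ping 0 -n 2 & del "C:\Users\victim\Downloads\detail.exe"',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" /U C:\Users\victim\AppData\Roaming\payload.dll',
    r'xmrig.exe -o pool.example.invalid:3333 -u WALLET_PLACEHOLDER --donate-level=0',
    r'schtasks /query /fo LIST',   # benign: listing tasks
    r'ping 8.8.8.8 -n 4',          # benign: ordinary ping
]

@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    note: str

RULES = [
    # Persistence: task created to run at logon with highest privileges.
    Rule("persistence.schtasks_onlogon_highest",
         re.compile(r"schtasks\s+/create\b(?=.*\s/sc\s+ONLOGON\b)(?=.*\s/RL\s+HIGHEST\b)", re.I),
         "logon-triggered scheduled task with /RL HIGHEST"),
    # Defence evasion: ping used as a sleep before the dropper deletes a file.
    Rule("defense_evasion.ping_delay_then_del",
         re.compile(r"cmd(?:\.exe)?\s+/c\s+ping\b[^&]*&\s*del\b", re.I),
         "ping delay followed by del"),
    # Defence evasion: Regasm.exe loading an assembly from a user-writable path.
    Rule("defense_evasion.regasm_user_path",
         re.compile(r"\bregasm\.exe\b.*\\(?:AppData|Temp|Users)\\", re.I),
         "Regasm.exe with assembly under a user-writable directory"),
    # Impact: XMRig-style miner flag.
    Rule("impact.xmrig_donate_level",
         re.compile(r"--donate-level=", re.I),
         "XMRig --donate-level flag present"),
]

def scan(lines):
    """Return (rule name, line) for every rule that fires on every line."""
    return [(rule.name, line) for line in lines for rule in RULES if rule.pattern.search(line)]

def matched_rules(lines):
    """Set of rule names that fired at least once."""
    return {name for name, _ in scan(lines)}

def extract_task_name(line: str) -> Optional[str]:
    """Pull the /tn value out of a schtasks command line (quoted or bare)."""
    m = re.search(r'/tn\s+(?:"([^"]+)"|(\S+))', line, re.I)
    if not m:
        return None
    return m.group(1) or m.group(2)

if __name__ == "__main__":
    for name, line in scan(SAMPLE_LOGS):
        print(f"[{name}] {line}")
        if name.startswith("persistence."):
            print("   task name:", extract_task_name(line))
```

The two benign lines are there on purpose: a `schtasks /query` and a plain `ping` must not fire, which is why the task rule requires `/create` together with `/sc ONLOGON` and `/RL HIGHEST`, and the self-delete rule requires the `cmd /c ping ... & del` chain rather than `ping` alone.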
Protocol Structure
LimeRAT talks to the C2 over HTTPS and frames its messages with the |'N'| and |'L'| separators. Traffic is encrypted with RijndaelManaged (AES) using a hardcoded Key and IV hidden inside the binary. Because the key and IV are static, recovering them from the assembly (for example with a .NET decompiler) is enough to decrypt captured traffic.
Base64-encoded obfuscated strings:
- U3lzdGVtX... → System\CurrentControlSet\Services\Disk\Enum\ (anti-VM)
- Y21kLmV4ZS... → cmd.exe /c ping 0 -n 2 & del (self-delete)
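Two things an analyst wants to automate from this section are pulling the Base64-obfuscated strings out of a strings dump and splitting messages on the |'N'| / |'L'| separators. The block below is an added example written for this write-up, not code from the page or from LimeRAT. The byte blob and the frame contents are constructed; the Base64 tokens are re-encoded from the plaintexts the analysis reports, because the page shows only their first characters. The AES layer is not reproduced, since the key and IV are not given here.

```python
# Added example for this write-up, not code from the page or from LimeRAT:
# recovers Base64-obfuscated strings from a strings dump and splits a message
# framed with the |'N'| / |'L'| separators described above. The blob and the
# frame contents are constructed; the Base64 tokens are re-encoded here from
# the plaintexts the analysis reports. The AES (RijndaelManaged) layer is not
# reproduced because the key and IV are not given.
import base64
import binascii
import re
import string
from typing import Optional

SEP_FIELD = "|'N'|"   # field separator
SEP_SUB = "|'L'|"     # sub-field separator

# Plaintext indicators from the analysis and what they mean.
KNOWN_STRINGS = {
    "System\\CurrentControlSet\\Services\\Disk\\Enum\\": "anti-VM (disk driver enumeration)",
    "cmd.exe /c ping 0 -n 2 & del": "self-delete (ping delay, then del)",
}

def _b64(text: str) -> bytes:
    return base64.b64encode(text.encode("ascii"))

# Constructed stand-in for a strings dump of the sample: junk bytes, the two
# obfuscated indicators, a short plain string, and a long run of 'A's that is
# valid Base64 but decodes to NUL bytes (a false positive the filter must drop).
SAMPLE_BLOB = (
    b"MZ\x90\x00junk-data-here "
    + _b64("System\\CurrentControlSet\\Services\\Disk\\Enum\\")
    + b"\x00\x00"
    + _b64("cmd.exe /c ping 0 -n 2 & del")
    + b"\x00LimeRAT-Admin\x00"
    + b"A" * 40
)

# Runs of at least 16 Base64 alphabet characters plus optional padding,
# not glued onto a preceding alphabet character.
B64_RUN = re.compile(rb"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}")

def find_b64_strings(blob: bytes):
    """Return (token, decoded) pairs for Base64 runs that decode to printable ASCII."""
    found = []
    for m in B64_RUN.finditer(blob):
        token = m.group(0)
        if len(token) % 4:          # not a whole number of Base64 quanta
            continue
        try:
            text = base64.b64decode(token, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if all(c in string.printable for c in text):
            found.append((token.decode("ascii"), text))
    return found

def classify(text: str) -> Optional[str]:
    """Label a decoded string if it contains a known indicator."""
    for needle, label in KNOWN_STRINGS.items():
        if needle in text:
            return label
    return None

def triage(blob: bytes):
    """Decoded string -> label (None when it matches no known indicator)."""
    return {text: classify(text) for _, text in find_b64_strings(blob)}

def parse_frame(frame: str):
    """Split a message on |'N'|, then each field on |'L'|."""
    return [field.split(SEP_SUB) for field in frame.split(SEP_FIELD)]

def build_frame(fields) -> str:
    """Inverse of parse_frame."""
    return SEP_FIELD.join(SEP_SUB.join(sub) for sub in fields)

if __name__ == "__main__":
    for token, text in find_b64_strings(SAMPLE_BLOB):
        print(f"{token[:12]}... -> {text!r}  [{classify(text)}]")
    # Constructed frame; the field layout is illustrative, not LimeRAT's real schema.
    print(parse_frame(build_frame([["Info"], ["DESKTOP-01", "user"], ["Windows 10 Pro", "x64"]])))
```

The printable-ASCII filter is what keeps the 40-character run of `A`s (valid Base64, but 30 NUL bytes once decoded) out of the results; on a real dump the same filter discards most of the random Base64-looking tokens that come from compressed or encrypted resources.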
IOCs
| Type | Value |
|---|---|
| SHA256 | b29cf2fc83f2c5871baf6d54b9593dec38a09208818482ec5f94947745ca7f11 |
| C2 URL | https://hu88999.com/home/event/detail |
| C2 domain | hu88999.com |
| Dropped file | hu88999.exe (%AppData%) |
| Scheduled task | LimeRAT-Admin (schtasks ONLOGON, /RL HIGHEST) |
| Registry | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ |
| Version | v0.1.9.1 |
How to Remove
- Network block: block the hu88999.com domain at DNS and the firewall
- Delete the scheduled task: schtasks /delete /tn "LimeRAT-Admin" /f
- Clean the registry: delete the hu88999.exe entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- Delete the file: locate and delete %AppData%\hu88999.exe
- Check for the miner: sustained high CPU usage may mean the miner module is active
- Full AV scan: run a full system scan with current signatures
Because the implant marks itself critical with RtlSetProcessIsCritical, killing the running process can blue-screen the host. Remove the persistence entries first and finish the cleanup after a reboot (or from offline media) rather than terminating the process live.
Technical Summary
LimeRAT v0.1.9.1 is a multi-module Remote Access Trojan written in VB.NET. This sample uses https://hu88999.com/home/event/detail as its C2 (the URL is stored in cleartext in the binary) and includes screen capture, clipboard theft, crypto mining (XMR), DDoS/flood, USB spreading, a ransomware module and anti-VM/anti-sandbox checks. It relies on Base64 string obfuscation, process protection via RtlSetProcessIsCritical, and AES (RijndaelManaged) encryption of its network traffic.
LimeRAT — Malware Profile
LimeRAT distributed under an Indian Kalyan Matka lottery theme. C2: kalyanonlinematkaapp.in.net. Disk Enum VM detection. AES crypto.
Technical Details
.NET (the sample analysed above is VB.NET; the family summary lists C#), AES encryption, TCP transport, plugin-based: RAT + miner + ransomware + stealer, clipboard Bitcoin hijacker, built-in Monero miner, UAC bypass, anti-analysis
IOC List (6 indicators)
| Type | Value | Note |
|---|---|---|
| scheduled task | LimeRAT-Admin | |
| sha256 | b29cf2fc83f2c5871baf6d54b9593dec38a09208818482ec5f94947745ca7f11 | |
| domain | hu88999.com | |
| registry | HKCU\Software\Microsoft\Windows\CurrentVersion\Run | |
| filepath | hu88999.exe | |
| url | https://hu88999.com/home/event/detail | |
C2 Servers (5 recorded servers for this family; kalyanonlinematkaapp.in.net was recorded twice)
| Address | Type | Port | Protocol | Status | Country |
|---|---|---|---|---|---|
| kalyanonlinematkaapp.in.net | domain | 443 | HTTPS | active | — |
| hu88999.com | domain | 443 | HTTPS | inactive | — |
| 45.90.222.109 | ip | 1177 | TCP | inactive | DE |
| 88.198.47.34 | ip | 4444 | TCP | inactive | DE |
C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.