MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 258475fb4d0c7c39b4d702172b78d67fc9223792061729543c97d0950c396b5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
LimeRAT
Vendor detections: 5
| SHA256 hash: | 258475fb4d0c7c39b4d702172b78d67fc9223792061729543c97d0950c396b5e |
|---|---|
| SHA3-384 hash: | 3302511f2a6d9fcf2a6c5afd4ad8a390f091851822be92ca409a65de5126291baf095e3d878cb621c5ee1b82621d29f5 |
| SHA1 hash: | a649132fc4b88f630696157bc67d0f4c3f603d17 |
| MD5 hash: | 5fea87d4e0afb8e31981bb6c1f9b1673 |
| humanhash: | comet-mirror-carpet-video |
| File name: | Lime_masarati.exe |
| Download: | download sample |
| Signature | LimeRAT |
| File size: | 289'968 bytes |
| First seen: | 2020-08-18 11:24:35 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger) |
| ssdeep | 6144:F8BQsCkR/Kjd9/q96229WcKf1Pupk96kADzsd:3BkR/Kj3S9Z2lKtuMjd |
| Threatray | 66 similar samples on MalwareBazaar |
| TLSH | E754DFFD76E36E12C26E043DD5A301000375A7432263DB4B31995E59BB0BBCA951ABDF |
| Reporter |  abuse_ch |
| Tags: | exe LimeRAT nVpn RAT |
abuse_ch
Malspam distributing LimeRAT:HELO: mail.micgrup.com
Sending IP: 51.68.105.75
From: Facturacion <facturacion@stmseguridad.com>
Subject: purchase inquiry
Attachment: N-2045...pdf.gz (contains "Lime_masarati.exe")
LimeRAT C2:
194.5.97.59:51510
Hosted on nVpn:
% Information related to '194.5.97.0 - 194.5.97.255'
% Abuse contact for '194.5.97.0 - 194.5.97.255' is 'abuse@kgb-vpn.org'
inetnum: 194.5.97.0 - 194.5.97.255
netname: NET-NINAZU
remarks: ------------------------------------------
remarks: * This network is used for a VPN service.
remarks: * No logs are stored in any shape or form.
remarks: ------------------------------------------
country: EU
admin-c: NVS100-RIPE
tech-c: NVS100-RIPE
org: ORG-NVS2-RIPE
mnt-by: NINAZU-MNT
status: SUB-ALLOCATED PA
created: 2018-07-23T09:31:45Z
last-modified: 2020-08-02T13:13:48Z
source: RIPE
Intelligence
File Origin
# of uploads :
1
# of downloads :
908
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Detection(s):
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Threat name:
ByteCode-MSIL.Trojan.Ymacco
Status:
Malicious
First seen:
2020-08-18 11:26:06 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
suspicious
Similar samples:
+ 56 additional samples on MalwareBazaar
Result
Malware family:
limerat
Score:
10/10
Tags:
rat family:limerat
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
Loads dropped DLL
Executes dropped EXE
LimeRAT
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.