MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b6226b41a638ea48776cb12ed1ae05b312c7a0d7d8546c13c80c4c2e039cc29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



LimeRAT


Vendor detections: 3

SHA256 hash: 4b6226b41a638ea48776cb12ed1ae05b312c7a0d7d8546c13c80c4c2e039cc29
SHA3-384 hash: beaa82d0217365ea1eef4737c124228cc5a64b3a733b4b8b0263692563c9cd8915be0b8003e4d0838a10c9eeb0b4ee94
SHA1 hash: 1549466e24941ff9629bc10e91d0dc6948e460dc
MD5 hash: 7a306acf26ebe94b06c80fcfef051b6b
humanhash: uranus-indigo-beryllium-massachusetts
File name: Solar stimulus program.exe
Signature: LimeRAT
File size: 195'472 bytes
First seen: 2020-06-02 16:32:22 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 3072:AAaUxhNMJx1Mp1YjebV7Nr6JD6u8w/CpLmufl7MrMPWAadA68Ydq5a:NaUDG3Kp1Y6VEJD6LpNaAnax8DI
Threatray: 299 similar samples on MalwareBazaar
TLSH: A6148D15B2CCA1F2C16C0A734C1273455A338E067663BF1B6CBE63581E233DA6376A6D
Reporter: abuse_ch
Tags: exe, LimeRAT, Outlook, RAT

Code Signing Certificate

Organisation: Microsoft Code Signing PCA
Issuer: Microsoft Root Authority
Algorithm: sha1WithRSA
Valid from: Aug 22 22:31:02 2007 GMT
Valid to: Aug 25 07:00:00 2012 GMT
Serial number: 2EAB11DC50FF5C9DCBC0
Intelligence: 22 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint algorithm: SHA256
Thumbprint: DBD5BD417B78886EDC1574F5E872F3E1C0B07522B6881B95B6DD872AEDBEB30D
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


abuse_ch
Malspam distributing LimeRAT:

HELO: EUR05-DB8-obe.outbound.protection.outlook.com
Sending IP: 40.92.89.47
From: Randy Bacon <randybacon41@hotmail.com>
Subject: Solar Stimulus Program
Attachment: Solar stimulus program_ZIP.zip (contains "Solar stimulus program.exe")

LimeRAT C2:
nicolework.ddns.net:6678 (194.35.114.170)

Intelligence


File Origin
# of uploads: 1
# of downloads: 959
Origin country: n/a

Vendor Threat Intelligence
Threat name: ByteCode-MSIL.Trojan.Noon
Status: Malicious
First seen: 2020-06-02 17:19:00 UTC
File type: PE (.Net Exe)
Extracted files: 5
AV detection: 18 of 31 (58.06%)
Threat level: 2/5

Result
Malware family: n/a
Score: 8/10
Tags: agilenet

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Executes dropped EXE

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: LimeRAT, Executable exe 4b6226b41a638ea48776cb12ed1ae05b312c7a0d7d8546c13c80c4c2e039cc29 (this sample)
Delivery method: Distributed via e-mail attachment

Comments