MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7952bdc31aff90112f8b774602374bec264496134716b132cfbc832107fd15fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LimeRAT

Vendor detections: 9

SHA256 hash: 7952bdc31aff90112f8b774602374bec264496134716b132cfbc832107fd15fe
SHA3-384 hash: e700bbb1217e648fc0a3281309af20afc661dc0c4fd4200f8cb78eab70a20f696e6c78edf0269567abdcd6e37cd291f4
SHA1 hash: 217820a3d1c1b03d38acd760590e8c2db42ed553
MD5 hash: 09dfe85d9588103e101da96351845073
humanhash: delaware-april-double-saturn
File name: bp.exe
Signature: LimeRAT
File size: 159'424 bytes
First seen: 2020-08-19 14:23:55 UTC
Last seen: 2020-08-19 14:45:12 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (shared with 48'652 AgentTesla, 19'463 Formbook and 12'204 SnakeKeylogger samples on MalwareBazaar, so this imphash is not a useful pivot on its own)
ssdeep: 3072:Dht6sYlB2+GBER/BDSscD4aJlmJaAyriytk6+5rRLIduvWnPwcsLbPft4Tl+4Q/c:Ft6sYlB2+GBER/BDSscD4aJlmJaAyrig
Threatray: 15 similar samples on MalwareBazaar
TLSH: F1F39807B6807211C2A9317D83E6AC5D33B8A5FF4BA1800DDF467B9EED425E26C5C6C9
Reporter: abuse_ch
Tags: exe LimeRAT RAT


abuse_ch
Malspam distributing LimeRAT:

HELO: box.officiialsupport.net
Sending IP: 134.209.80.221
From: Power and water corporation <services@officiialsupport.net>
Subject: Water bill
Attachment: Invoice.xlsm

LimeRAT payload URLs:
http://supofficemainlivedsributionsproceed.duckdns.org/bp.exe
https://pastebin.com/raw/P2Re0BdB

LimeRAT C2:
103.153.79.45:5959

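The network indicators from the reporter's comment above (HELO name, sending IP, sender domain, payload URLs and C2 socket), applied to constructed mail-gateway, web-proxy and firewall log lines. This is an added example, not code from MalwareBazaar or from the reporter; the log lines, their key=value layout and the field names (relay=, helo=, url=, dst=, dport=) are assumptions made up for the example.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Network indicators copied from the reporter comment on this entry.
IOCS = {
    "helo": {"box.officiialsupport.net"},
    "sender_ip": {"134.209.80.221"},
    "sender_domain": {"officiialsupport.net"},
    "payload_url": {
        "http://supofficemainlivedsributionsproceed.duckdns.org/bp.exe",
        "https://pastebin.com/raw/P2Re0BdB",
    },
    # Host-level match only for the dynamic-DNS payload host; pastebin.com is
    # shared infrastructure, so it is matched on the full raw URL only.
    "payload_host": {"supofficemainlivedsributionsproceed.duckdns.org"},
    "c2": {("103.153.79.45", 5959)},
}

# Constructed log lines (assumed key=value format, not real traffic).
MAIL_LOG = """\
2020-08-19T14:20:01Z relay=134.209.80.221 helo=box.officiialsupport.net from=services@officiialsupport.net subject="Water bill" attach=Invoice.xlsm
2020-08-19T14:21:10Z relay=203.0.113.10 helo=mail.example.org from=alice@example.org subject="Lunch" attach=-
"""
PROXY_LOG = """\
2020-08-19T14:23:30Z src=10.0.0.7 url=http://supofficemainlivedsributionsproceed.duckdns.org/bp.exe status=200
2020-08-19T14:23:40Z src=10.0.0.7 url=https://pastebin.com/raw/P2Re0BdB status=200
2020-08-19T14:23:50Z src=10.0.0.8 url=http://supofficemainlivedsributionsproceed.duckdns.org/update.exe status=404
2020-08-19T14:24:00Z src=10.0.0.9 url=https://pastebin.com/raw/abcdefgh status=200
"""
FIREWALL_LOG = """\
2020-08-19T14:24:05Z src=10.0.0.7 dst=103.153.79.45 dport=5959 proto=tcp action=allow
2020-08-19T14:24:06Z src=10.0.0.9 dst=103.153.79.45 dport=443 proto=tcp action=allow
2020-08-19T14:24:07Z src=10.0.0.9 dst=198.51.100.5 dport=5959 proto=tcp action=allow
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Parse key=value pairs (double-quoted values allowed) from one log line."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def match_mail(line):
    """Return the mail-side indicator names that a gateway log line matches."""
    f = parse_kv(line)
    hits = []
    if f.get("helo") in IOCS["helo"]:
        hits.append("helo")
    if f.get("relay") in IOCS["sender_ip"]:
        hits.append("sender_ip")
    if f.get("from", "").rsplit("@", 1)[-1] in IOCS["sender_domain"]:
        hits.append("sender_domain")
    return hits


def match_proxy(line):
    """Exact payload URL first, then the attacker-controlled host on any path."""
    f = parse_kv(line)
    url = f.get("url", "")
    if url in IOCS["payload_url"]:
        return ["payload_url"]
    if (urlparse(url).hostname or "") in IOCS["payload_host"]:
        return ["payload_host"]
    return []


def match_firewall(line):
    """Exact C2 ip:port, with the same IP on another port flagged at lower confidence."""
    f = parse_kv(line)
    try:
        dst = str(ipaddress.ip_address(f.get("dst", "")))
        port = int(f.get("dport", "0"))
    except ValueError:
        return []
    if (dst, port) in IOCS["c2"]:
        return ["c2"]
    if any(dst == ip for ip, _ in IOCS["c2"]):
        return ["c2_ip_other_port"]
    return []


def scan(log_text, matcher):
    """Return (line_number, hits) for every line with at least one indicator hit."""
    out = []
    for n, line in enumerate(log_text.splitlines(), 1):
        hits = matcher(line)
        if hits:
            out.append((n, hits))
    return out


if __name__ == "__main__":
    for name, log, matcher in (("mail", MAIL_LOG, match_mail),
                               ("proxy", PROXY_LOG, match_proxy),
                               ("firewall", FIREWALL_LOG, match_firewall)):
        for n, hits in scan(log, matcher):
            print(f"{name} line {n}: {', '.join(hits)}")
```

The pastebin URL is deliberately matched in full rather than by host, since a host-level match on pastebin.com would flag every raw-paste fetch in the environment; the duckdns name, by contrast, is attacker-controlled and worth matching on any path. A connection to the C2 IP on a port other than 5959 is reported separately so it can be triaged with lower priority.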
Intelligence

File Origin
# of uploads: 2
# of downloads: 937
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware

Behaviour
DNS request
Sending a custom TCP request
Creating a file
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Creating a window
Unauthorized injection to a recently created process
Enabling autorun by creating a file

Result
Threat name: Unknown
Detection: malicious
Classification: troj
Score: 52 / 100
Signature:
Binary contains a suspicious time stamp
Connects to a pastebin service (likely for C&C)
Machine Learning detection for sample

Threat name: Win32.Trojan.Kryptik
Status: Malicious
First seen: 2020-08-19 11:18:45 UTC
AV detection: 22 of 29 (75.86%)
Threat level: 5/5

Result
Malware family: limerat
Score: 10/10
Tags: rat family:limerat
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Executes dropped EXE
LimeRAT
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Signature: LimeRAT
Sample: Executable exe 7952bdc31aff90112f8b774602374bec264496134716b132cfbc832107fd15fe (this sample)