MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 098e9e30726c0194c3e82283bf2cd2d7addd6902c32a813781cea354e31602b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LimeRAT


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 098e9e30726c0194c3e82283bf2cd2d7addd6902c32a813781cea354e31602b5
SHA3-384 hash: b81940074895c5995093f2ad5d84c32a2f4b7039fbc0d6c6c6caf8fe6aec544c4c6c597347aace16be00fc3c2d6e5b79
SHA1 hash: c860cf974d01307e4d911763523e76de06dfe2cf
MD5 hash: 738c5d7ddfc5adf5d66eecac740da118
humanhash: ohio-burger-fillet-wyoming
File name:Sorted Properties.exe
Download: download sample
Signature LimeRAT
Create hunting rule
File size:477'288 bytes
First seen:2021-02-16 15:52:05 UTC
Last seen:2021-02-16 18:01:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:tWF2YFxDMAYloj1/L8YEAQwgG5h+BGCM0zBMO7bg1GpoybEdhIsBO8QfFB:tWRbDMAzjN4YEAFsGyB7bsWrEdqMQfFB
Threatray 131 similar samples on MalwareBazaar
TLSH 47A47B525298CC11D77D033406A40738A7BB3E97A968F2483F1975E43AB369F6F63227
Reporter abuse_ch
Tags:exe LimeRAT RAT


Avatar
abuse_ch
LimeRAT C2:
worldwreck.ddns.net:15000

Intelligence

File Origin
# of uploads :
2
# of downloads :
648
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/117375/
Detection(s):
SecuriteInfo.com.Artemis738C5D7DDFC5.31935.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Creating a window
Running batch commands
Launching a process
Sending a UDP request
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Threat name:
LimeRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/609175
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Protects its processes via BreakOnTermination flag
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected LimeRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 353613 Sample: Sorted Properties.exe Startdate: 16/02/2021 Architecture: WINDOWS Score: 100 53 Multi AV Scanner detection for dropped file 2->53 55 Yara detected AntiVM_3 2->55 57 Yara detected LimeRAT 2->57 59 6 other signatures 2->59 8 Sorted Properties.exe 15 7 2->8         started        process3 dnsIp4 51 192.168.2.1 unknown unknown 8->51 39 C:\Users\...\Microsoft Document Expert.exe, PE32 8->39 dropped 41 C:\Users\user\AppData\...\InstallUtil.exe, PE32 8->41 dropped 43 Microsoft Document...exe:Zone.Identifier, ASCII 8->43 dropped 65 Hides that the sample has been downloaded from the Internet (zone.identifier) 8->65 13 Microsoft Document Expert.exe 14 5 8->13         started        17 cmd.exe 1 8->17         started        file5 signatures6 process7 file8 45 C:\Users\...\Microsoft Run TIme Proceses.exe, PE32 13->45 dropped 67 Writes to foreign memory regions 13->67 69 Allocates memory in foreign processes 13->69 71 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->71 73 Injects a PE file into a foreign processes 13->73 19 InstallUtil.exe 16 3 17->19         started        23 Microsoft Run TIme Proceses.exe 2 17->23         started        25 Microsoft Run TIme Proceses.exe 17->25         started        27 5 other processes 17->27 signatures9 process10 dnsIp11 47 worldwreck.ddns.net 68.235.38.38, 15000, 16000, 37963 TZULOUS United States 19->47 49 pastebin.com 104.23.98.190, 443, 49749 CLOUDFLARENETUS United States 19->49 61 Protects its processes via BreakOnTermination flag 19->61 63 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 19->63 29 Microsoft Run TIme Proceses.exe 23->29         started        31 Microsoft Run TIme Proceses.exe 25->31         started        33 Microsoft Run TIme Proceses.exe 27->33         started        35 Microsoft Run TIme Proceses.exe 27->35         started        37 Microsoft Run TIme Proceses.exe 27->37         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/098e9e30726c0194c3e82283bf2cd2d7addd6902c32a813781cea354e31602b5/
Threat name:
ByteCode-MSIL.Backdoor.Crysan
Create hunting rule
Status:
Malicious
First seen:
2021-02-16 15:53:05 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bghj4mdsnqazjq7iekb36lgs26w522icymvicn4bz2rvjyywak2q._file
Verdict:
malicious
Similar samples:
0820ffc8c51cbdef8773f5455348cb85bf9fd42c2f872bc0909734accbf27c13
LimeRAT
101bfb7953ee39065a917a37670cc43836cf5c0a938082f4038515efebddcc04
LimeRAT
13089dc94e2719723a0a73f4b193f2af29726d5cb2bea1aa86d5c832ba2822fc
LimeRAT
2f01970525500ba9024c7d2578ed317c6c8d51a482c15cf50506c862e9d18c35
LimeRAT
7107f4965f48165708f028a5541e4b945fb9fac1546c8a069752c2ad43065079
LimeRAT
87c4eaa0bd2c47960898cd39d92784c1aae78c2bd56562d1f67797eeab185f8e
LimeRAT
c549da8e701e70f541c7a4a651406aec910cda2587392f33d1ee0d5717439d99
LimeRAT
d21f7c6f8a4fbbb00973d1ed40f4c9ca33920aaca079b70ff298db4e74b56134
LimeRAT
ed21e9b47bc6e3343b98a6a69795c35c0b9ed34d9963a65e5df0afdcfdad9820
LimeRAT
f5aa4fe1049ed94dbf22ad1427013a30762ebd9ac2a89726f9f313b087e2a4a0
LimeRAT
+ 121 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
agilenet persistence
Link:
https://tria.ge/reports/210216-8lzsmyp4le/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
Unpacked files
SH256 hash:
098e9e30726c0194c3e82283bf2cd2d7addd6902c32a813781cea354e31602b5
MD5 hash:
738c5d7ddfc5adf5d66eecac740da118
SHA1 hash:
c860cf974d01307e4d911763523e76de06dfe2cf
Link:
https://www.unpac.me/results/cd335cf9-da22-49f8-8049-96217c491295/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/098e9e30726c0194c3e82283bf2cd2d7addd6902c32a813781cea354e31602b5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_LimeRAT
Create hunting rule
Author:ditekSHen
Description:LimeRAT payload
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

LimeRAT

Executable exe 098e9e30726c0194c3e82283bf2cd2d7addd6902c32a813781cea354e31602b5

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/117375/

Comments