MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0992a4d0ec2f14a98c9ad100776de019dd99d1054ca4cb1e528cd25c16c32c20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LimeRAT


Vendor detections: 7


Intelligence 7 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0992a4d0ec2f14a98c9ad100776de019dd99d1054ca4cb1e528cd25c16c32c20
SHA3-384 hash: 3a6749567ba0745e88b6ba03d4b0e6fa46a2e5836326c9d64942bbfa6209c978a54d3062580051ade41f03a70fbe4805
SHA1 hash: cbebc02db1973167a1fd05d015f1c4813a10930e
MD5 hash: 6342e5060369d9be13867a74d94d2504
humanhash: monkey-ceiling-pasta-michigan
File name:6342E5060369D9BE13867A74D94D2504.exe
Download: download sample
Signature LimeRAT
Create hunting rule
File size:218'624 bytes
First seen:2021-07-15 17:15:50 UTC
Last seen:2021-07-15 17:47:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 384:hXfX7njloffZDaNFxvk2KFrPevqxc89AoLrs6Ydu1HnRhhDXB6NWq2319SIsRhSc:NXdvNIpcDoL43u1HnRhhDUWbdU
Threatray 95 similar samples on MalwareBazaar
TLSH T159245115FE4A01D9CAB33737F65AE15C02F22EA995229A0746927CC3F94345A4B83F78
Reporter abuse_ch
Tags:exe LimeRAT RAT


Avatar
abuse_ch
LimeRAT C2:
185.185.25.179:8989

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.185.25.179:8989 https://threatfox.abuse.ch/ioc/160686/

Intelligence

File Origin
# of uploads :
2
# of downloads :
965
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172053/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.21246.26264.1864.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a5b60c53-009f-41b8-991b-cc656660a2d0
Result
Threat name:
LimeRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/817084
Signature
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected LimeRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0992a4d0ec2f14a98c9ad100776de019dd99d1054ca4cb1e528cd25c16c32c20/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-07-12 23:08:59 UTC
AV detection:
10 of 46 (21.74%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bgjkjuhmf4kktde22eaho3padhoztuifjssmwhssrtjfyfwdfqqa._file
Verdict:
malicious
Similar samples:
0c0df00ca734c3095b574528532615545f7a357c2d589eee5f463bd8ca90da61
LimeRAT
234e3317d58b6b4c671932800d37983a6565ad868d5b006145df81f6625dc2dc
LimeRAT
258475fb4d0c7c39b4d702172b78d67fc9223792061729543c97d0950c396b5e
LimeRAT
4adcc73ce3501f990fc95bfb0ebca1a4ca61054b137a34c7bc9435cfdd2b7f6a
LimeRAT
510ea584db86799bd496b62e6c3da72c9f01b19527da0496ac6bf9f1ecd1733a
LimeRAT
af14ffe4c3aa39dd8b219ca3cf1757492183c5ac069b507a1d36bb4430057582
LimeRAT
bfe0370dad2b63b1ac752bbc05d524435e1747224daa68a584cb899e46d863ed
LimeRAT
d0af68df07b9f56b092301f3a4cc7d3465ec03bd79943a2cc07e72eefe1c8d21
LimeRAT
e513eb020887dd56e85e55803b1afccb24ae116380947993da2e88a71e97be14
LimeRAT
f65104f0852b7100789837a9a52099a876bc6279f7d2f0d9d74946326cfe915e
LimeRAT
+ 85 additional samples on MalwareBazaar
Result
Malware family:
limerat
Create hunting rule
Score:
  10/10
Tags:
family:limerat rat
Link:
https://tria.ge/reports/210715-t1n5eyhtej/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Executes dropped EXE
LimeRAT
Unpacked files
SH256 hash:
0992a4d0ec2f14a98c9ad100776de019dd99d1054ca4cb1e528cd25c16c32c20
MD5 hash:
6342e5060369d9be13867a74d94d2504
SHA1 hash:
cbebc02db1973167a1fd05d015f1c4813a10930e
Link:
https://www.unpac.me/results/0acbe253-525f-4c10-9588-0a5fd122da2c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/0992a4d0ec2f14a98c9ad100776de019dd99d1054ca4cb1e528cd25c16c32c20

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_LimeRAT
Create hunting rule
Author:ditekSHen
Description:LimeRAT payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/172053/

Comments