MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4364a60cc5f7039a24528452680648850d7b3f434c25892d1b3b5e5aa14898fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LimeRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4364a60cc5f7039a24528452680648850d7b3f434c25892d1b3b5e5aa14898fb
SHA3-384 hash: b997258dbcbafd5cfb1c2844fa902a362db61f325ed160b5bc4e6488f46ba69ddb090eef04f5aae729ea9004ab2b76db
SHA1 hash: 47c8771519cbd4b457cabfcf2fa875d469517b9f
MD5 hash: 1b5eb1128b75b15cc036cf563c0cad70
humanhash: chicken-alaska-sink-pennsylvania
File name:IMAGEN DETALLDA FOTO COMPARENDO ESTABLEDICO ACTA DE COMPARENDOS #2023-9996659-663201259-9659-JPG.vbs
Download: download sample
Signature LimeRAT
Create hunting rule
File size:218'704 bytes
First seen:2023-06-29 12:52:20 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 3072:u5d6525555555e555555555555p55550uS555tE:D
Threatray 485 similar samples on MalwareBazaar
TLSH T1EA24811232E6112571B23B9DAFB2D1744B1BBB995A7E833D19FC250A0FE390084E57B7
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter 0xToxin
Tags:APT-C-36 BlindEagle bogota2023-duckdns-org LimeRAT NjRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
238
Origin country :
IL IL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/403766/
Detection(s):
SecuriteInfo.com.Script.SNH-gen.7383.8136.UNOFFICIAL
Create hunting rule

Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/649d7eaf313e9da61a5be1da/reports/22692c02-5314-4755-9e5a-62de46f17ac3/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/4364a60cc5f7039a24528452680648850d7b3f434c25892d1b3b5e5aa14898fb
Result
Verdict:
UNKNOWN
Result
Threat name:
Njrat, PasteDownloader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1263247
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Suspicious powershell command line found
Uses dynamic DNS services
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript called in batch mode (surpress errors)
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Yara detected Njrat
Yara detected PasteDownloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 896277 Sample: IMAGEN_DETALLDA_FOTO_COMPAR... Startdate: 29/06/2023 Architecture: WINDOWS Score: 100 65 Snort IDS alert for network traffic 2->65 67 Multi AV Scanner detection for domain / URL 2->67 69 Found malware configuration 2->69 71 12 other signatures 2->71 10 wscript.exe 1 2->10         started        13 powershell.exe 11 2->13         started        process3 signatures4 83 VBScript performs obfuscated calls to suspicious functions 10->83 85 Suspicious powershell command line found 10->85 87 Wscript starts Powershell (via cmd or directly) 10->87 15 powershell.exe 7 10->15         started        89 Wscript called in batch mode (surpress errors) 13->89 18 wscript.exe 1 13->18         started        20 conhost.exe 1 13->20         started        process5 signatures6 91 Suspicious powershell command line found 15->91 93 Found suspicious powershell code related to unpacking or dynamic code loading 15->93 95 Wscript called in batch mode (surpress errors) 15->95 22 powershell.exe 14 17 15->22         started        26 conhost.exe 15->26         started        97 Wscript starts Powershell (via cmd or directly) 18->97 28 powershell.exe 7 18->28         started        process7 dnsIp8 51 pastebin.com 104.20.67.143, 443, 49715, 49717 CLOUDFLARENETUS United States 22->51 53 wtools.io 104.21.6.247, 443, 49718, 49724 CLOUDFLARENETUS United States 22->53 55 2 other IPs or domains 22->55 77 Writes to foreign memory regions 22->77 79 Injects a PE file into a foreign processes 22->79 30 InstallUtil.exe 2 2 22->30         started        33 powershell.exe 13 22->33         started        81 Suspicious powershell command line found 28->81 36 powershell.exe 15 28->36         started        39 conhost.exe 28->39         started        signatures9 process10 dnsIp11 57 bogota2023.duckdns.org 46.246.6.11, 1111, 49720, 49726 PORTLANEwwwportlanecomSE Sweden 30->57 41 cmd.exe 30->41         started        49 IMAGEN_DETALLDA_FO...201259-9659-JPG.vbs, Unicode 33->49 dropped 59 188.114.96.7, 443, 49722 CLOUDFLARENETUS European Union 36->59 61 104.20.68.143, 443, 49721, 49723 CLOUDFLARENETUS United States 36->61 63 4 other IPs or domains 36->63 73 Writes to foreign memory regions 36->73 75 Injects a PE file into a foreign processes 36->75 43 powershell.exe 36->43         started        45 InstallUtil.exe 36->45         started        file12 signatures13 process14 process15 47 conhost.exe 41->47         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4364a60cc5f7039a24528452680648850d7b3f434c25892d1b3b5e5aa14898fb/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-06-29 12:53:05 UTC
File Type:
Text (VBS)
AV detection:
1 of 37 (2.70%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=inskmdgf64bzujcsqrjgqbsiqugxwp2djqsysli3hnpfvikitd5q._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
12e9242c40c20b40705862e8a09df9fc1f99f884f1899bebfe25310f9903a912
LimeRAT
65439e1ba65950fc678c09e45679444e67d02ace8bb4fbb6f7ac4dc1d12138e9
LimeRAT
77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1
LimeRAT
888dc17f63eb7b61713327994a126c3ce5ca2b69e2643c8f6b7caa34235e972f
LimeRAT
b3bf0d040723a646920394e69b341d5f686bdbee4f5ac2c7e62b5e919b1c8bef
LimeRAT
d1ad6abb5feb3bbd44fb42596c68273d2dfbf0d73516c0bc720d7e67a81e5670
LimeRAT
ddbf87c038a937be2bd32363fb8f00b6dba1da698312ea5d989c02e0e727671c
LimeRAT
f401d3eaa05785e0a1516f45eeebe598f3d660fcb48a217fdb24a3c2777c8ed5
LimeRAT
+ 475 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:nyan cat trojan
Link:
https://tria.ge/reports/230629-p4l89sdh4x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Blocklisted process makes network request
njRAT/Bladabindi
Malware Config
C2 Extraction:
bogota2023.duckdns.org:1111
Dropper Extraction:
https://pastebin.com/raw/dstpKjTz
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4364a60cc5f7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
LimeRAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4364a60cc5f7039a24528452680648850d7b3f434c25892d1b3b5e5aa14898fb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_VBS_Wscript_Shell
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the definition of 'Wscript.Shell' which is often used by Malware, FPs are possible and commmon

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/403766/

Comments