MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 46de87ee14fc89de41df979d9de14bd223dbd109d7f9c04eda2641091d6d005b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LimeRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 46de87ee14fc89de41df979d9de14bd223dbd109d7f9c04eda2641091d6d005b
SHA3-384 hash: d2ff02ab115725e5c31b116bafe5833cd724c1adf2c8e70ac93c4b0474a00aaaba60aface328e002cad0456bde9f9e6d
SHA1 hash: b5b8d733ef241a5e57b53c8e809dd5629d4e2a31
MD5 hash: f389bcaede3b4275e90f2d9ff0e50a57
humanhash: foxtrot-kilo-magnesium-november
File name:f389bcaede3b4275e90f2d9ff0e50a57
Download: download sample
Signature LimeRAT
Create hunting rule
File size:43'520 bytes
First seen:2021-10-21 15:10:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 768:gvlORuAap6iU68tDxf128x4wkFvxbRI2FTpmemTOxHW76TQv8fO8i:gvlOxM6iU60VVxBMvrJ/xHW7lD
Threatray 547 similar samples on MalwareBazaar
TLSH T1A2137C4233998636D2EE033FA9E2504523B0D3969662EB1E7AD912DD9C533530F533AF
Reporter zbetcheckin
Tags:32 exe LimeRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
792
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/199119/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.EHH.genEldorado.7507.22348.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a service
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the Windows subdirectories
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Launching a process
Creating a file
Delayed writing of the file
Blocking the Windows Defender launch
Adding exclusions to Windows Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/61718307a9d585e6d5323210/reports/9b7e7c6d-4e3c-4ab0-888b-cc3024c497ad/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/453f0956-8e2b-4f81-898e-0cc57d317d14
Result
Threat name:
LimeRAT
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/874683
Signature
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected LimeRAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 507108 Sample: l9rFKyBjJZ Startdate: 21/10/2021 Architecture: WINDOWS Score: 100 72 Malicious sample detected (through community Yara rule) 2->72 74 Multi AV Scanner detection for submitted file 2->74 76 Yara detected UAC Bypass using CMSTP 2->76 78 6 other signatures 2->78 7 l9rFKyBjJZ.exe 23 9 2->7         started        12 svchost.exe 2->12         started        14 svchost.exe 2->14         started        16 3 other processes 2->16 process3 dnsIp4 66 cdn.discordapp.com 162.159.134.233, 443, 49746, 49747 CLOUDFLARENETUS United States 7->66 58 C:\Windows\Resources\Themes\...\svchost.exe, PE32 7->58 dropped 60 C:\Windows\...\svchost.exe:Zone.Identifier, ASCII 7->60 dropped 62 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 7->62 dropped 80 Creates autostart registry keys with suspicious names 7->80 82 Creates an autostart registry key pointing to binary in C:\Windows 7->82 84 Adds a directory exclusion to Windows Defender 7->84 86 Drops PE files with benign system names 7->86 18 WerFault.exe 7->18         started        21 AdvancedRun.exe 7->21         started        23 powershell.exe 26 7->23         started        29 4 other processes 7->29 68 162.159.129.233, 443, 49752, 49753 CLOUDFLARENETUS United States 12->68 88 System process connects to network (likely due to code injection or exploit) 12->88 90 Drops executables to the windows directory (C:\Windows) and starts them 12->90 31 4 other processes 12->31 70 162.159.133.233, 443, 49748, 49749 CLOUDFLARENETUS United States 14->70 25 powershell.exe 14->25         started        27 powershell.exe 14->27         started        33 3 other processes 14->33 92 Changes security center settings (notifications, updates, antivirus, firewall) 16->92 35 3 other processes 16->35 file5 signatures6 process7 file8 56 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->56 dropped 37 AdvancedRun.exe 21->37         started        40 conhost.exe 23->40         started        42 conhost.exe 25->42         started        44 conhost.exe 27->44         started        46 conhost.exe 29->46         started        48 conhost.exe 29->48         started        50 conhost.exe 29->50         started        54 3 other processes 31->54 52 conhost.exe 33->52         started        process9 dnsIp10 64 192.168.2.1 unknown unknown 37->64
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/46de87ee14fc89de41df979d9de14bd223dbd109d7f9c04eda2641091d6d005b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-10-21 15:11:04 UTC
AV detection:
14 of 27 (51.85%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
2ac91449fd255e02594e29de0f1c66c70fb0ba1af3dd87846ffe3e21503ffb4d
LimeRAT
36b46699b20b4ce357b902c256b8bd938898c79fd0894741173dc67843ec1700
LimeRAT
3866c650a1273493fa16bbd086f8ff0d9e4e57d9646857aace6bf7a32839a06d
LimeRAT
70cb4ed4ee85184589dc4b5bb72dd1313b133b428e6604bde1a7e1da7fb216ae
LimeRAT
954988371d8cebea1a69f2c1a47d50b13b9eb82630e5fbc5069105bd12b7b541
LimeRAT
a397a5fde8ef63a32f7867346eebabd48d1ddf0a60c0d95abf431d9d2c51e017
LimeRAT
c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b
LimeRAT
d642eb17671f269eddc3d1045845374a45eda0a7c3fd197d8b7f6a3355ba01d6
LimeRAT
dcb7cdefcf20a1e8320b1f4e89f0b8ba4e43062da33ba5a4c422cd7b0046630a
LimeRAT
dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7
LimeRAT
f14382a4d215270362d269bff86bbddf1ed085e20c36ae521e70ac85890e5179
LimeRAT
+ 537 additional samples on MalwareBazaar
Result
Malware family:
limerat
Create hunting rule
Score:
  10/10
Tags:
family:limerat evasion persistence rat trojan
Link:
https://tria.ge/reports/211021-skk4msbchn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Windows security modification
Executes dropped EXE
Nirsoft
LimeRAT
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
Windows security bypass
Unpacked files
SH256 hash:
46de87ee14fc89de41df979d9de14bd223dbd109d7f9c04eda2641091d6d005b
MD5 hash:
f389bcaede3b4275e90f2d9ff0e50a57
SHA1 hash:
b5b8d733ef241a5e57b53c8e809dd5629d4e2a31
Link:
https://www.unpac.me/results/ef20210b-8157-4f1e-b333-0bbc31ee4a4c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/46de87ee14fc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/46de87ee14fc89de41df979d9de14bd223dbd109d7f9c04eda2641091d6d005b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LimeRAT

Executable exe 46de87ee14fc89de41df979d9de14bd223dbd109d7f9c04eda2641091d6d005b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1705448/
Cape
Cape
https://www.capesandbox.com/analysis/199119/

Comments


Avatar
zbet commented on 2021-10-21 15:10:16 UTC

url : hxxp://95.217.43.206/~globaltiam/fonts/Lato/new.exe