MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 510ea584db86799bd496b62e6c3da72c9f01b19527da0496ac6bf9f1ecd1733a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LimeRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 510ea584db86799bd496b62e6c3da72c9f01b19527da0496ac6bf9f1ecd1733a
SHA3-384 hash: 3d54c29d503c775b395221b83c8e872008ab0ed0abe1984056228978a681ce60861593c4099eb4960fec02308332d9c7
SHA1 hash: 81531f122b78626d8a28ff68e15e84336aa92a1b
MD5 hash: c35e51d525e66e7e59220c0620187710
humanhash: september-ack-stream-robin
File name:c35e51d525e66e7e59220c0620187710.exe
Download: download sample
Signature LimeRAT
Create hunting rule
File size:837'632 bytes
First seen:2021-03-25 09:53:57 UTC
Last seen:2021-03-25 12:08:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'752 x AgentTesla, 19'658 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 6144:A/5mzlLGkU8p7PdZmebSIrc2Mc4/sQ1avm39fbVPTXAlfdgMjiA0074qncVi/sQM:iivZisQ1Cm3tJUlpjn0074qnc4/8XR
Threatray 565 similar samples on MalwareBazaar
TLSH 53052B9124E8DD91C421ACF8CC5BDFF237568DA38790D7E636BCE4792177B9AD00242A
Reporter abuse_ch
Tags:exe LimeRAT RAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
805
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c35e51d525e66e7e59220c0620187710.exe
Verdict:
Malicious activity
Analysis date:
2021-03-25 10:00:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f775d96a-7162-4de2-943c-0b31ff643ee5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.ArtemisC35E51D525E6.2497.1631.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
LimeRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/653667
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Connects to a pastebin service (likely for C&C)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected LimeRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 375775 Sample: rgGyG2iLnd.exe Startdate: 25/03/2021 Architecture: WINDOWS Score: 100 60 79.134.225.22, 49722, 49723, 49726 FINK-TELECOM-SERVICESCH Switzerland 2->60 62 pastebin.com 104.23.99.190, 443, 49721 CLOUDFLARENETUS United States 2->62 68 Multi AV Scanner detection for dropped file 2->68 70 Sigma detected: Scheduled temp file as task from temp location 2->70 72 Multi AV Scanner detection for submitted file 2->72 74 7 other signatures 2->74 10 rgGyG2iLnd.exe 7 2->10         started        14 698657.exe 2->14         started        signatures3 process4 file5 52 C:\Users\user\AppData\Roaming\bmGpyIenY.exe, PE32 10->52 dropped 54 C:\Users\...\bmGpyIenY.exe:Zone.Identifier, ASCII 10->54 dropped 56 C:\Users\user\AppData\Local\...\tmpE963.tmp, XML 10->56 dropped 58 C:\Users\user\AppData\...\rgGyG2iLnd.exe.log, ASCII 10->58 dropped 76 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 10->76 78 Uses schtasks.exe or at.exe to add and modify task schedules 10->78 80 Adds a directory exclusion to Windows Defender 10->80 16 rgGyG2iLnd.exe 10->16         started        20 powershell.exe 24 10->20         started        22 powershell.exe 26 10->22         started        24 schtasks.exe 1 10->24         started        82 Multi AV Scanner detection for dropped file 14->82 84 Machine Learning detection for dropped file 14->84 86 Injects a PE file into a foreign processes 14->86 signatures6 process7 file8 50 C:\Users\user\AppData\Roaming\...\698657.exe, PE32 16->50 dropped 66 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->66 26 698657.exe 16->26         started        30 schtasks.exe 16->30         started        32 conhost.exe 20->32         started        34 conhost.exe 22->34         started        36 conhost.exe 24->36         started        signatures9 process10 dnsIp11 64 192.168.2.1 unknown unknown 26->64 88 Adds a directory exclusion to Windows Defender 26->88 38 powershell.exe 26->38         started        40 schtasks.exe 26->40         started        42 powershell.exe 26->42         started        44 conhost.exe 30->44         started        46 conhost.exe 30->46         started        signatures12 process13 process14 48 conhost.exe 38->48         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/510ea584db86799bd496b62e6c3da72c9f01b19527da0496ac6bf9f1ecd1733a/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kehklbg3qz4zxvewwyxgypnhfspqdmmve7najfvmnp47d3grom5a._file
Verdict:
malicious
Similar samples:
03f5b9544b3bb2db290e54dfe203f425374d973ac225df52a7cb29adc7998726
LimeRAT
1812bb921f5b81fdff4fa4975dd319eee7c773ca54acfd07a62c052aa34a57df
LimeRAT
2aa2a644cc059d9314a783e295e4c35102ffce374e2bf1b49f8fb8631ffdbb65
LimeRAT
3fcfdfcf1b6e70b28e91b0f0899bd4a745265c9f0ed1963249aa9b2dab14bd68
LimeRAT
527263a08f7ed967a2ef04b5eb127dfe923afbde7eb71a7781206eabcf7b8c4c
LimeRAT
867ec49152a23a8e5ea628a48ec1810db588a716b922e6d1c8e7c45116908d24
LimeRAT
8a37e226e4756170421ab6a6667b6771049a7104e7b5b505562df8ba2d2171a1
LimeRAT
a730154eedce8c175f18e82c1102e01a7ee94fd74cbee7df85b473233ea764e6
LimeRAT
c5bfbac52396976e672116e5fb07d6cae05d2b07b749d08283a26bcf29677dbe
LimeRAT
e484dd89ca41783addc420ae8b28e965997644a1bd7a9af1485dc239f21e2ac6
LimeRAT
+ 555 additional samples on MalwareBazaar
Result
Malware family:
limerat
Create hunting rule
Score:
  10/10
Tags:
family:limerat rat
Link:
https://tria.ge/reports/210325-n556lth55s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Maps connected drives based on registry
Loads dropped DLL
Executes dropped EXE
LimeRAT
Unpacked files
SH256 hash:
c22b9993fd6abea236edcc1bf476bcd4a09015b4af09eedf660a43bf3d29a16f
MD5 hash:
1d1234ba19c430923b22f531bb19b369
SHA1 hash:
9868c1e97a3be16100a61b5ee1f7d2838b4782a8
Link:
https://www.unpac.me/results/d15fbf39-8175-4a79-9e5c-7466b1d539c6/
SH256 hash:
510ea584db86799bd496b62e6c3da72c9f01b19527da0496ac6bf9f1ecd1733a
MD5 hash:
c35e51d525e66e7e59220c0620187710
SHA1 hash:
81531f122b78626d8a28ff68e15e84336aa92a1b
Link:
https://www.unpac.me/results/d15fbf39-8175-4a79-9e5c-7466b1d539c6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/510ea584db86799bd496b62e6c3da72c9f01b19527da0496ac6bf9f1ecd1733a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_LimeRAT
Create hunting rule
Author:ditekSHen
Description:LimeRAT payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LimeRAT

Executable exe 510ea584db86799bd496b62e6c3da72c9f01b19527da0496ac6bf9f1ecd1733a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1077478/
  
Delivery method
Distributed via web download

Comments