MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56464850801241284ae026a58bf65cf22d5b7f0800a1058fc84cd6802cf3a7c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LimeRAT


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56464850801241284ae026a58bf65cf22d5b7f0800a1058fc84cd6802cf3a7c9
SHA3-384 hash: 9442995df2bdf1cbd890218738f7d962a88bfab63d918aadb647f4605af26689fe142fe93dab862d841078e35b578dc7
SHA1 hash: 7215c5f8a21e715d932908aa4c640333afac5f1c
MD5 hash: 018f06156f16a08a4689179458972941
humanhash: whiskey-wyoming-colorado-india
File name:56464850801241284AE026A58BF65CF22D5B7F0800A10.exe
Download: download sample
Signature LimeRAT
Create hunting rule
File size:110'592 bytes
First seen:2022-09-17 16:25:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:4siUbw3GIz12qSfX10gzg8wZ29iFparpaaWruERzxaiEacrMtAs8UqDC4RaVRtmy:Jq3GIz12qSfX10gzg8wZ29iFparpaaWM
Threatray 207 similar samples on MalwareBazaar
TLSH T13DB3FD6CE254AE8EDF0E39F1CC691298FA5860A13BA190A4ABFC0C153F56CED41D457F
TrID 48.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
20.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.6% (.SCR) Windows screen saver (13101/52/3)
6.9% (.EXE) Win64 Executable (generic) (10523/12/4)
4.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter abuse_ch
Tags:exe LimeRAT RAT


Avatar
abuse_ch
LimeRAT C2:
13.229.238.144:11069

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
13.229.238.144:11069 https://threatfox.abuse.ch/ioc/850228/

Intelligence

File Origin
# of uploads :
1
# of downloads :
472
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
limerat
Create hunting rule
ID:
1
File name:
56464850801241284AE026A58BF65CF22D5B7F0800A10.exe
Verdict:
Malicious activity
Analysis date:
2022-09-17 16:27:08 UTC
Tags:
trojan limerat rat
Link:
https://app.any.run/tasks/c498c26b-6c02-48fe-8876-2685b04390f3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/310962/
Detection(s):
Win.Malware.Barys-6836745-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Creating a window
Creating a file in the %temp% directory
Using the Windows Management Instrumentation requests
Enabling the 'hidden' option for recently created files
Creating a file in the %AppData% subdirectories
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Query of malicious DNS domain
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
LimeRat
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/882abc74-630b-446b-8ca3-83aeeb0fb291
Result
Threat name:
LimeRAT
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1072290
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Creates multiple autostart registry keys
Drops PE files with benign system names
Drops VBS files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (has network functionality)
Protects its processes via BreakOnTermination flag
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Drops script at startup location
Sigma detected: LimeRAT
Sigma detected: Schedule system process
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Shell Script Host drops VBS files
Yara detected Generic Downloader
Yara detected LimeRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 704832 Sample: 56464850801241284AE026A58BF... Startdate: 17/09/2022 Architecture: WINDOWS Score: 100 70 rinot972.viewdns.net 2->70 72 ut8apha9.servepics.com 2->72 74 85 other IPs or domains 2->74 90 Snort IDS alert for network traffic 2->90 92 Multi AV Scanner detection for domain / URL 2->92 94 Malicious sample detected (through community Yara rule) 2->94 98 18 other signatures 2->98 9 56464850801241284AE026A58BF65CF22D5B7F0800A10.exe 3 7 2->9         started        13 wscript.exe 2->13         started        15 wscript.exe 2->15         started        17 6 other processes 2->17 signatures3 96 System process connects to network (likely due to code injection or exploit) 72->96 process4 file5 60 C:\Users\user\AppData\Roaming\svchost.exe, PE32 9->60 dropped 62 C:\Users\user\AppData\Roaming\t.vbs, ASCII 9->62 dropped 64 56464850801241284A...5B7F0800A10.exe.log, ASCII 9->64 dropped 118 Potential malicious VBS script found (has network functionality) 9->118 120 Drops PE files with benign system names 9->120 19 svchost.exe 4 9->19         started        23 wscript.exe 3 3 9->23         started        25 wscript.exe 3 3 9->25         started        27 wscript.exe 13->27         started        signatures6 process7 file8 50 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32 19->50 dropped 100 Antivirus detection for dropped file 19->100 102 Multi AV Scanner detection for dropped file 19->102 104 Machine Learning detection for dropped file 19->104 114 4 other signatures 19->114 29 svchost.exe 19->29         started        34 schtasks.exe 19->34         started        52 C:\Users\user\AppData\Roaming\...\t.vbs, ASCII 23->52 dropped 54 C:\Users\user\AppData\Local\Temp\t.vbs, ASCII 23->54 dropped 106 System process connects to network (likely due to code injection or exploit) 23->106 108 Potential malicious VBS script found (has network functionality) 23->108 110 Windows Shell Script Host drops VBS files 23->110 116 2 other signatures 23->116 36 wscript.exe 8 23->36         started        56 C:\Users\user\AppData\Roaming\...\z.vbs, UTF-8 25->56 dropped 58 C:\Users\user\AppData\Local\Temp\z.vbs, UTF-8 25->58 dropped 112 Creates multiple autostart registry keys 25->112 38 wscript.exe 8 25->38         started        signatures9 process10 dnsIp11 84 2 other IPs or domains 29->84 66 C:\Users\user\AppData\...\Interop.Shell32.dll, PE32 29->66 dropped 68 C:\Users\user\AppData\Roaming\...\IconLib.dll, PE32 29->68 dropped 122 Antivirus detection for dropped file 29->122 124 System process connects to network (likely due to code injection or exploit) 29->124 126 Multi AV Scanner detection for dropped file 29->126 128 3 other signatures 29->128 40 MSBuild.exe 29->40         started        42 MSBuild.exe 29->42         started        44 MSBuild.exe 29->44         started        46 MSBuild.exe 29->46         started        48 conhost.exe 34->48         started        76 rinot972.viewdns.net 36->76 78 rinot972.sytes.net 36->78 86 65 other IPs or domains 36->86 80 rinot972.sytes.net 38->80 82 rinot972.servequake.com 38->82 88 52 other IPs or domains 38->88 file12 signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/56464850801241284ae026a58bf65cf22d5b7f0800a1058fc84cd6802cf3a7c9/
Threat name:
ByteCode-MSIL.Backdoor.LimeRAT
Create hunting rule
Status:
Malicious
First seen:
2021-05-12 18:36:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
28 of 40 (70.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kzdequeacjasqsxae2syx5s46iwvw7yiacqqld6ijtlialhtu7eq._file
Verdict:
malicious
Similar samples:
258475fb4d0c7c39b4d702172b78d67fc9223792061729543c97d0950c396b5e
LimeRAT
25c6683580fed956729b416652583cae152d42d952cacfbfd4b4568850882a6b
LimeRAT
4e658159df74c5e24e1548f5304b1bc881f7986bf43fb687c07e8f5fb531108d
LimeRAT
510ea584db86799bd496b62e6c3da72c9f01b19527da0496ac6bf9f1ecd1733a
LimeRAT
ab2c8fb5e140567a6e8e55c89138d5faa0ef5e6f2731be3c30561a8ce9e43d29
LimeRAT
af14ffe4c3aa39dd8b219ca3cf1757492183c5ac069b507a1d36bb4430057582
LimeRAT
c84782e66c1a3f6ce2982375014caf93e1a60ddeb56c8c1a1a7e5e4ddcdd89c3
LimeRAT
e513eb020887dd56e85e55803b1afccb24ae116380947993da2e88a71e97be14
LimeRAT
f090ea218b1b9efedee6bae4665c1066649dc0fb94542467a56ae5a0a2c693e0
LimeRAT
+ 197 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:limerat family:xmrig evasion miner persistence rat upx
Link:
https://tria.ge/reports/220917-txh1gsaad5/
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Modifies registry class
Modifies registry key
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Disables Task Manager via registry modification
Downloads MZ/PE file
Executes dropped EXE
Sets file to hidden
UPX packed file
XMRig Miner payload
LimeRAT
xmrig
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3deb4586-40aa-465c-8cf6-d460c65a6292
Unpacked files
SH256 hash:
56464850801241284ae026a58bf65cf22d5b7f0800a1058fc84cd6802cf3a7c9
MD5 hash:
018f06156f16a08a4689179458972941
SHA1 hash:
7215c5f8a21e715d932908aa4c640333afac5f1c
Detections:
win_houdini_a1
Create hunting rule
Link:
https://www.unpac.me/results/301080d8-a21c-4e1e-b861-78a432bbc546/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/56464850801241284ae026a58bf65cf22d5b7f0800a1058fc84cd6802cf3a7c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_LimeRAT
Create hunting rule
Author:ditekSHen
Description:LimeRAT payload
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:RansomwareTest3
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest4
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest5
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest6
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_limerat_j1_00cfd931
Create hunting rule
Author:Johannes Bader
Description:detects the lime rat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/310962/

Comments