MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 591a2906dcc822e0137732a6938f0ec84887ebb5f13524f83be179d801f44ab6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LimeRAT


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 591a2906dcc822e0137732a6938f0ec84887ebb5f13524f83be179d801f44ab6
SHA3-384 hash: e175033e54d43aa5f219921c7f168038fd87d8128edaa570413d8321d8a5e49908baa46322fd872d69ca5d837c4e1490
SHA1 hash: db3abd469ffce07b0c456b87c22707030a823de8
MD5 hash: c7071cbc7012b43e2e407c9b5a5726bd
humanhash: robert-colorado-michigan-king
File name:c7071cbc7012b43e2e407c9b5a5726bd.exe
Download: download sample
Signature LimeRAT
Create hunting rule
File size:449'724 bytes
First seen:2022-08-13 06:08:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (389 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 12288:lToPWBv/cpGrU3y4dDGjXt2GMk6Q2pnscEn:lTbBv5rUFDGjtNMk6QnZn
Threatray 457 similar samples on MalwareBazaar
TLSH T1F1A4E002BAC188B2D5B31D725A796B11A93DBD201F65CEDF73C01A6DDA325C0D731BA2
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c070cc9cfecde976 (4 x LimeRAT, 3 x CoinMiner)
Reporter abuse_ch
Tags:exe LimeRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
358
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c7071cbc7012b43e2e407c9b5a5726bd.exe
Verdict:
Malicious activity
Analysis date:
2022-08-13 06:11:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/470c5679-125b-4c39-b76f-3a299b1acb46

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LimeRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/298330/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Sending a custom TCP request
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Launching a tool to kill processes
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/28831/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/62f73fe0c8022caa1abd3bf2/reports/756164b9-e7db-49a4-8bc5-c3eab6e6690f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
LimeRat
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/54968031-6004-4ff5-b0ae-f58640013691
Result
Threat name:
LimeRAT
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1050876
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Disables the Windows task manager (taskmgr)
Drops PE files to the startup folder
Drops VBS files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Drops script at startup location
Sigma detected: Schedule system process
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to resolve many domain names, but no domain seems valid
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Shell Script Host drops VBS files
Yara detected BatToExe compiled binary
Yara detected LimeRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 683386 Sample: ge3kVWxRQX.exe Startdate: 13/08/2022 Architecture: WINDOWS Score: 100 65 mac0s23arch.serveirc.com 2->65 67 ball0t3l11.viewdns.net 2->67 69 89 other IPs or domains 2->69 95 Snort IDS alert for network traffic 2->95 97 Malicious sample detected (through community Yara rule) 2->97 99 Antivirus detection for URL or domain 2->99 105 16 other signatures 2->105 11 ge3kVWxRQX.exe 15 2->11         started        14 wscript.exe 2->14         started        signatures3 101 System process connects to network (likely due to code injection or exploit) 65->101 103 Tries to resolve many domain names, but no domain seems valid 67->103 process4 file5 55 C:\Users\user\AppData\Local\...\winupdate.exe, PE32+ 11->55 dropped 57 C:\Users\user\AppData\Local\...\winlogon.exe, PE32 11->57 dropped 59 C:\Users\user\AppData\...\windowsapp.exe, PE32 11->59 dropped 61 2 other malicious files 11->61 dropped 16 windowsapp.exe 6 11->16         started        process6 signatures7 85 Antivirus detection for dropped file 16->85 87 Multi AV Scanner detection for dropped file 16->87 89 Machine Learning detection for dropped file 16->89 19 cmd.exe 3 10 16->19         started        process8 signatures9 107 Uses cmd line tools excessively to alter registry or file data 19->107 22 winlogon.exe 19->22         started        26 wscript.exe 19->26         started        29 wscript.exe 19->29         started        31 29 other processes 19->31 process10 dnsIp11 43 C:\Users\user\AppData\...\winlogon.exe, PE32 22->43 dropped 109 Antivirus detection for dropped file 22->109 111 Multi AV Scanner detection for dropped file 22->111 113 Machine Learning detection for dropped file 22->113 131 3 other signatures 22->131 33 winlogon.exe 22->33         started        37 schtasks.exe 22->37         started        71 ukseca8425.webhop.me 26->71 73 ukseca8425.viewdns.net 26->73 79 49 other IPs or domains 26->79 45 C:\Users\user\AppData\Roaming\...\backup.vbs, UTF-8 26->45 dropped 115 System process connects to network (likely due to code injection or exploit) 26->115 117 Windows Shell Script Host drops VBS files 26->117 119 Drops VBS files to the startup folder 26->119 121 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 26->121 75 v2pando8k.zapto.org 29->75 77 v2pando8k.viewdns.net 29->77 81 32 other IPs or domains 29->81 47 C:\Users\user\AppData\Roaming\...\main.vbs, UTF-8 29->47 dropped 123 Creates multiple autostart registry keys 29->123 83 3 other IPs or domains 31->83 49 C:\Users\user\AppData\...\Microsoft.exe, PE32+ 31->49 dropped 51 C:\Users\user\AppData\...\winupdate.exe, PE32+ 31->51 dropped 53 C:\Users\user\AppData\Roaming\...\main.vbs, UTF-8 31->53 dropped 125 Drops PE files to the startup folder 31->125 127 Creates an autostart registry key pointing to binary in C:\Windows 31->127 129 Disables the Windows task manager (taskmgr) 31->129 39 Conhost.exe 31->39         started        file12 signatures13 process14 dnsIp15 63 pastebin.com 33->63 91 Protects its processes via BreakOnTermination flag 33->91 41 conhost.exe 37->41         started        signatures16 93 System process connects to network (likely due to code injection or exploit) 63->93 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/591a2906dcc822e0137732a6938f0ec84887ebb5f13524f83be179d801f44ab6/
Threat name:
Win32.Backdoor.LimeRAT
Create hunting rule
Status:
Malicious
First seen:
2022-08-02 05:38:28 UTC
File Type:
PE (Exe)
Extracted files:
29
AV detection:
22 of 25 (88.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lencsbw4zaroae3xgktjhdyozbeip25v6e2sj6b34f45qapujk3a._file
Verdict:
malicious
Similar samples:
0fbf811ae93abb614c13af884bd61a8408948d7a2fe3846641e737b49850b4da
LimeRAT
35b37b30779ff09b08ee04b1a284ec172dbf9767bd6afac8ade45ac09fe186b7
LimeRAT
3b4357ccbe5c7ec75510c453b4b191cf5f076babbf645938d4584ba9bc532e19
LimeRAT
4fc7f1f57853c21506349c98a90fce183a1e68509ea78fbea79e22c13bec4ad2
LimeRAT
5c5894b293a7ea612ffea6f5705fcee4f1e337693c908a36b8c0d523e5cae05d
LimeRAT
988fcf62c41a39cc6a59697c65be84119b52e7b73365064250fe1746b8f88b2b
LimeRAT
e10a201d8b7cb09109715199c099ef24618f50fe09d3c1c6e7abbab79a59d94b
LimeRAT
e51d5a34e88b31078df596dfc8a162c2cd2a0d4e3d3e8228301e3cec9f88d22c
LimeRAT
+ 447 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:limerat family:xmrig evasion miner persistence rat upx
Link:
https://tria.ge/reports/220813-gwfshsedfq/
Behaviour
Creates scheduled task(s)
Kills process with taskkill
Modifies registry class
Modifies registry key
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Loads dropped DLL
Adds policy Run key to start application
Blocklisted process makes network request
Disables Task Manager via registry modification
Downloads MZ/PE file
Executes dropped EXE
Sets file to hidden
UPX packed file
XMRig Miner payload
LimeRAT
xmrig
Unpacked files
SH256 hash:
591a2906dcc822e0137732a6938f0ec84887ebb5f13524f83be179d801f44ab6
MD5 hash:
c7071cbc7012b43e2e407c9b5a5726bd
SHA1 hash:
db3abd469ffce07b0c456b87c22707030a823de8
Link:
https://www.unpac.me/results/17848672-2aae-42e7-89ab-b869e58b7eed/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/591a2906dcc8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/591a2906dcc822e0137732a6938f0ec84887ebb5f13524f83be179d801f44ab6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:win_koadic_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.koadic.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/298330/

Comments