MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75180613894eb3345319cc207d66688e5219035a05e97d330a2397d51cc397c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LimeRAT


Vendor detections: 14


Intelligence 14 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 75180613894eb3345319cc207d66688e5219035a05e97d330a2397d51cc397c6
SHA3-384 hash: 3a6586f558c0c7cca9fc263da2f5abf600ba3f5d0dd03e3046709d47a6bdc59a3806b7f40a3ffc0c93066f5ec9f27cdd
SHA1 hash: 6763106ffdc12cf213f579f72c1c6e8f3272fa9c
MD5 hash: eb9e4955edda276425933aea122f9a84
humanhash: east-hawaii-pizza-uncle
File name:eb9e4955edda276425933aea122f9a84.exe
Download: download sample
Signature LimeRAT
Create hunting rule
File size:48'640 bytes
First seen:2022-09-14 23:35:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7045005ef4130348fa4cbfc30a6f9d04 (1 x LimeRAT, 1 x MimiKatz, 1 x DiskWriter)
ssdeep 768:e7DiMIvhyqeFRKUKPl2+Vf7lWDVkUmg1/oRxf0IbvDOPbPlEnNFqoBc:KiMdzgdoEfskV8Of9bvDI7GDlBc
Threatray 128 similar samples on MalwareBazaar
TLSH T1C523F1A7A074F5F9E0211CF90BD44C8AF9E7B543176557EB40BD63BC8EEA7A0205B482
TrID 56.1% (.EXE) UPX compressed Win64 Executable (70117/5/12)
21.6% (.EXE) UPX compressed Win32 Executable (27066/9/6)
13.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.6% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe LimeRAT RAT


Avatar
abuse_ch
LimeRAT C2:
13.229.238.144:19532

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
13.229.238.144:19532 https://threatfox.abuse.ch/ioc/849796/

Intelligence

File Origin
# of uploads :
1
# of downloads :
423
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
591a2906dcc822e0137732a6938f0ec84887ebb5f13524f83be179d801f44ab6.exe
Verdict:
Malicious activity
Analysis date:
2022-08-15 05:19:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ca522eb7-2c11-41a7-a7a2-1aed28b116be

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/310108/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.30931.14900.12745.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a file
Launching a process
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a process from a recently created file
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Launching a tool to kill processes
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/37672/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
diztakun packed shell32.dll
Link:
https://www.filescan.io/uploads/632265a1b564f001cc87cc18/reports/1eee90f4-623e-4158-9f43-ce41564cb53b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/815123de-51f6-4bf2-a91e-e59b195d38d5
Result
Threat name:
LimeRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1070599
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Disables the Windows task manager (taskmgr)
Drops PE files with a suspicious file extension
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to resolve many domain names, but no domain seems valid
Uses cmd line tools excessively to alter registry or file data
Uses known network protocols on non-standard ports
Yara detected BatToExe compiled binary
Yara detected LimeRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 703141 Sample: IrTwVqhCXg.exe Startdate: 15/09/2022 Architecture: WINDOWS Score: 100 61 v2pando8k.hopto.org 2->61 63 v2pando8k.ddns.net 2->63 65 11 other IPs or domains 2->65 85 Malicious sample detected (through community Yara rule) 2->85 87 Antivirus detection for URL or domain 2->87 89 Antivirus detection for dropped file 2->89 91 12 other signatures 2->91 11 IrTwVqhCXg.exe 6 2->11         started        signatures3 process4 process5 13 cmd.exe 3 11->13         started        signatures6 99 Uses cmd line tools excessively to alter registry or file data 13->99 16 IE.exe 15 13->16         started        20 certutil.exe 18 13->20         started        23 certutil.exe 18 13->23         started        25 10 other processes 13->25 process7 dnsIp8 43 C:\Users\user\AppData\Local\...\winupdate.exe, PE32+ 16->43 dropped 45 C:\Users\user\AppData\...\windowsapp.exe, PE32 16->45 dropped 47 C:\Users\user\AppData\Local\Temp\...\lirb.com, PE32 16->47 dropped 55 2 other malicious files 16->55 dropped 71 Multi AV Scanner detection for dropped file 16->71 73 Machine Learning detection for dropped file 16->73 75 Drops PE files with a suspicious file extension 16->75 27 windowsapp.exe 16->27         started        67 52.77.214.77, 49726, 49730, 49759 AMAZON-02US United States 20->67 49 C:\Users\user\AppData\Local\Temp\IE.exe, PE32 20->49 dropped 51 C:\Users\user\AppData\Local\...\IE[1].exe, PE32 20->51 dropped 53 C:\Users\...\5E0FEB0CD2091970E7F568DD0BEE842F, PE32 20->53 dropped 77 System process connects to network (likely due to code injection or exploit) 20->77 69 pastebin.com 172.67.34.170, 443, 49720, 49721 CLOUDFLARENETUS United States 25->69 79 Disables the Windows task manager (taskmgr) 25->79 file9 signatures10 process11 signatures12 93 Antivirus detection for dropped file 27->93 95 Multi AV Scanner detection for dropped file 27->95 97 Machine Learning detection for dropped file 27->97 30 cmd.exe 27->30         started        process13 signatures14 101 Uses cmd line tools excessively to alter registry or file data 30->101 33 lirb.com 30->33         started        37 irom.com 30->37         started        39 conhost.exe 30->39         started        41 13 other processes 30->41 process15 file16 57 C:\Users\user\AppData\...\winlogon.exe, PE32 33->57 dropped 81 Multi AV Scanner detection for dropped file 33->81 83 Machine Learning detection for dropped file 33->83 59 C:\Users\user\AppData\Roaming\...\main.vbs, UTF-8 37->59 dropped signatures17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/75180613894eb3345319cc207d66688e5219035a05e97d330a2397d51cc397c6/
Threat name:
Win64.Trojan.Diztakun
Create hunting rule
Status:
Malicious
First seen:
2022-08-02 05:38:28 UTC
File Type:
PE+ (Exe)
Extracted files:
3
AV detection:
29 of 41 (70.73%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oumame4jj2ztiuyzzqqh2ztirzjbsa22axux2mykeol5khgds7da._file
Verdict:
malicious
Similar samples:
0c22e8ea0ba6fc4f77bd273a12dd319e991899499b4bea8422d146d447034505
LimeRAT
301a3e665000c99ab655a74dbf9408de24875866528be4f6d28e83490c19305b
LimeRAT
467ad63f6a1235c46806e9da0af33d358e0428c50e8419de415948db720e56ee
LimeRAT
591a2906dcc822e0137732a6938f0ec84887ebb5f13524f83be179d801f44ab6
LimeRAT
6bcf5705424ff9935c6dfd886e666af3cb2da930cfe82b0924b599f682b8f9bf
LimeRAT
8e3b8f65024af32a030d39ff2c8cf2283c4e5bb7904f0792e73703e53181f553
LimeRAT
ce349034ea5373d13d5fa3adaf34a3ecffff799fe9044d4a2c98bd8a16f0e9ed
LimeRAT
+ 118 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:limerat family:xmrig evasion miner persistence rat upx
Link:
https://tria.ge/reports/220914-3lj8vafcfr/
Behaviour
Kills process with taskkill
Modifies registry class
Modifies registry key
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Loads dropped DLL
Adds policy Run key to start application
Blocklisted process makes network request
Disables Task Manager via registry modification
Downloads MZ/PE file
Executes dropped EXE
Sets file to hidden
UPX packed file
XMRig Miner payload
LimeRAT
xmrig
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/cf9b1ddb-f183-459d-b142-3522eedbcffd
Unpacked files
SH256 hash:
8be07d5127dd770a9ddb1a523a2b59098b6f20f4ea72c293c31df939522cf9e5
MD5 hash:
2d264f929c61d482c1846bcf7542e7a0
SHA1 hash:
ed1898b19a1667aac8cba61b89670fe0d50a371c
Link:
https://www.unpac.me/results/6cf271eb-57e2-4f7e-99fa-1d83bdfd33a0/
SH256 hash:
75180613894eb3345319cc207d66688e5219035a05e97d330a2397d51cc397c6
MD5 hash:
eb9e4955edda276425933aea122f9a84
SHA1 hash:
6763106ffdc12cf213f579f72c1c6e8f3272fa9c
Link:
https://www.unpac.me/results/6cf271eb-57e2-4f7e-99fa-1d83bdfd33a0/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/75180613894e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/75180613894eb3345319cc207d66688e5219035a05e97d330a2397d51cc397c6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/310108/

Comments