MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76d7d7044e6beb5929cadd2ebfa7a31c332db80f19f2a8e8126a4ef8fc15b64d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LimeRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 76d7d7044e6beb5929cadd2ebfa7a31c332db80f19f2a8e8126a4ef8fc15b64d
SHA3-384 hash: 9fbf20290566c8a8980bc2f20042151b23ac2162ab982f468c5db4380755a326cc56736e17eccfc474339b584b3f5f7a
SHA1 hash: b5fb38c347015a1cfb8ae0c02585baa5cc15a988
MD5 hash: ffd36e6fb0fc169f17d20cf2a80fce05
humanhash: uncle-quiet-alanine-tennis
File name:ffd36e6fb0fc169f17d20cf2a80fce05
Download: download sample
Signature LimeRAT
Create hunting rule
File size:872'960 bytes
First seen:2021-07-15 14:48:17 UTC
Last seen:2021-07-15 17:47:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:wbjg8Sa8fJN1I7y3Q6Jl5SHAA7NUxwIoWE:Gg8YBN1Ie3QC5WbNO
Threatray 2'114 similar samples on MalwareBazaar
TLSH T1A205E1213784BF8FCB3E4DB6D522181493E0C527220BE7967CE361DD158EA5987226FE
Reporter zbetcheckin
Tags:32 exe LimeRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
942
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ffd36e6fb0fc169f17d20cf2a80fce05
Verdict:
Malicious activity
Analysis date:
2021-07-15 14:51:38 UTC
Tags:
trojan limerat rat
Link:
https://app.any.run/tasks/fa0362b4-c5fd-42ba-999d-d41f702af3da

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
LimeRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/172025/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.17297.28534.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
LimeRat
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c55f3cfd-15b1-42f0-b0dc-1bd2f3e67f3f
Result
Threat name:
LimeRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/816999
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected LimeRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/76d7d7044e6beb5929cadd2ebfa7a31c332db80f19f2a8e8126a4ef8fc15b64d/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-15 14:49:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
22 of 46 (47.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=o3l5obconpvvskok3uxl7j5ddqzs3oapdhzkr2asnjhpr7avwzgq._file
Verdict:
malicious
Similar samples:
10adbd71341f29b48d9e0c0d89ce21e1cd8ffcd04898026e64b4a22d87a1d85e
LimeRAT
15008ec3816e2a10d985e9763ac5d64bbc70ddaee7dc0db5686dca17a466045d
LimeRAT
2352a7cd00ed5221c4b807670ca01f49f76beb5dea868d8db38b1fcc0e362c18
LimeRAT
29de5551fec97c48913146a38aaff2e78e6c244ab88174820efad94137b004b8
LimeRAT
79255c42f294568c0f78bc7afbd04c799cf752ea6f86cff304cce9058b093a90
LimeRAT
b3b54e5b4b3bbaec85cb89db4238cbb040b5f1a6edf4187c0801d338972a230a
LimeRAT
c2789581cd578f5d0d40e0d774ace1ac3ce93793b20d12eca3136a83e1d67ce2
LimeRAT
cc88bd3a08611e1f813dc1a9885ca7cee62e0c6fba330d9f8dad89f01e319b2b
LimeRAT
dc5458e66a8c76f55a5f490f5c9d12ea6e92a67c6ed74dbe40ca066a149d1659
LimeRAT
f65380b77182c188bd25712de5f3cb1448abd8e0c42d249aa6992aa38571d786
LimeRAT
+ 2'104 additional samples on MalwareBazaar
Result
Malware family:
limerat
Create hunting rule
Score:
  10/10
Tags:
family:limerat rat
Link:
https://tria.ge/reports/210715-23gldm7k32/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
LimeRAT
Unpacked files
SH256 hash:
080ec31389e98315475adc11c61e26a83b5d6ea4182d1c8f8aeade77aac3acab
MD5 hash:
43088761d9c5c9e20810c3862310156e
SHA1 hash:
fc1d2202790156f89be68b28c9e646c6ba289aae
Link:
https://www.unpac.me/results/d88e6e2b-f5a4-4bbf-bf7e-c8cf9afada14/
SH256 hash:
82a4065578bf324c5a382d4e43510bfe37dc2d4accaa25792aecea77c7387714
MD5 hash:
ecff0ff8f308ad9a7ab4e8d8c6632f1f
SHA1 hash:
b2149cd8ad0767e9ee467d85f7f5d97494ecb07a
Link:
https://www.unpac.me/results/d88e6e2b-f5a4-4bbf-bf7e-c8cf9afada14/
SH256 hash:
76d7d7044e6beb5929cadd2ebfa7a31c332db80f19f2a8e8126a4ef8fc15b64d
MD5 hash:
ffd36e6fb0fc169f17d20cf2a80fce05
SHA1 hash:
b5fb38c347015a1cfb8ae0c02585baa5cc15a988
Link:
https://www.unpac.me/results/d88e6e2b-f5a4-4bbf-bf7e-c8cf9afada14/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/76d7d7044e6beb5929cadd2ebfa7a31c332db80f19f2a8e8126a4ef8fc15b64d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_LimeRAT
Create hunting rule
Author:ditekSHen
Description:LimeRAT payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LimeRAT

Executable exe 76d7d7044e6beb5929cadd2ebfa7a31c332db80f19f2a8e8126a4ef8fc15b64d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1456754/
Cape
Cape
https://www.capesandbox.com/analysis/172025/

Comments


Avatar
zbet commented on 2021-07-15 14:48:18 UTC

url : hxxp://198.12.91.134/cvc/vbc.exe