MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c804b99b58ac30b0a4715dfc795c88d835513e1cf64c650c351976968e826a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LimeRAT


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7c804b99b58ac30b0a4715dfc795c88d835513e1cf64c650c351976968e826a8
SHA3-384 hash: 37a1276d5008c907500f373e9c48ed182490107f038e3443aa7fe77b36d8e69830921aba38a9b1ddc22556a71c3aaec2
SHA1 hash: 0861c8d70ff18b865c2c9660867ef890b37c2ab9
MD5 hash: 9b14bd5ca74e097f8f7859c079056589
humanhash: tango-mockingbird-bluebird-illinois
File name:7C804B99B58AC30B0A4715DFC795C88D835513E1CF64C.exe
Download: download sample
Signature LimeRAT
Create hunting rule
File size:29'696 bytes
First seen:2022-04-27 22:36:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 768:ttA2gFuvqKrVCYhgQ1o+oVk8vm5Ua7qW3V2jy:fNgwvqKIYhgQGZOrOPj
Threatray 2'410 similar samples on MalwareBazaar
TLSH T19BD26C487BE1636CC1DC4AB50BA2616B0DB15E1B893BDB1F0CC874961B7B6C98B41BF1
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13101/52/3)
8.6% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags:exe LimeRAT RAT


Avatar
abuse_ch
LimeRAT C2:
54.89.47.234:4782

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
54.89.47.234:4782 https://threatfox.abuse.ch/ioc/536961/

Intelligence

File Origin
# of uploads :
1
# of downloads :
669
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/267327/
Detection(s):
Win.Malware.Barys-6836745-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Creating a file
Creating a window
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm barys coinminer greyware limerat obfuscated packed regasm.exe replace.exe schtasks.exe
Link:
https://www.filescan.io/uploads/6269c5900d3e2bd52d0d2c6f/reports/47b5c461-73f7-414a-b12a-89609e68901f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
LimeRat
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7ef845f3-4639-4d83-84b6-a7873f4b3209
Result
Threat name:
LimeRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/984389
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected LimeRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 616885 Sample: 7C804B99B58AC30B0A4715DFC79... Startdate: 28/04/2022 Architecture: WINDOWS Score: 100 32 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->32 34 Found malware configuration 2->34 36 Malicious sample detected (through community Yara rule) 2->36 38 13 other signatures 2->38 7 7C804B99B58AC30B0A4715DFC795C88D835513E1CF64C.exe 3 2->7         started        11 Windows Security Health Serviceexe.exe 20 7 2->11         started        process3 dnsIp4 20 C:\...\Windows Security Health Serviceexe.exe, PE32 7->20 dropped 22 7C804B99B58AC30B0A...5513E1CF64C.exe.log, ASCII 7->22 dropped 40 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->40 42 Uses schtasks.exe or at.exe to add and modify task schedules 7->42 44 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->44 14 schtasks.exe 1 7->14         started        16 Windows Security Health Serviceexe.exe 1 7->16         started        26 54.89.47.234, 4782, 49741 AMAZON-AESUS United States 11->26 28 pastebin.com 172.67.34.170, 443, 49740 CLOUDFLARENETUS United States 11->28 30 192.168.2.1 unknown unknown 11->30 24 C:\Users\user\AppData\Roaming\IconLib.dll, PE32 11->24 dropped 46 Protects its processes via BreakOnTermination flag 11->46 file5 signatures6 process7 process8 18 conhost.exe 14->18         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7c804b99b58ac30b0a4715dfc795c88d835513e1cf64c650c351976968e826a8/
Threat name:
ByteCode-MSIL.Backdoor.LimeRAT
Create hunting rule
Status:
Malicious
First seen:
2022-03-22 06:44:37 UTC
File Type:
PE (.Net Exe)
AV detection:
39 of 42 (92.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=psaexgnvrlbqwcshcxp4pfoirwbvke7bz5smmugdkglws2hie2ua._file
Verdict:
malicious
Similar samples:
25c6683580fed956729b416652583cae152d42d952cacfbfd4b4568850882a6b
LimeRAT
2db5ed9ab6a2d81ca49933178f01d0e27455df3a113ba61e48dee0622a82a2c3
LimeRAT
4e86f84ad8430cadbfcd160b3efc18a81f24b027d3c3a35e96798bb8df06eabd
LimeRAT
57a08a9176c41262cf25a6294d7a1aebf712835eb5d64876846e1aae46d19b0d
LimeRAT
7c804b99b58ac30b0a4715dfc795c88d835513e1cf64c650c351976968e826a8
LimeRAT
a645b7b13ef04445fce49982d2eed6d8335ce0355a43e849909e14ea228588d8
LimeRAT
c2db825f5c24b3e27fba50ad8e93c2319526d65be85604b285faa7a92ff891a5
LimeRAT
d632c85338f64894158dcc17ee01ea7f4d338916ced96e1c1b572d843d15e1c1
LimeRAT
f46f42d48bccbc1ddf2758cac437b81e6d6c6d3e920d29ef2cbe627cc6a5f89f
LimeRAT
+ 2'400 additional samples on MalwareBazaar
Result
Malware family:
limerat
Create hunting rule
Score:
  10/10
Tags:
family:limerat rat
Link:
https://tria.ge/reports/220427-2jslrsafg7/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Loads dropped DLL
Uses the VBS compiler for execution
Executes dropped EXE
LimeRAT
Unpacked files
SH256 hash:
7c804b99b58ac30b0a4715dfc795c88d835513e1cf64c650c351976968e826a8
MD5 hash:
9b14bd5ca74e097f8f7859c079056589
SHA1 hash:
0861c8d70ff18b865c2c9660867ef890b37c2ab9
Link:
https://www.unpac.me/results/b706169a-f543-4c44-abd3-17de2565efe2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7c804b99b58ac30b0a4715dfc795c88d835513e1cf64c650c351976968e826a8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_LimeRAT
Create hunting rule
Author:ditekSHen
Description:LimeRAT payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/267327/

Comments