MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d900c842228164a450c070b49db71709f73aab97f548167e79742f505e2edc7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LimeRAT


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7d900c842228164a450c070b49db71709f73aab97f548167e79742f505e2edc7
SHA3-384 hash: 0b3040e2abfb5d84f5b43e0a1506f61e3c3b4f02397d4f6e456b62f97d6f3898c1aa9af70b1dae2516aa8d844726a4b2
SHA1 hash: e7faaf6695ac2c30dbda38e576e6f50eaa04127a
MD5 hash: 90091c8c9c69b12fe47cee45e5090bf9
humanhash: diet-summer-delta-artist
File name:90091c8c9c69b12fe47cee45e5090bf9.exe
Download: download sample
Signature LimeRAT
Create hunting rule
File size:1'180'160 bytes
First seen:2021-07-29 13:25:51 UTC
Last seen:2021-07-29 13:45:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:e4S/d3uKzksuksSmmRBhZfyrBvEiomcy8jh8N6ZNXZ:dKLmCZMBvEirc+N6ZNX
Threatray 101 similar samples on MalwareBazaar
TLSH T1F245D024C98C9FA6CC1C03740AA446385EF5ADE2F270D8AC3D8D75B177F191AEAB6345
dhash icon c4b4e6e69898d2c4 (11 x Formbook, 11 x AgentTesla, 4 x NanoCore)
Reporter abuse_ch
Tags:exe LimeRAT RAT


Avatar
abuse_ch
LimeRAT C2:
79.134.225.16:5657

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
79.134.225.16:5657 https://threatfox.abuse.ch/ioc/163785/

Intelligence

File Origin
# of uploads :
2
# of downloads :
889
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
vbc.exe
Verdict:
Malicious activity
Analysis date:
2021-07-29 12:12:28 UTC
Tags:
trojan limerat rat
Link:
https://app.any.run/tasks/4f5cd5a8-795d-4e4c-bded-c4691c1fb847

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175034/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.967.2809.26518.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
LimeRat
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e3b8e87a-9240-43c3-b4e0-320099ad45c8
Result
Threat name:
LimeRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/823841
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Suspicious Process Start Without DLL
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected LimeRAT
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-29 08:52:04 UTC
AV detection:
18 of 27 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pwiazbbcfaleurima4futw3rocpxhkvzp5kicz7hs5bpkbpc5xdq._file
Verdict:
malicious
Similar samples:
00d52b668be725580bf1233a8bc805f62831f96ca8f7cf50807cd3481727981a
LimeRAT
1af0cf5441051d2de05b123c9dfe4a5ebfd368cd6ad0e7ea0556b282c24d4d0f
LimeRAT
285643b564416a5b6f530cbbf6d5f1e9d35b4a20c73a0c141c436199b9bfef7b
LimeRAT
2a3c5d424e042d82f295aba4197bc052355cbea30b0fa9c419a1cd7fb6c2bc31
LimeRAT
4ad1b97726ab2997e005315ac60899acf31c96458d3c5c4137f2999d9fbabc83
LimeRAT
6b0f6ed4f13b5d6c7b973bd22941de1535ae580960940656b671f3b991c972a6
LimeRAT
8f6b4fb55d85a992dbcd03955041bad5d18ae8632369e9c540d742bb7b773b8e
LimeRAT
93986eac8652157b41ac4464bed7584c6b0c04a3fcdd8bcda47592df69fee3ba
LimeRAT
e13c26e3f597f9408603d053ee4e246995adf0973b96f7d0eabfadc9d63d52c3
LimeRAT
e4a221ce6089104f55075f2a249380c86d1bbcf8994e131db850bd2bd6dc73c3
LimeRAT
+ 91 additional samples on MalwareBazaar
Result
Malware family:
limerat
Create hunting rule
Score:
  10/10
Tags:
family:limerat rat
Link:
https://tria.ge/reports/210729-lfmyhxz8yj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
CustAttr .NET packer
LimeRAT
Unpacked files
SH256 hash:
8788bf60f6560484522f953237fea3062de9d130c6e26b6b2a41fd843949eb10
MD5 hash:
2fc04bfba237acc3b88be50ed9baaedb
SHA1 hash:
f48e79eed0bbe0c2df4b3355d54cd23c46d70bea
Link:
https://www.unpac.me/results/498fc36f-e9c3-49e8-8904-f57d2616c69b/
SH256 hash:
97d2fa1d01b2f9a2199896e05e0cf60c14a9f41ef2d72e15fbb862b7afa08438
MD5 hash:
68463851c0e6fe7a254c99fae763d454
SHA1 hash:
4587a5371d88c296a0184fe47ee0c5245b187127
Link:
https://www.unpac.me/results/498fc36f-e9c3-49e8-8904-f57d2616c69b/
SH256 hash:
cd24dce7db9b46680549fa0b774b58bdd8e8f78b30757886fa8e0c0d505fc0c9
MD5 hash:
be29d2fe9086dc34c255fc45b16d7a8c
SHA1 hash:
30bbeab63eca40dca0f94a40b4f935101985e0e5
Link:
https://www.unpac.me/results/498fc36f-e9c3-49e8-8904-f57d2616c69b/
SH256 hash:
7d900c842228164a450c070b49db71709f73aab97f548167e79742f505e2edc7
MD5 hash:
90091c8c9c69b12fe47cee45e5090bf9
SHA1 hash:
e7faaf6695ac2c30dbda38e576e6f50eaa04127a
Link:
https://www.unpac.me/results/498fc36f-e9c3-49e8-8904-f57d2616c69b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7d900c842228164a450c070b49db71709f73aab97f548167e79742f505e2edc7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_LimeRAT
Create hunting rule
Author:ditekSHen
Description:LimeRAT payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LimeRAT

Executable exe 7d900c842228164a450c070b49db71709f73aab97f548167e79742f505e2edc7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1489223/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/175034/

Comments