MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9076b1f904d3f53fcad6a38b7852ed9cb08905f71560dde89db1026c839b77bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LimeRAT


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9076b1f904d3f53fcad6a38b7852ed9cb08905f71560dde89db1026c839b77bd
SHA3-384 hash: 8f464e346f1ea22b43190642922776f971e4e91b27fc2a5fcc588212f937c24b97cbe506a3edc08e0b0911c5e83bc059
SHA1 hash: 1115bc89c2b32ebe0897a0dfad12fb73b63d686c
MD5 hash: 59aa84cf2e843581002f74710e77dc9e
humanhash: princess-kansas-minnesota-mockingbird
File name:59aa84cf2e843581002f74710e77dc9e
Download: download sample
Signature LimeRAT
Create hunting rule
File size:458'193 bytes
First seen:2022-05-10 01:11:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 6144:TOYGXaPNxdgSdcq2pVZPOJHAbKAxEygOlWlYf+/alZ2CMPxH4vgucCG:nGqN/XdctpVtkwxEyblH+QZ20mV
Threatray 1'638 similar samples on MalwareBazaar
TLSH T11DA4E002B6C6C872E4732A314939AB15AD7D7D201F34EA1FB3D4597DDA710C1A624BB3
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon c070cc9cfecde976 (4 x LimeRAT, 3 x CoinMiner)
Reporter zbetcheckin
Tags:32 exe LimeRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
512
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
59aa84cf2e843581002f74710e77dc9e
Verdict:
Malicious activity
Analysis date:
2022-05-10 01:13:34 UTC
Tags:
loader
Link:
https://app.any.run/tasks/46e840e2-5267-499a-b89b-28f753fdd1bd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.PUA.Tool.BtcMine.2110.19075.28917.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Enabling the 'hidden' option for recently created files
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Unauthorized injection to a recently created process
Query of malicious DNS domain
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/16867/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
coinminer greyware limerat overlay packed setupapi.dll shdocvw.dll shell32.dll update.exe ursnif
Link:
https://www.filescan.io/uploads/6279bbf2b119a5f609b5c7e5/reports/1dc8ea78-7605-40a2-ae2b-9156fc660969/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
LimeRat
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/82d99273-f639-4af8-86fb-750c0507d89c
Result
Threat name:
LimeRAT
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/990609
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Disables the Windows task manager (taskmgr)
Drops PE files to the startup folder
Drops PE files with benign system names
Drops VBS files to the startup folder
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to resolve many domain names, but no domain seems valid
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Shell Script Host drops VBS files
Yara detected BatToExe compiled binary
Yara detected LimeRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 623105 Sample: hvWRyao1F9 Startdate: 10/05/2022 Architecture: WINDOWS Score: 100 70 pastebin.com 2->70 72 ut8apha9.onthewifi.com 2->72 74 130 other IPs or domains 2->74 90 Snort IDS alert for network traffic 2->90 92 Found malware configuration 2->92 94 Malicious sample detected (through community Yara rule) 2->94 100 15 other signatures 2->100 10 hvWRyao1F9.exe 20 2->10         started        14 svchost.exe 2->14         started        16 svchost.exe 2->16         started        19 7 other processes 2->19 signatures3 96 System process connects to network (likely due to code injection or exploit) 70->96 98 Tries to resolve many domain names, but no domain seems valid 72->98 process4 dnsIp5 46 C:\Users\user\AppData\Local\...\winupdate.exe, PE32+ 10->46 dropped 48 C:\Users\user\AppData\Local\...\winlogins.exe, PE32 10->48 dropped 50 C:\Users\user\AppData\...\windowsapp.exe, PE32 10->50 dropped 52 2 other malicious files 10->52 dropped 116 Drops PE files with benign system names 10->116 21 windowsapp.exe 6 10->21         started        118 Changes security center settings (notifications, updates, antivirus, firewall) 14->118 68 127.0.0.1 unknown unknown 16->68 file6 signatures7 process8 signatures9 102 Antivirus detection for dropped file 21->102 104 Multi AV Scanner detection for dropped file 21->104 106 Machine Learning detection for dropped file 21->106 24 cmd.exe 3 11 21->24         started        process10 signatures11 114 Uses cmd line tools excessively to alter registry or file data 24->114 27 wscript.exe 24->27         started        31 winlogins.exe 24->31         started        33 wscript.exe 24->33         started        35 21 other processes 24->35 process12 dnsIp13 54 C:\Users\user\AppData\Roaming\...\z.vbs, UTF-8 27->54 dropped 56 C:\Users\user\AppData\Local\Temp\z.vbs, UTF-8 27->56 dropped 120 System process connects to network (likely due to code injection or exploit) 27->120 122 Windows Shell Script Host drops VBS files 27->122 124 Drops VBS files to the startup folder 27->124 38 wscript.exe 27->38         started        58 C:\Users\user\AppData\...\winlogins.exe, PE32 31->58 dropped 126 Antivirus detection for dropped file 31->126 128 Multi AV Scanner detection for dropped file 31->128 130 Machine Learning detection for dropped file 31->130 142 3 other signatures 31->142 42 schtasks.exe 31->42         started        60 C:\Users\user\AppData\Roaming\...\helps.vbs, UTF-8 33->60 dropped 62 C:\Users\user\AppData\Local\Temp\helps.vbs, UTF-8 33->62 dropped 132 Creates multiple autostart registry keys 33->132 44 wscript.exe 33->44         started        76 pastebin.com 172.67.34.170, 443, 49741, 49742 CLOUDFLARENETUS United States 35->76 64 C:\Users\user\AppData\...\Microsoft.exe, PE32+ 35->64 dropped 66 C:\Users\user\AppData\...\winupdate.exe, PE32+ 35->66 dropped 134 Drops PE files to the startup folder 35->134 136 Creates an autostart registry key pointing to binary in C:\Windows 35->136 138 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 35->138 140 Disables the Windows task manager (taskmgr) 35->140 file14 signatures15 process16 dnsIp17 78 rinot972.servepics.com 38->78 80 rinot972.myvnc.com 38->80 86 55 other IPs or domains 38->86 108 System process connects to network (likely due to code injection or exploit) 38->108 110 Windows Shell Script Host drops VBS files 38->110 82 ut8apha9.myvnc.com 44->82 84 muslada2251.zapto.org 44->84 88 53 other IPs or domains 44->88 signatures18 112 Tries to resolve many domain names, but no domain seems valid 82->112
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9076b1f904d3f53fcad6a38b7852ed9cb08905f71560dde89db1026c839b77bd/
Threat name:
Win32.Backdoor.LimeRAT
Create hunting rule
Status:
Malicious
First seen:
2022-05-09 22:18:16 UTC
File Type:
PE (Exe)
Extracted files:
24
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
25c6683580fed956729b416652583cae152d42d952cacfbfd4b4568850882a6b
LimeRAT
4e658159df74c5e24e1548f5304b1bc881f7986bf43fb687c07e8f5fb531108d
LimeRAT
97b032f29e2966bd64a69ce27be337756c42041994c30f553f92a80e03eadbca
LimeRAT
af14ffe4c3aa39dd8b219ca3cf1757492183c5ac069b507a1d36bb4430057582
LimeRAT
cda57d12ed16414f52bfcfe2f3234d0fa5eb259aa20a59568cf040f6958047eb
LimeRAT
f090ea218b1b9efedee6bae4665c1066649dc0fb94542467a56ae5a0a2c693e0
LimeRAT
+ 1'628 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:limerat family:xmrig evasion miner persistence rat
Link:
https://tria.ge/reports/220510-bkhj3seef4/
Behaviour
Creates scheduled task(s)
Modifies registry class
Modifies registry key
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Disables Task Manager via registry modification
Downloads MZ/PE file
Executes dropped EXE
Sets file to hidden
XMRig Miner Payload
LimeRAT
xmrig
Unpacked files
SH256 hash:
6408f2b83a73c461d6ba809bc2110f15f9a3c750fd11cdb17ee835070b7ee258
MD5 hash:
33c266fd091eadb75744f7b0c7a76655
SHA1 hash:
206545f1bdc61c95b49e9af3b62900cf82a1ad3d
Detections:
win_koadic_auto
Create hunting rule
Link:
https://www.unpac.me/results/1cd8e709-f403-4154-a9f9-6f8e78f4d908/
SH256 hash:
9076b1f904d3f53fcad6a38b7852ed9cb08905f71560dde89db1026c839b77bd
MD5 hash:
59aa84cf2e843581002f74710e77dc9e
SHA1 hash:
1115bc89c2b32ebe0897a0dfad12fb73b63d686c
Link:
https://www.unpac.me/results/1cd8e709-f403-4154-a9f9-6f8e78f4d908/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9076b1f904d3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9076b1f904d3f53fcad6a38b7852ed9cb08905f71560dde89db1026c839b77bd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LimeRAT

Executable exe 9076b1f904d3f53fcad6a38b7852ed9cb08905f71560dde89db1026c839b77bd

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2187615/

Comments


Avatar
zbet commented on 2022-05-10 01:11:22 UTC

url : hxxp://54.254.238.33:8083/IE.exe