MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f942f1efb3644e13aca6188c7da9270d02f956155fba3cba21b6d81dfd995a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LimaRAT

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	9f942f1efb3644e13aca6188c7da9270d02f956155fba3cba21b6d81dfd995a7
SHA3-384 hash:	d6028d2201b9d78ed94c6833f5a13830fd003b173a394452ac84191162ee063497dfdab5ef3f0d9ebd47e10530b44cc4
SHA1 hash:	4aabffec8b6be99324f8d589e73ed0f433054118
MD5 hash:	d7ff05311350b4990ccd642a44679d1d
humanhash:	gee-undress-sodium-idaho
File name:	Wezwanie_swiadka.pdf.exe
Download:	download sample
Signature	LimaRAT Create hunting rule
File size:	5'049'013 bytes
First seen:	2024-02-13 15:55:03 UTC
Last seen:	2024-02-13 17:23:15 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f4639a0b3116c2cfc71144b88a929cfd (96 x GuLoader, 53 x Formbook, 37 x VIPKeylogger)
ssdeep	98304:ZzIzKl/zS8Bsob1pxf+4uoUZCSdc8WuhxAJnNon5k04Z4Itm:Zzw2O2Znxf+4uoMhc4xxnnF
Threatray	432 similar samples on MalwareBazaar
TLSH	T12D3633C8BB40CBC5CB94033125D542268B93E7FA27B170841BD565D5BAE005EEEAA7F3
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):
dhash icon	f4e464942c3438c4 (1 x Stealc, 1 x LimaRAT)
Reporter	smica83
Tags:	apt exe LimaRAT POL

Intelligence

File Origin

# of uploads :

# of downloads :

324

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/476014/

Detection(s):

SecuriteInfo.com.Win32.Evo-gen.15427.22025.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a process from a recently created file

Searching for analyzing tools

Сreating synchronization primitives

Searching for the window

Creating a window

Launching a process

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Using the Windows Management Instrumentation requests

Searching for synchronization primitives

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

installer lolbin masquerade overlay packed shell32

Link:

https://www.filescan.io/uploads/65cb90e0ac375bec15e5fbc0/reports/c5900b02-c15d-4f3c-881e-f1cf109230c0/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/9f942f1efb3644e13aca6188c7da9270d02f956155fba3cba21b6d81dfd995a7

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/b6d5402f-19a9-4054-a56b-f7c7c79f4bba

Result

Threat name:

LimeRAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1391543

Signature

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Sigma detected: Suspicious Double Extension File Execution

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected LimeRAT

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/9f942f1efb3644e13aca6188c7da9270d02f956155fba3cba21b6d81dfd995a7

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9f942f1efb3644e13aca6188c7da9270d02f956155fba3cba21b6d81dfd995a7/

Threat name:

Win32.Spyware.Xegumumune

Status:

Malicious

First seen:

2024-02-12 17:31:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

12 of 23 (52.17%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=t6kc6hx3gzcocowkmgempwusodic7flbkx52hs5cdnwydx6zswtq._file

Verdict:

suspicious

LimaRAT

1bb732330744dda9232ab0e291c9b5d5f8e76e9c649ed9e1e9f4327a0c7387dc

LimaRAT

6812d2c704a12a02c87a5b7152ebc3294d71f31262460115a23a4d8b5e4cb5b3

LimaRAT

725600f8e47bd1294331aa19c3bef6d31f37204afa2a5ba45036bc8307132d5b

LimaRAT

88481fc9b8b2beb564ae58c9ad551d3810a15fbb58a7dc98944167e2f8f2dfd2

LimaRAT

9f942f1efb3644e13aca6188c7da9270d02f956155fba3cba21b6d81dfd995a7

LimaRAT

b47036189825426c6e368fd21594aaba8dbdcf573464d2939f99da44c9874b97

LimaRAT

fae531687cc458d8d7e504b81776514eec3cd9700891a1b873afa3748c84cc78

LimaRAT

ffb7e0228d5212b01b82d48a1a058ada453228b70a0285e39822facefcc24e52

LimaRAT

+ 422 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

evasion themida trojan

Link:

https://tria.ge/reports/240213-tctlgscf71/

Behaviour

Checks processor information in registry

Modifies Internet Explorer settings

Modifies registry class

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks whether UAC is enabled

Checks BIOS information in registry

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Themida packer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Unpacked files

SH256 hash:

6c38a763c81629a9497755d3dacc8a930e3ecf4021cba8b42a9fc2516b4e5bb3

MD5 hash:

2e0b91b9060c33c2ca0df10c156ea8a3

SHA1 hash:

a9380c6f472a81a0e825fbca0436268a00c5bee7

Detections:

INDICATOR_EXE_Packed_Themida

INDICATOR_SUSPICIOUS_EXE_SandboxProductID

INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

Link:

https://www.unpac.me/results/1f3f96f4-cea7-466d-89bf-a4caa708abb8/

SH256 hash:

9f942f1efb3644e13aca6188c7da9270d02f956155fba3cba21b6d81dfd995a7

MD5 hash:

d7ff05311350b4990ccd642a44679d1d

SHA1 hash:

4aabffec8b6be99324f8d589e73ed0f433054118

Link:

https://www.unpac.me/results/1f3f96f4-cea7-466d-89bf-a4caa708abb8/

Malware family:

APT.9002

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/9f942f1efb36/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9f942f1efb3644e13aca6188c7da9270d02f956155fba3cba21b6d81dfd995a7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

https://twitter.com/t3ft3lb/status/1757425725475344386?t=GR1uFUmE5nVLs-9WS59qGw&s=19

Cape

https://www.capesandbox.com/analysis/476014/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample