MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad59f7a299e7839f81f04f037be2234da036c58b2f6ed2a9c9cb109f3d18705b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LimeRAT


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ad59f7a299e7839f81f04f037be2234da036c58b2f6ed2a9c9cb109f3d18705b
SHA3-384 hash: da221150b1518fac5e5e466ebebb817857613fe707815e09086ed43c94a5b23f357338c41051cb83a6decfd4005fa4d2
SHA1 hash: d05a8c383051ffacb104856b58eeda123bb70695
MD5 hash: 5e150a45eeb9215dee33da8f9e6c6ae9
humanhash: seventeen-skylark-twelve-march
File name:ad59f7a299e7839f81f04f037be2234da036c58b2f6ed2a9c9cb109f3d18705b
Download: download sample
Signature LimeRAT
Create hunting rule
File size:1'114'112 bytes
First seen:2021-09-06 06:38:49 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash 687f659d035e325c5a85ca1dc3e47d1c (1 x LimeRAT)
ssdeep 24576:JQfzEWuougTY5sC1Mp7vHyecNLWlGNxTRQY:qzTuuYp1G/yecNLWIxTR
Threatray 12 similar samples on MalwareBazaar
TLSH T1D0359F55F0807C61FDDBCA72A6CAE802D5226F05FA5B1442154F29E099339FF7E40BAB
Reporter JAMESWT_WT
Tags:dll LimeRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
793
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/185540/
Detection(s):
SecuriteInfo.com.Variant.Razy.910613.7207.22689.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Sending a custom TCP request
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Malware family:
LimeRat
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b6f22a9b-3597-4ea2-882a-d5dd0c3163c1
Result
Threat name:
LimeRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/845749
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected LimeRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 478181 Sample: BQBvSqW6KI Startdate: 06/09/2021 Architecture: WINDOWS Score: 100 69 Found malware configuration 2->69 71 Antivirus detection for dropped file 2->71 73 Multi AV Scanner detection for dropped file 2->73 75 8 other signatures 2->75 9 loaddll32.exe 1 2->9         started        process3 signatures4 85 Contains functionality to inject code into remote processes 9->85 12 rundll32.exe 1 9->12         started        16 cmd.exe 1 9->16         started        18 rundll32.exe 9->18         started        20 6 other processes 9->20 process5 file6 61 C:\Users\user\Desktop\035.exe, PE32 12->61 dropped 87 Writes to foreign memory regions 12->87 89 Allocates memory in foreign processes 12->89 91 Injects a PE file into a foreign processes 12->91 22 035.exe 6 12->22         started        26 rundll32.exe 16->26         started        28 WerFault.exe 2 9 18->28         started        30 WerFault.exe 20->30         started        32 WerFault.exe 9 20->32         started        34 WerFault.exe 20->34         started        signatures7 process8 file9 57 C:\Users\user\AppData\Local\...\tmpF52D.tmp, XML 22->57 dropped 59 C:\Users\user\AppData\...\KzSuNlCQoYKnH.exe, PE32 22->59 dropped 79 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 22->79 81 Uses schtasks.exe or at.exe to add and modify task schedules 22->81 83 Injects a PE file into a foreign processes 22->83 36 035.exe 22->36         started        41 schtasks.exe 22->41         started        43 035.exe 22->43         started        45 035.exe 22->45         started        47 WerFault.exe 23 9 26->47         started        49 WerFault.exe 28->49         started        51 WerFault.exe 30->51         started        signatures10 process11 dnsIp12 63 pastebin.com 104.23.98.190, 443, 49720 CLOUDFLARENETUS United States 36->63 65 198.12.110.198, 4204, 49721 AS-COLOCROSSINGUS United States 36->65 55 C:\Users\user\Desktop\IconLib.dll, PE32 36->55 dropped 77 Protects its processes via BreakOnTermination flag 36->77 53 conhost.exe 41->53         started        67 192.168.2.1 unknown unknown 47->67 file13 signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ad59f7a299e7839f81f04f037be2234da036c58b2f6ed2a9c9cb109f3d18705b/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-09-05 09:53:07 UTC
File Type:
PE (Dll)
Extracted files:
1
AV detection:
18 of 43 (41.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0fa060a6dcf51fbc643db7b939ce8d01327606c058130825684258c58ff948b8
LimeRAT
59e56ea3603c4410e4f3c885cf98800ed5e5b02646ae653cd2867cf1ddffa809
LimeRAT
5a5cabaaf342c66e713bb09ae85634323f31ff6fd519e63aa9361e2770df2f18
LimeRAT
7d565fff35ffb8125421bfda8536fc4901dc9fb8c55fae9282e723fb6408deb2
LimeRAT
9c4331dfe69481186d1ecc0026751207e164d5b7b206f456fb5e91a7e263008f
LimeRAT
9ca380b9e68f8aab9d08c3357ce286ce087c81c96b64923f6401dc31679b5453
LimeRAT
c419db928f7e3be31d20d2153ba913bc6b7825b68c386d674b182ae28378d28c
LimeRAT
c92185a29b6f3ee3654ad05d1fc0f692a078080f4fd0140ce46f5cd200e4565a
LimeRAT
e8d7b23035877f317d41a96871a6da2dcd0e51f245ba610e014e8a33d68252a6
LimeRAT
fed50645352598a6e0e38be14759cf2067630167b907daf307d08b66e389276d
LimeRAT
+ 2 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210906-hem1yaaef4/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Executes dropped EXE
Unpacked files
SH256 hash:
ad59f7a299e7839f81f04f037be2234da036c58b2f6ed2a9c9cb109f3d18705b
MD5 hash:
5e150a45eeb9215dee33da8f9e6c6ae9
SHA1 hash:
d05a8c383051ffacb104856b58eeda123bb70695
Link:
https://www.unpac.me/results/af03cf01-98fc-4728-90d6-238301000365/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ad59f7a299e7839f81f04f037be2234da036c58b2f6ed2a9c9cb109f3d18705b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/185540/

Comments