MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c24acebd63f3832f4d82501dac66fd98b6056b7542e524a1cfe634c78269b607. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LimeRat


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c24acebd63f3832f4d82501dac66fd98b6056b7542e524a1cfe634c78269b607
SHA3-384 hash: 4275e37bf97e7aedfb653448c483fbf3eefcb2327fea5793d8188767f19a951a749cf7a49b3af2b0e1a5d69b4d52bd75
SHA1 hash: 5dc3eb7b6a1c5b0120ef1fc29604298edede2595
MD5 hash: 05d209fcda058ffcafcc08e2222cc4eb
humanhash: sink-crazy-mobile-magnesium
File name:c24acebd63f3832f4d82501dac66fd98b6056b7542e524a1cfe634c78269b607
Download: download sample
Signature LimeRat
Create hunting rule
File size:490'679 bytes
First seen:2022-10-04 21:21:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 12288:VzxzTDWikLSb4NS78owXHVsqH97cH69KYP5t:XDWHSb4NmAHZxz
Threatray 16'236 similar samples on MalwareBazaar
TLSH T151A4F102FD8194B2C6210D355A69AB61653DBE200F14CFDBB3D44A6DEE341E0BB35BA7
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 00f4d6cac2d6e2c0 (1 x LimeRat, 1 x Chaos)
Reporter petikvx
Tags:exe LimeRAT Ransomware

Intelligence

File Origin
# of uploads :
1
# of downloads :
567
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316651/
Detection(s):
SecuriteInfo.com.Gen.Variant.Razy.582340.18684.14597.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file
Delayed writing of the file
Creating a process with a hidden window
Launching a process
DNS request
Launching the default Windows debugger (dwwin.exe)
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Blocking a possibility to launch for the Windows registry editor (regedit.exe)
Changing critical settings of the Internet Explorer browser
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/41173/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/633ca402d089a0c15dd52abd/reports/e9ab6c7f-ce19-4e2f-8d97-174be8f3f2bb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
LimeRat
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e6254c2d-606a-4ad5-a66d-cec64340d5f0
Result
Threat name:
LimeRAT, Virut
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1083632
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Disables the Windows registry editor (regedit)
Disables the Windows task manager (taskmgr)
Disables USB drives
Disables Windows system restore
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to evade debugger and weak emulator (self modifying code)
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected LimeRAT
Yara detected Virut
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 716187 Sample: 6RIld7ECqv.exe Startdate: 04/10/2022 Architecture: WINDOWS Score: 100 47 ilo.brenz.pl 2->47 65 Snort IDS alert for network traffic 2->65 67 Multi AV Scanner detection for domain / URL 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 11 other signatures 2->71 9 6RIld7ECqv.exe 12 2->9         started        12 iexplore.exe 2 85 2->12         started        signatures3 process4 dnsIp5 33 C:\Users\user\AppData\Local\Temp\...\5.exe, PE32 9->33 dropped 35 C:\Users\user\AppData\Local\Temp\...\1.exe, PE32 9->35 dropped 37 C:\Users\user\AppData\Local\Temp\...\2.bat, DOS 9->37 dropped 15 1.exe 12 503 9->15         started        55 mail.ru 12->55 19 iexplore.exe 4 93 12->19         started        file6 process7 dnsIp8 39 C:\Windows\assembly\...\1.exe, PE32 15->39 dropped 41 C:\Windows\assembly\...\1.exe, PE32 15->41 dropped 43 C:\Windows\assembly\...\1.exe, PE32 15->43 dropped 45 746 other malicious files 15->45 dropped 57 Antivirus detection for dropped file 15->57 59 Multi AV Scanner detection for dropped file 15->59 61 Machine Learning detection for dropped file 15->61 63 5 other signatures 15->63 22 svchost.exe 15->22         started        49 yandex.ru 5.255.255.55, 443, 49797, 49798 YANDEXRU Russian Federation 19->49 51 bs.yandex.ru 93.158.134.90, 443, 49749, 49750 YANDEXRU Russian Federation 19->51 53 27 other IPs or domains 19->53 file9 signatures10 process11 signatures12 73 Antivirus detection for dropped file 22->73 75 Multi AV Scanner detection for dropped file 22->75 77 Machine Learning detection for dropped file 22->77 79 3 other signatures 22->79 25 winlogon.exe 22->25 injected 27 lsass.exe 22->27 injected 29 fontdrvhost.exe 22->29 injected 31 11 other processes 22->31 process13
Detection:
ramnit
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c24acebd63f3832f4d82501dac66fd98b6056b7542e524a1cfe634c78269b607/
Threat name:
Win32.Worm.Changeup
Create hunting rule
Status:
Malicious
First seen:
2022-10-04 03:31:05 UTC
File Type:
PE (Exe)
Extracted files:
22
AV detection:
25 of 26 (96.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yjfm5pld6obs6tmckao2yzx5tc3ak23vilssjiop4y2mpatjwydq._file
Verdict:
malicious
Similar samples:
09b10c88bbc3847d274f7b734a701248833fa92efddc669a7a82e0d1401f7245
LimeRat
13713a7b6d609042754fb59c1c9f3049c27c5ac8b052fd2e71f4025b8bc8e8ad
LimeRat
27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20
LimeRat
474a473bf46fdbfb5a9344937674c1455d764e74c2cd8892da7d59f68ffadd5c
LimeRat
87be6f628553d89007fd8f7d0758d42906f2ee7d84ca18e961cb463921061a42
LimeRat
8ec0380da8c47a1087d0dbc916ae648f1d5d6fcc5f08be4d9091b316780b76b1
LimeRat
b4f86ff48c5f6b01e0ad4543fb78e0435e81f3ec2aaca89866862157c0dacf4f
LimeRat
+ 16'226 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion upx
Link:
https://tria.ge/reports/221004-z7wl8acfa4/
Behaviour
Kills process with taskkill
Modifies Internet Explorer settings
Modifies Internet Explorer start page
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Drops file in System32 directory
Checks computer location settings
Loads dropped DLL
Disables RegEdit via registry modification
Disables Task Manager via registry modification
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
Modifies firewall policy service
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/130388cd-4c25-4f38-8f5a-1d3ccd0bd6e7
Unpacked files
SH256 hash:
2ec3a9cfe42979a14744c486f2867c22900950f2eeef2ddd7b62a924c30fa648
MD5 hash:
5c1eb55fc38340c804436254cf292e94
SHA1 hash:
6067f36394e104e69e1500a7ca1afaabf96547ff
Link:
https://www.unpac.me/results/84fc9989-388f-4668-9806-87ee0581b82e/
SH256 hash:
84e3aec0b01e304f0feb58012eb14ffb4d43c547ae454f42675203b2fe6256a5
MD5 hash:
0b0e95fb2462333ffbd83d4fbd6247c0
SHA1 hash:
2b91dfc83fe0ec5c2e3a89e786caab0195a145a4
Link:
https://www.unpac.me/results/84fc9989-388f-4668-9806-87ee0581b82e/
SH256 hash:
c24acebd63f3832f4d82501dac66fd98b6056b7542e524a1cfe634c78269b607
MD5 hash:
05d209fcda058ffcafcc08e2222cc4eb
SHA1 hash:
5dc3eb7b6a1c5b0120ef1fc29604298edede2595
Link:
https://www.unpac.me/results/84fc9989-388f-4668-9806-87ee0581b82e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c24acebd63f3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c24acebd63f3832f4d82501dac66fd98b6056b7542e524a1cfe634c78269b607

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/316651/

Comments