MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c787c9a5f407a656478efc835f1a0f8f738030bf26cedbd4748cb7b18ed2ea3e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LimeRAT


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c787c9a5f407a656478efc835f1a0f8f738030bf26cedbd4748cb7b18ed2ea3e
SHA3-384 hash: fdbeb4d8e2412b298d86d7f3fefcb5783d1c72fddd93892983cb366e0019399bb9e53a59c54794a6266788755d5086df
SHA1 hash: 0f471be520c5c78a0a40a4026237e04c366a3110
MD5 hash: 7ed5b2dec02ef2ddc967fa9ca0dd8d2f
humanhash: dakota-kitten-nine-lamp
File name:c787c9a5f407a656478efc835f1a0f8f738030bf26ced.exe
Download: download sample
Signature LimeRAT
Create hunting rule
File size:790'953 bytes
First seen:2022-09-15 12:30:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (389 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 12288:lToPWBv/cpGrU3y4dDG+A/rd/X78/SLKXt22Q2pnkhA/rd/X78vm:lTbBv5rUFDGr/rBXIxtrQm/rBXIe
Threatray 1'447 similar samples on MalwareBazaar
TLSH T18DF40203BEC188B2D5B31D726A35A711697CBD601F65CECBB3D01A6CDA729C1D630BA1
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c070cc9cfecde976 (4 x LimeRAT, 3 x CoinMiner)
Reporter abuse_ch
Tags:exe LimeRAT RAT


Avatar
abuse_ch
LimeRAT C2:
13.229.238.144:19532

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
13.229.238.144:19532 https://threatfox.abuse.ch/ioc/849796/

Intelligence

File Origin
# of uploads :
1
# of downloads :
333
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
limerat
Create hunting rule
ID:
1
File name:
c787c9a5f407a656478efc835f1a0f8f738030bf26ced.exe
Verdict:
Malicious activity
Analysis date:
2022-09-16 07:33:19 UTC
Tags:
trojan limerat rat
Link:
https://app.any.run/tasks/ce339712-59bf-4d59-b18a-7b8fcf8e0d98

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/310257/
Detection(s):
Win.Packed.Nanocore-9942160-0
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
DNS request
Sending a custom TCP request
Enabling the 'hidden' option for recently created files
Creating a file
Launching a tool to kill processes
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Query of malicious DNS domain
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/37706/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm coinminer diztakun greyware limerat nanocore overlay packed setupapi.dll shdocvw.dll shell32.dll virus
Link:
https://www.filescan.io/uploads/63231b4dba7b8113dd64c639/reports/f5740c5d-41b2-4938-b7c2-dade9630a395/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
LimeRat
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/113221b8-cfc8-4337-b147-555f1ef379b7
Result
Threat name:
LimeRAT
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1070896
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Disables the Windows task manager (taskmgr)
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to resolve many domain names, but no domain seems valid
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Windows Shell Script Host drops VBS files
Yara detected BatToExe compiled binary
Yara detected LimeRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 703448 Sample: c787c9a5f407a656478efc835f1... Startdate: 15/09/2022 Architecture: WINDOWS Score: 100 68 pastebin.com 2->68 70 musilkks7421.servehalflife.com 2->70 72 12 other IPs or domains 2->72 94 Snort IDS alert for network traffic 2->94 96 Malicious sample detected (through community Yara rule) 2->96 98 Antivirus detection for URL or domain 2->98 102 16 other signatures 2->102 10 c787c9a5f407a656478efc835f1a0f8f738030bf26ced.exe 15 2->10         started        14 wscript.exe 2->14         started        16 wscript.exe 2->16         started        signatures3 100 System process connects to network (likely due to code injection or exploit) 70->100 process4 file5 56 C:\Users\user\AppData\Local\...\winupdate.exe, PE32+ 10->56 dropped 58 C:\Users\user\AppData\...\windowsapp.exe, PE32 10->58 dropped 60 C:\Users\user\AppData\Local\Temp\...\lirb.com, PE32 10->60 dropped 62 2 other malicious files 10->62 dropped 134 Drops PE files with a suspicious file extension 10->134 18 windowsapp.exe 6 10->18         started        signatures6 process7 signatures8 88 Antivirus detection for dropped file 18->88 90 Multi AV Scanner detection for dropped file 18->90 92 Machine Learning detection for dropped file 18->92 21 cmd.exe 10 18->21         started        process9 signatures10 104 Uses cmd line tools excessively to alter registry or file data 21->104 24 irom.com 5 10 21->24         started        28 lirb.com 21->28         started        30 reg.exe 21->30         started        32 30 other processes 21->32 process11 dnsIp12 48 C:\Users\user\AppData\Roaming\...\main.vbs, UTF-8 24->48 dropped 120 Multi AV Scanner detection for dropped file 24->120 35 wscript.exe 24->35         started        40 wscript.exe 24->40         started        50 C:\Users\user\AppData\...\winlogon.exe, PE32 28->50 dropped 122 Machine Learning detection for dropped file 28->122 42 winlogon.exe 28->42         started        124 Creates multiple autostart registry keys 30->124 126 Creates an autostart registry key pointing to binary in C:\Windows 30->126 64 104.20.67.143, 443, 49714, 49734 CLOUDFLARENETUS United States 32->64 66 pastebin.com 104.20.68.143, 443, 49713, 49727 CLOUDFLARENETUS United States 32->66 52 C:\Users\user\AppData\...\Microsoft.exe, PE32+ 32->52 dropped 54 C:\Users\user\AppData\...\winupdate.exe, PE32+ 32->54 dropped 128 System process connects to network (likely due to code injection or exploit) 32->128 130 Drops PE files to the startup folder 32->130 132 Disables the Windows task manager (taskmgr) 32->132 file13 signatures14 process15 dnsIp16 74 v2pando8k.zapto.org 35->74 76 v2pando8k.webhop.me 35->76 82 75 other IPs or domains 35->82 44 C:\Users\user\AppData\Roaming\...\main.vbs, UTF-8 35->44 dropped 106 System process connects to network (likely due to code injection or exploit) 35->106 108 Windows Shell Script Host drops VBS files 35->108 110 Drops VBS files to the startup folder 35->110 112 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 35->112 78 ukseca8425.webhop.me 40->78 80 ukseca8425.viewdns.net 40->80 84 84 other IPs or domains 40->84 46 C:\Users\user\AppData\Roaming\...\backup.vbs, UTF-8 40->46 dropped 114 Creates multiple autostart registry keys 40->114 86 3 other IPs or domains 42->86 116 Protects its processes via BreakOnTermination flag 42->116 file17 118 Tries to resolve many domain names, but no domain seems valid 76->118 signatures18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c787c9a5f407a656478efc835f1a0f8f738030bf26cedbd4748cb7b18ed2ea3e/
Threat name:
ByteCode-MSIL.Trojan.AutoitInject
Create hunting rule
Status:
Malicious
First seen:
2022-09-02 01:06:23 UTC
File Type:
PE (Exe)
Extracted files:
66
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y6d4tjpua6tfmr4o7sbv6gqpr5zyamf7e3hnxvdurs33ddws5i7a._file
Verdict:
malicious
Similar samples:
0c22e8ea0ba6fc4f77bd273a12dd319e991899499b4bea8422d146d447034505
LimeRAT
301a3e665000c99ab655a74dbf9408de24875866528be4f6d28e83490c19305b
LimeRAT
467ad63f6a1235c46806e9da0af33d358e0428c50e8419de415948db720e56ee
LimeRAT
591a2906dcc822e0137732a6938f0ec84887ebb5f13524f83be179d801f44ab6
LimeRAT
6bcf5705424ff9935c6dfd886e666af3cb2da930cfe82b0924b599f682b8f9bf
LimeRAT
75180613894eb3345319cc207d66688e5219035a05e97d330a2397d51cc397c6
LimeRAT
ce349034ea5373d13d5fa3adaf34a3ecffff799fe9044d4a2c98bd8a16f0e9ed
LimeRAT
+ 1'437 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:limerat family:xmrig evasion miner persistence rat upx
Link:
https://tria.ge/reports/220915-pp2emsdaf3/
Behaviour
Kills process with taskkill
Modifies registry class
Modifies registry key
Runs ping.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Disables Task Manager via registry modification
Downloads MZ/PE file
Executes dropped EXE
Sets file to hidden
UPX packed file
XMRig Miner payload
LimeRAT
xmrig
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/588057fc-0256-43bd-a27a-7ce3d3c858f2
Unpacked files
SH256 hash:
c787c9a5f407a656478efc835f1a0f8f738030bf26cedbd4748cb7b18ed2ea3e
MD5 hash:
7ed5b2dec02ef2ddc967fa9ca0dd8d2f
SHA1 hash:
0f471be520c5c78a0a40a4026237e04c366a3110
Link:
https://www.unpac.me/results/664c2700-5873-43f4-8bd4-1e6b80eaeead/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c787c9a5f407/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c787c9a5f407a656478efc835f1a0f8f738030bf26cedbd4748cb7b18ed2ea3e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:RansomwareTest4
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest5
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:Record_Breaker_Similarities
Create hunting rule
Author:DigitalPanda
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.
Rule name:win_koadic_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.koadic.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/310257/

Comments