MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9843b54a85a553deece49841f3afdbcd642836cb461cf66fc20c491077617b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LimeRAT


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c9843b54a85a553deece49841f3afdbcd642836cb461cf66fc20c491077617b9
SHA3-384 hash: 8dded2c483b9e45d63cbc10d4d09616d1f006bcc95ae2bb3a8600e38a16f144c888737b823095cdec057f607d7f07d3a
SHA1 hash: 471fbb37ed12de588792190ca1ed2266261db7fb
MD5 hash: 4d46ee07b95bd28969da2747e302812a
humanhash: red-michigan-april-green
File name:Payment.exe
Download: download sample
Signature LimeRAT
Create hunting rule
File size:290'304 bytes
First seen:2022-07-25 06:15:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'746 x AgentTesla, 19'624 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:GI0JgvsdNXsPn4wiG2hrycgZeQ1vjG9bsBxboP/ScE/:GI0JgvsdNXsPn4hdcZelUbQ/S
Threatray 232 similar samples on MalwareBazaar
TLSH T19754D02EA3949AD6C13F4B3685B752E943B2D1C38272C3058CC4E3F56F62766EFA2055
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe LimeRAT RAT


Avatar
abuse_ch
LimeRAT C2:
212.193.30.230:82

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
212.193.30.230:82 https://threatfox.abuse.ch/ioc/839420/

Intelligence

File Origin
# of uploads :
1
# of downloads :
428
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/293882/
Detection(s):
SecuriteInfo.com.W32.AIDetectNet.01.15411.7077.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a window
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm packed
Link:
https://www.filescan.io/uploads/62de359c7dd0cb902ffa8dbc/reports/7f5e1f56-7e25-4377-8dca-9712668f829b/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
LimeRat
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bf65e926-0280-4212-87ab-b03b0efe0026
Result
Threat name:
LimeRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1040153
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Protects its processes via BreakOnTermination flag
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected LimeRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c9843b54a85a553deece49841f3afdbcd642836cb461cf66fc20c491077617b9/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2022-07-25 06:16:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
10 of 26 (38.46%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zgcdwvfiljkt33wojgcb6ox5xtlefa3mwrq46zx4edcjcb3wc64q._file
Verdict:
malicious
Similar samples:
11641e5c09be9d6161bb9f91711952b4b7976f9f3ce545ddfad2da41340a380b
LimeRAT
21b86512de83574c3ad44210d025e93fb28d205cfbd18825da0a64a52063b627
LimeRAT
387cc2ebbd93f8207e1fbf6ab34434dfb1dc04811d0937174f6251aa6e1cdaa1
LimeRAT
7c804b99b58ac30b0a4715dfc795c88d835513e1cf64c650c351976968e826a8
LimeRAT
8423897de4c0930e7f358bae1b974df4711a3e55ca95e42d1bb36886498ef491
LimeRAT
843097123a40e1442b2f08ce9c77ebc909a3e77e1ea3b6f21981a579ab2ea9be
LimeRAT
9ba22c0f43f4c60f3c36b116ccb2a8ed8abd33d26ce6d3d3088dd26392c9f115
LimeRAT
9e03afa6974efc9de0fb7dbab12febec78e0f54ce566c501aa74106b965de30f
LimeRAT
a9b46ddb3ed98e2ca5e71253a69f686e1f618f724821eb98b52b812844117f33
LimeRAT
efec42e842fb4f3a55881fef15c519b2c4fd66d195297361ef38ce24d9e6ddd4
LimeRAT
+ 222 additional samples on MalwareBazaar
Result
Malware family:
limerat
Create hunting rule
Score:
  10/10
Tags:
family:limerat rat
Link:
https://tria.ge/reports/220725-g1f9vaabb2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
LimeRAT
Unpacked files
SH256 hash:
c9843b54a85a553deece49841f3afdbcd642836cb461cf66fc20c491077617b9
MD5 hash:
4d46ee07b95bd28969da2747e302812a
SHA1 hash:
471fbb37ed12de588792190ca1ed2266261db7fb
Link:
https://www.unpac.me/results/fe3160ea-38dc-46c6-8ef7-cb691aeaefdf/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c9843b54a85a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/c9843b54a85a553deece49841f3afdbcd642836cb461cf66fc20c491077617b9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_LimeRAT
Create hunting rule
Author:ditekSHen
Description:LimeRAT payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_limerat_j1_00cfd931
Create hunting rule
Author:Johannes Bader
Description:detects the lime rat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/293882/

Comments