MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbd8cf97fe956b7262348b4862546d9b7736fd091bcacb4c563c3d2f44590853. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LimeRAT


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cbd8cf97fe956b7262348b4862546d9b7736fd091bcacb4c563c3d2f44590853
SHA3-384 hash: ce32ece987b6f50d93da869d0f409c796f3b65097cee736e60c85dc9e522a30b8e028befbaa12511da2e2e891134bcb2
SHA1 hash: 04af7ab751d71cf9c62814ba429f03537676945d
MD5 hash: beee17cb48aa97adb5d44143937e9ebc
humanhash: echo-golf-twenty-emma
File name:Purcchase Order Nl08152022.exe
Download: download sample
Signature LimeRAT
Create hunting rule
File size:534'528 bytes
First seen:2022-08-15 11:36:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'633 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:cCM2TgzrhCQq8Dc4C528xCmvvJbEUoaFmki9bF:lgkQq9dHxCIvxEnsk
Threatray 364 similar samples on MalwareBazaar
TLSH T12FB4AEAF2E9C5616CC7607B4ECAC0184A7F27DA13512D6DE6CA330D7C4B239C8798E56
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter lowmal3
Tags:exe LimeRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
347
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
limerat
Create hunting rule
ID:
1
File name:
Purcchase Order Nl08152022.exe
Verdict:
Malicious activity
Analysis date:
2022-08-15 11:37:05 UTC
Tags:
trojan limerat rat
Link:
https://app.any.run/tasks/1175ba5f-5dfd-4e22-9531-60a346b7bff5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/298649/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.1449.7153.3803.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62fa2fe4e4e65a67c4ab017f/reports/75df2f15-75fd-48fa-8e2b-698d21cd7252/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
LimeRat
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/52d4878f-8d47-45f6-b7b4-30155b2d4870
Result
Threat name:
AsyncRAT, LimeRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1051481
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected LimeRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 683987 Sample: Purcchase Order Nl08152022.exe Startdate: 15/08/2022 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 11 other signatures 2->41 7 Purcchase Order Nl08152022.exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\Roaming\BSzoIkgQ.exe, PE32 7->23 dropped 25 C:\Users\user\AppData\Local\...\tmpC50A.tmp, XML 7->25 dropped 27 C:\...\Purcchase Order Nl08152022.exe.log, ASCII 7->27 dropped 43 Writes to foreign memory regions 7->43 45 Adds a directory exclusion to Windows Defender 7->45 47 Injects a PE file into a foreign processes 7->47 11 MSBuild.exe 17 3 7->11         started        15 powershell.exe 25 7->15         started        17 schtasks.exe 1 7->17         started        signatures5 process6 dnsIp7 29 194.5.98.139, 20854, 49772 DANILENKODE Netherlands 11->29 31 pastebin.com 104.20.68.143, 443, 49771 CLOUDFLARENETUS United States 11->31 33 192.168.2.1 unknown unknown 11->33 49 Protects its processes via BreakOnTermination flag 11->49 51 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 11->51 19 conhost.exe 15->19         started        21 conhost.exe 17->21         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cbd8cf97fe956b7262348b4862546d9b7736fd091bcacb4c563c3d2f44590853/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-08-15 10:18:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
43
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zpmm7f76svvxeyrurnegevdntn3tn7ijdpfmwtcwhq6s6rczbbjq._file
Verdict:
malicious
Similar samples:
0d4a3632247cb7111743166b1eea26ef50d6ba2c67c3658ec4d7d8dfcdf00081
LimeRAT
14f1cb72626532c2d64768ef6a5ea6631b3b8274e22988e1c933c3ca3d7dca3c
LimeRAT
2bf197104a6418c886f206755e3f599ae9b1f90cf9771be981c30f427ecb228c
LimeRAT
6ace19befa598ac3913865abf5fea0eac3d66b77425a9700274094d58b50630f
LimeRAT
8b52c0ca8e1117f7be2e09a6ed854c4a7131d1f0950fcabd665999b96e254bf9
LimeRAT
bd06c34a413a4ca8e49ec57f8ea6f52f69eb16c4fce86db93761c4da50c94edc
LimeRAT
cde8d1b67e70594bf9013c5c15e66f3a821d0d79844c2cd98ec1bd8c7f7726c5
LimeRAT
ea7831b24678d8730a713c9c57653785fcfd92acdc773baab51a0c9dabdc79f9
LimeRAT
fadc03fc007070883778ae79c131e4c7b32e4fd9bcfce160471c2562c1a1fffb
LimeRAT
fcdb032b3ca98e852552b0fef55d098f05cc1da4137cf0b50ef78837788202bf
LimeRAT
+ 354 additional samples on MalwareBazaar
Result
Malware family:
limerat
Create hunting rule
Score:
  10/10
Tags:
family:limerat rat
Link:
https://tria.ge/reports/220815-nq5m1sdad3/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
LimeRAT
Unpacked files
SH256 hash:
1520a77d57860423efcfced58045a08f09b74f0be00c9dbf26e5e558edf678b7
MD5 hash:
7104b803b2deaea5f5226ede66abec92
SHA1 hash:
ce4220ab6b0757f552f137a512bfd3e4277005f8
Link:
https://www.unpac.me/results/ebaca942-3e54-4993-b92c-a71268cbb978/
SH256 hash:
aae400296436b3f62e63406ec029de2dec57c406fa193d2ac63ae9c9ffb3e06e
MD5 hash:
6b78de4a9c0f7f7d7c518e7fc29bd9f6
SHA1 hash:
c29e2658d908722ea03e5a5f1f416e85eec632e0
Link:
https://www.unpac.me/results/ebaca942-3e54-4993-b92c-a71268cbb978/
SH256 hash:
d8fceb0905970e51922db2b5685903b1a76eb7eb374a557d519852fd736056b4
MD5 hash:
38e33f0b689ec2a641ba1808a332d7f4
SHA1 hash:
b375078b14149407d6bc59a3928020963b43eb8e
Link:
https://www.unpac.me/results/ebaca942-3e54-4993-b92c-a71268cbb978/
SH256 hash:
9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034
MD5 hash:
93c6391d23c1aa1ed66fb13f82f2ee31
SHA1 hash:
220098c3047c32b51ae13a5cc1e9beeef3da6e18
Link:
https://www.unpac.me/results/ebaca942-3e54-4993-b92c-a71268cbb978/
SH256 hash:
1b72d49a5e3db7a7a157408ac93240c7e0316ed7f6ddd10befc1af7e4bf7f68c
MD5 hash:
9c1436a35d82492bd09b6d65e4eaf94a
SHA1 hash:
2177711310aef753f821b881a4ee7f64f3bc9ef8
Link:
https://www.unpac.me/results/ebaca942-3e54-4993-b92c-a71268cbb978/
SH256 hash:
cbd8cf97fe956b7262348b4862546d9b7736fd091bcacb4c563c3d2f44590853
MD5 hash:
beee17cb48aa97adb5d44143937e9ebc
SHA1 hash:
04af7ab751d71cf9c62814ba429f03537676945d
Link:
https://www.unpac.me/results/ebaca942-3e54-4993-b92c-a71268cbb978/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cbd8cf97fe956b7262348b4862546d9b7736fd091bcacb4c563c3d2f44590853

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

LimeRAT

Executable exe cbd8cf97fe956b7262348b4862546d9b7736fd091bcacb4c563c3d2f44590853

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/298649/

Comments