MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d42ae9509a110e4c8316bb71949c14a908f38277cbf6b4d2a216ba173aa24e55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LimeRAT

Vendor detections: 13

Intelligence 13 IOCs YARA 8 File information Comments

SHA256 hash:	d42ae9509a110e4c8316bb71949c14a908f38277cbf6b4d2a216ba173aa24e55
SHA3-384 hash:	75f0e9c62a2eae65dedc521098c82c6241d8cbc3d8de4b0b3f0ec1f7f837458d15df0a1788b1f90b2de3ff6175035ed2
SHA1 hash:	e727aa6dc2ce6d62e5bd65114593c2409a18ae0e
MD5 hash:	9f3ca5ba03052e6b65900b8198dd9235
humanhash:	missouri-vegan-golf-nevada
File name:	ServiceHub.exe
Download:	download sample
Signature	LimeRAT Create hunting rule
File size:	694'784 bytes
First seen:	2022-03-11 18:00:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:KRGKq41y0yHUUF1/A/ZMvGTsv+wD1IRJ+ZN1JBCGonUaH1nq1o3:lKq510U3/SOvPGkZ13onp
Threatray	2'946 similar samples on MalwareBazaar
TLSH	T1BFE49E3436F78514E3BE9A7187E5B64D46B9E4032573E37B18C652C20F22B81CD8BB66
Reporter	adm1n_usa32
Tags:	exe LimeRAT

Intelligence

File Origin

# of uploads :

# of downloads :

530

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ServiceHub.exe

Verdict:

Malicious activity

Analysis date:

2022-03-11 17:57:43 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/785c8d23-75c1-480a-9a4a-06bcf0aa61f9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/249642/

Detection(s):

PUA.Win.Packer.Upolyx-12

Win.Dropper.LimeRAT-8281001-0

Win.Malware.Barys-6836745-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

Sending a custom TCP request

Launching a process

DNS request

Creating a process with a hidden window

Blocking the System Restore

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug anti-vm configsecuritypolicy.exe control.exe evasive explorer.exe hacktool limerat mpcmdrun.exe msconfig.exe netsh.exe njrat obfuscated obfuscated packed rat regasm.exe regedit.exe remote.exe replace.exe schtasks.exe update.exe wscript.exe xwizard.exe

Link:

https://www.filescan.io/uploads/622b8e64b94fb38cb45e880a/reports/b90546f1-211e-4473-82ae-ece7632896e8/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

LimeRat

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a1cc6a5b-a2df-4992-82ea-f1f44c0103ce

Result

Threat name:

LimeRAT

Detection:

malicious

Classification:

rans.troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/955098

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Connects to a pastebin service (likely for C&C)

Deletes shadow drive data (may be related to ransomware)

Detected unpacking (overwrites its own PE header)

Disables Windows Defender (via service or powershell)

Disables Windows system restore

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

May disable shadow drive data (uses vssadmin)

Modifies the windows firewall

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Sigma detected: Copying Sensitive Files with Credential Data

Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities

Sigma detected: Suspicious Remote Thread Created

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses netsh to modify the Windows network and firewall settings

Yara detected AntiVM3

Yara detected LimeRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d42ae9509a110e4c8316bb71949c14a908f38277cbf6b4d2a216ba173aa24e55/

Threat name:

ByteCode-MSIL.Backdoor.Citrate

Status:

Malicious

First seen:

2022-01-29 20:20:11 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 33 (81.82%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2qvosue2cehezaywxnyzjhauveephatxzp3ljuvcc25boovcjzkq._file

Verdict:

malicious

Label(s):

ryuk

Result

Malware family:

limerat

Score:

10/10

Tags:

family:limerat evasion persistence ransomware rat trojan

Link:

https://tria.ge/reports/220311-wlv7saafb9/

Behaviour

Creates scheduled task(s)

Delays execution with timeout.exe

Disables Windows logging functionality

Interacts with shadow copies

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Enumerates physical storage devices

Program crash

Drops file in Windows directory

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Checks computer location settings

Deletes itself

Drops file in Drivers directory

Executes dropped EXE

Deletes shadow copies

Contains code to disable Windows Defender

LimeRAT

Modifies WinLogon for persistence

Modifies Windows Defender Real-time Protection settings

Modifies security service

Unpacked files

SH256 hash:

d42ae9509a110e4c8316bb71949c14a908f38277cbf6b4d2a216ba173aa24e55

MD5 hash:

9f3ca5ba03052e6b65900b8198dd9235

SHA1 hash:

e727aa6dc2ce6d62e5bd65114593c2409a18ae0e

Detections:

win_blacknet_rat_w0

Link:

https://www.unpac.me/results/79969022-a12f-41af-a2ed-56c5fddd0b5d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.50

Link:

https://yomi.yoroi.company/submissions/d42ae9509a110e4c8316bb71949c14a908f38277cbf6b4d2a216ba173aa24e55

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_DisableWinDefender Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing artifcats associated with disabling Widnows Defender

Rule name:	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender Create hunting rule
Author:	ditekSHen
Description:	Detects executables embedding registry key / value combination indicative of disabling Windows Defedner features

Rule name:	INDICATOR_SUSPICIOUS_GENRansomware Create hunting rule
Author:	ditekSHen
Description:	detects command variations typically used by ransomware

Rule name:	INDICATOR_SUSPICIOUS_References_SecTools Create hunting rule
Author:	ditekSHen
Description:	Detects executables referencing many IR and analysis tools

Rule name:	MALWARE_Win_LimeRAT Create hunting rule
Author:	ditekSHen
Description:	LimeRAT payload

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_blacknet_rat_w0 Create hunting rule
Author:	K7 Security Labs
Description:	BlackNet Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/249642/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample