MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e143f931ee42c00b0132a92d8ee6439862f81a2f99904e0ec3000f04cf353245. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LimeRAT


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e143f931ee42c00b0132a92d8ee6439862f81a2f99904e0ec3000f04cf353245
SHA3-384 hash: 8c7f2e119366366326d42ff50e52d372bdffc998e452d09ff26c0ae564c9be881ab97b5d8bf6a0c0f3e588b0b594f694
SHA1 hash: bc8fc6fcee2401efb0f830123c677e28f0d5ace4
MD5 hash: b8cfa222736bb2e4a133d5f2bfa54cb3
humanhash: august-alpha-undress-finch
File name:b8cfa222736bb2e4a133d5f2bfa54cb3
Download: download sample
Signature LimeRAT
Create hunting rule
File size:71'680 bytes
First seen:2023-08-21 15:53:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b1141867ae472c2bfcfa281c505949ed (1 x EternityStealer, 1 x LimeRAT)
ssdeep 768:yB+XYKjVoNvpO0PM246qVKyFVKR274SmetRQvrE67BAyziEXMcie8SK4L:iSKy+VGtRQvDAa2cieD
Threatray 2'257 similar samples on MalwareBazaar
TLSH T14A636C0239C0C032C5816A71663FD2D3696B7D504EB6C58F77B96BBA8EB11903E36727
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe LimeRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
354
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
b8cfa222736bb2e4a133d5f2bfa54cb3
Verdict:
Malicious activity
Analysis date:
2023-08-21 15:56:05 UTC
Tags:
loader stealer redline evasion
Link:
https://app.any.run/tasks/07226ed5-dd11-460f-97c6-62df001cf17c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/443992/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.6036.20081.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Searching for synchronization primitives
Reading critical registry keys
Running batch commands
Launching the process to change network settings
Creating a window
Unauthorized injection to a recently created process
Stealing user critical data
Sending a TCP request to an infection source
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/108237/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/e143f931ee42c00b0132a92d8ee6439862f81a2f99904e0ec3000f04cf353245
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e5d44079-6a7f-4051-a262-fceed3b00687
Result
Threat name:
LimeRAT, AsyncRAT, DcRat, Eternity Steal
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1294644
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates a thread in another existing process (thread injection)
Encrypted powershell cmdline option found
Found hidden mapped module (file has been removed from disk)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Powershell drops PE file
Protects its processes via BreakOnTermination flag
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Capture Wi-Fi password
Sigma detected: LimeRAT
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Writes to foreign memory regions
Yara detected AsyncRAT
Yara detected DcRat
Yara detected Eternity Stealer
Yara detected Generic Downloader
Yara detected LimeRAT
Yara detected RedLine Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1294644 Sample: tnT41YJaPW.exe Startdate: 21/08/2023 Architecture: WINDOWS Score: 100 108 t.me 2->108 120 Snort IDS alert for network traffic 2->120 122 Malicious sample detected (through community Yara rule) 2->122 124 Antivirus detection for URL or domain 2->124 126 23 other signatures 2->126 11 tnT41YJaPW.exe 3 2->11         started        14 cmd.exe 2->14         started        16 DiscordUppdataRas.exe 2->16         started        18 3 other processes 2->18 signatures3 process4 signatures5 166 Very long command line found 11->166 168 Encrypted powershell cmdline option found 11->168 20 powershell.exe 15 23 11->20         started        25 conhost.exe 11->25         started        170 Uses powercfg.exe to modify the power settings 14->170 172 Uses netsh to modify the Windows network and firewall settings 14->172 174 Tries to harvest and steal WLAN passwords 14->174 27 conhost.exe 14->27         started        29 sc.exe 14->29         started        31 sc.exe 14->31         started        37 3 other processes 14->37 176 Antivirus detection for dropped file 16->176 178 Multi AV Scanner detection for dropped file 16->178 180 Machine Learning detection for dropped file 16->180 182 Modifies power options to not sleep / hibernate 18->182 33 conhost.exe 18->33         started        35 conhost.exe 18->35         started        39 5 other processes 18->39 process6 dnsIp7 110 enesoftware.top 172.67.202.225, 49706, 80 CLOUDFLARENETUS United States 20->110 88 C:\Users\user\AppData\Local\Temp\6.exe, PE32+ 20->88 dropped 90 C:\Users\user\AppData\Local\Temp\5.exe, PE32 20->90 dropped 92 C:\Users\user\AppData\Local\Temp\4.exe, PE32 20->92 dropped 94 3 other malicious files 20->94 dropped 138 Powershell drops PE file 20->138 41 6.exe 20->41         started        45 4.exe 20->45         started        48 2.exe 5 20->48         started        50 4 other processes 20->50 file8 signatures9 process10 dnsIp11 96 C:\Users\user\AppData\...\zyxmspyorxiu.tmp, PE32+ 41->96 dropped 98 C:\Program Filesbehaviorgraphoogles\Chromes\updIs.exe, PE32+ 41->98 dropped 100 C:\Windows\System32\drivers\etc\hosts, ASCII 41->100 dropped 140 Suspicious powershell command line found 41->140 158 6 other signatures 41->158 52 dialer.exe 41->52         started        112 ip-api.com 208.95.112.1, 49708, 80 TUT-ASUS United States 45->112 142 Antivirus detection for dropped file 45->142 144 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 45->144 146 May check the online IP address of the machine 45->146 160 4 other signatures 45->160 55 cmd.exe 45->55         started        102 C:\Users\user\...\DiscordUppdataRas.exe, PE32 48->102 dropped 148 Multi AV Scanner detection for dropped file 48->148 150 Protects its processes via BreakOnTermination flag 48->150 152 Machine Learning detection for dropped file 48->152 162 2 other signatures 48->162 57 schtasks.exe 48->57         started        114 5.42.65.101, 48790, 49717 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 50->114 104 C:\Users\user\AppData\...\DefenderEsxi.exe, PE32 50->104 dropped 106 C:\Users\user\AppData\Roaming\Decoder.exe, PE32 50->106 dropped 154 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 50->154 156 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 50->156 164 3 other signatures 50->164 59 cmd.exe 50->59         started        61 cmd.exe 50->61         started        63 conhost.exe 50->63         started        file12 signatures13 process14 signatures15 128 Injects code into the Windows Explorer (explorer.exe) 52->128 130 Writes to foreign memory regions 52->130 132 Allocates memory in foreign processes 52->132 136 2 other signatures 52->136 65 lsass.exe 52->65 injected 68 svchost.exe 52->68         started        70 winlogon.exe 52->70 injected 78 5 other processes 52->78 134 Tries to harvest and steal WLAN passwords 55->134 80 4 other processes 55->80 72 conhost.exe 57->72         started        74 conhost.exe 59->74         started        76 timeout.exe 59->76         started        82 2 other processes 61->82 process16 signatures17 116 Writes to foreign memory regions 65->116 84 BackgroundTransferHost.exe 65->84         started        118 Changes security center settings (notifications, updates, antivirus, firewall) 68->118 86 Conhost.exe 74->86         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e143f931ee42c00b0132a92d8ee6439862f81a2f99904e0ec3000f04cf353245/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-08-21 15:54:08 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
10 of 38 (26.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4fb7smpoilaawajsvewy5zsdtbrpqgrptgie4dwdaahqjtzvgjcq._file
Verdict:
malicious
Similar samples:
00939e25e104ed776c705ef7bbafe2aaf3f684a77a55385597f319b364241196
LimeRAT
43ab825086c6cb0ffccc887273a2acd37f81e0b48de001334579278f7da8e54a
LimeRAT
48211c6f957c2ad024441be3fc32aecd7c317dfc92523b0a675c0cfec86ffdd9
LimeRAT
6fa605c719933e2bdd8cde82c00b62753086b62027206f2d787daae772a21736
LimeRAT
73387abd4f9966ec875dd96feb2f8ea23743564ec817c11e4d311588a8a424b1
LimeRAT
95a69137e57a900e7f2721395b6aaf1695d74f16f5e44410557514dca8849ef3
LimeRAT
b9d131247fa8488311afe5da12d699c984cbbf71ba7edf8b560d11c18ea9872c
LimeRAT
c29e86a3004211718df934dff69c681243ecd855e3749ecb76e2bc490aa01456
LimeRAT
ce7a9a4a88a1a9f154bb4e0650864933d87fd75bef94ec000faf24f75d0a308f
LimeRAT
efaaa8ecbfb81f33bbfb791209f0e386756b6a5242428d178efda0ad93ac64bf
LimeRAT
+ 2'247 additional samples on MalwareBazaar
Result
Malware family:
limerat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:eternity family:limerat rat spyware stealer
Link:
https://tria.ge/reports/230821-tb7fysfe9w/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies system certificate store
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
.NET Reactor proctector
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Async RAT payload
AsyncRat
Eternity
LimeRAT
Malware Config
C2 Extraction:
http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
Unpacked files
SH256 hash:
0b065a51448d7fadfb1d8dc02f6d599cc63e94540c54f10d988de229938c9dc7
MD5 hash:
1bc1338e7a94e07be6612ab943637646
SHA1 hash:
c6027903d824397661850af68f78e23089315966
Link:
https://www.unpac.me/results/0a415bca-744e-48bb-b2f3-906ac2819a9a/
SH256 hash:
e143f931ee42c00b0132a92d8ee6439862f81a2f99904e0ec3000f04cf353245
MD5 hash:
b8cfa222736bb2e4a133d5f2bfa54cb3
SHA1 hash:
bc8fc6fcee2401efb0f830123c677e28f0d5ace4
Link:
https://www.unpac.me/results/0a415bca-744e-48bb-b2f3-906ac2819a9a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e143f931ee42/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e143f931ee42c00b0132a92d8ee6439862f81a2f99904e0ec3000f04cf353245

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LimeRAT

Executable exe e143f931ee42c00b0132a92d8ee6439862f81a2f99904e0ec3000f04cf353245

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2705932/
Cape
Cape
https://www.capesandbox.com/analysis/443992/

Comments


Avatar
zbet commented on 2023-08-21 15:53:16 UTC

url : hxxps://enesoftware.top/i.exe