MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


LimeRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9
SHA3-384 hash: 4afcb9094be3228e40adf29c87a4d3d5b4424aa5fe517a3e6fb6930860daa758d7b7c28f94c95281e7c188e77c42c317
SHA1 hash: a00e93071fb481a0606efeac3850997c74fd51a2
MD5 hash: 72a80f214a15360ea3b4fe3cf38a99cf
humanhash: pip-dakota-spaghetti-bakerloo
File name:72a80f214a15360ea3b4fe3cf38a99cf.exe
Download: download sample
Signature LimeRAT
Create hunting rule
File size:120'688 bytes
First seen:2021-10-22 12:21:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 1536:j6zs2TwExwB57SywumR5e6kE4+0PvsFvmOw38ABVGKPP9ey+V9DkYdWLnudb7UfN:SYEwB4ywumRE6Q14vmOw38a9Mm
Threatray 208 similar samples on MalwareBazaar
TLSH T103C3F16897C88233DCFF5E3798A5DA01F730AA07BC52CA3FC5C881950D936535AB1799
Reporter abuse_ch
Tags:exe LimeRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
843
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/199390/
Detection(s):
SecuriteInfo.com.Artemis72A80F214A15.10115.19148.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a service
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the Windows subdirectories
Unauthorized injection to a recently created process
Adding exclusions to Windows Defender
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed packed
Link:
https://www.filescan.io/uploads/6172aceddb358dd15ed40bd2/reports/5bd2834f-c1f0-4e1d-b969-3658b0508fb2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/22c9a4de-ddbd-480f-a144-e9067fc75e13
Result
Threat name:
LimeRAT
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/875252
Signature
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected LimeRAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 507690 Sample: 6AXsKszuZq.exe Startdate: 22/10/2021 Architecture: WINDOWS Score: 100 70 Malicious sample detected (through community Yara rule) 2->70 72 Multi AV Scanner detection for submitted file 2->72 74 Yara detected UAC Bypass using CMSTP 2->74 76 7 other signatures 2->76 7 6AXsKszuZq.exe 18 6 2->7         started        12 svchost.exe 2->12         started        14 svchost.exe 2->14         started        16 7 other processes 2->16 process3 dnsIp4 64 cdn.discordapp.com 162.159.135.233, 443, 49726, 49729 CLOUDFLARENETUS United States 7->64 58 C:\Windows\Microsoft.NET\...\svchost.exe, PE32 7->58 dropped 60 C:\Windows\...\svchost.exe:Zone.Identifier, ASCII 7->60 dropped 78 Creates autostart registry keys with suspicious names 7->78 80 Creates an autostart registry key pointing to binary in C:\Windows 7->80 82 Adds a directory exclusion to Windows Defender 7->82 84 Drops PE files with benign system names 7->84 18 WerFault.exe 7->18         started        22 powershell.exe 25 7->22         started        24 powershell.exe 24 7->24         started        30 3 other processes 7->30 66 162.159.134.233, 443, 49755, 49756 CLOUDFLARENETUS United States 12->66 86 System process connects to network (likely due to code injection or exploit) 12->86 88 Multi AV Scanner detection for dropped file 12->88 90 Machine Learning detection for dropped file 12->90 26 powershell.exe 12->26         started        28 powershell.exe 12->28         started        32 3 other processes 12->32 92 Drops executables to the windows directory (C:\Windows) and starts them 14->92 34 4 other processes 14->34 68 127.0.0.1 unknown unknown 16->68 94 Changes security center settings (notifications, updates, antivirus, firewall) 16->94 36 3 other processes 16->36 file5 signatures6 process7 dnsIp8 62 192.168.2.1 unknown unknown 18->62 56 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->56 dropped 38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        42 conhost.exe 26->42         started        44 conhost.exe 28->44         started        46 conhost.exe 30->46         started        48 conhost.exe 32->48         started        50 conhost.exe 34->50         started        52 conhost.exe 34->52         started        54 conhost.exe 34->54         started        file9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-10-22 07:41:03 UTC
AV detection:
12 of 37 (32.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5uif6lcdmqztlpfowmcmsmvf2scmj3gkhtuzf4i4ph7pug7ckdmq._file
Verdict:
unknown
Similar samples:
278602396c9f613328746aa33d0fa09d0aac466c68ca349ec0d8193d664aef35
LimeRAT
434c9b4e79700ccfe8bb71a24861eeb3d24869b7ee9c0a4ebb83e5ea144a8873
LimeRAT
4dc95a3bcf000bee17c567dcb6047c2e523641ad704f6e677421e817440c51f4
LimeRAT
54ff8bf201c18be4c5685d5e80669d1aa817063c9a4a10d6a880c460fd0adf93
LimeRAT
67c2d1838c17151b34861887e15359c92dad555ce861d809b2f7cd9688e4455c
LimeRAT
6e44fa9228237b3e1dee57ebc6bc6dd747530b19f0b3ac16e74106b4df9af9a2
LimeRAT
9e614b7116a337119dc6f8c32722859fc862f485bc0169c66ad958b63744ceaf
LimeRAT
a58cf7753cdff434e81e0163ec97f8e1a8b32c80ddfa7cbf021778a759f78842
LimeRAT
ab199809bf3d853509ba7a0d68899c0681b684db1c460b679f9632ac4c75c94d
LimeRAT
d7b59654644c399eaf13d7460b928ebf8f94bfd9e97e4a135ef005719e4eb18b
LimeRAT
+ 198 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan
Link:
https://tria.ge/reports/211022-pjwxzaceaq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Adds Run key to start application
Windows security modification
Windows security bypass
Unpacked files
SH256 hash:
ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9
MD5 hash:
72a80f214a15360ea3b4fe3cf38a99cf
SHA1 hash:
a00e93071fb481a0606efeac3850997c74fd51a2
Link:
https://www.unpac.me/results/261297fb-7df3-4b3f-bd73-29c7f52a886e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

LimeRAT

Executable exe ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1705448/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/199390/

Comments