MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5f67f6e64c6524f7cd1dcda342b95c9c175f86e7e2c10c24dd5af478f0a0b40. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LimeRAT

Vendor detections: 17

Intelligence 17 IOCs YARA 14 File information Comments

SHA256 hash:	f5f67f6e64c6524f7cd1dcda342b95c9c175f86e7e2c10c24dd5af478f0a0b40
SHA3-384 hash:	ee3edc95f87c532417954a216d1fb52f861115523771f1f7ec0a231bb5324853929ad79c7fcc1e9e3b76ebf8b6af93fd
SHA1 hash:	ed13d69de43570998edca4258b929bfaf0271bfe
MD5 hash:	e9e6a9e19d2e39d74f5d650bddf6c856
humanhash:	pasta-uranus-ohio-sad
File name:	New-Client.exe
Download:	download sample
Signature	LimeRAT Create hunting rule
File size:	399'872 bytes
First seen:	2026-04-29 00:45:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (49'013 x AgentTesla, 19'919 x Formbook, 12'332 x SnakeKeylogger)
ssdeep	768:sj8T/2iB9/fi/Jak5Ni5rMYbUugGwog1s3xg//L//////////y/////////////i:sjG2iB9OJFlPuxwo4uxg/uS
TLSH	T177844A2437D1F01EC69D5AB28F86F0B816703D5A5E568A2639CCB3CF39BED904978361
TrID	69.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.1% (.EXE) Win64 Executable (generic) (6522/11/2) 4.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	31f09c969696f871 (14 x NanoCore, 5 x AsyncRAT, 4 x LimeRAT)
Reporter	AntiAbuseSheild
Tags:	exe LimeRAT RAT

Intelligence

File Origin

# of uploads :

# of downloads :

163

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

limerat

ID:

File name:

New-Client.exe

Verdict:

Malicious activity

Analysis date:

2026-04-29 00:35:06 UTC

Tags:

auto-reg pastebin limerat rat

Link:

https://app.any.run/tasks/0ea53024-b1c7-4a47-bf6b-e4e1d18204a7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

LimeRAT

Link:

https://www.capesandbox.com/analysis/63946/

Detection(s):

Win.Dropper.LimeRAT-10030053-0

Win.Malware.Barys-6836745-0

YARA.DITEKSHEN_MALWARE_Win_Limerat.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

Creating a file in the %AppData% directory

Launching a process

Creating a process with a hidden window

Creating a process from a recently created file

Creating a file

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %temp% directory

Launching a service

Unauthorized injection to a recently created process

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm backdoor base64 coinminer config-extracted fingerprint limerat limerat lolbin obfuscated rat reconnaissance regasm schtasks unsafe vbnet windows

Link:

https://www.filescan.io/uploads/69f154c4594172aacc4fd414/reports/82a4ab11-f95a-42c5-bfe0-2f97fe0a297d/overview

Verdict:

Malicious

Labled as:

MSIL.LimeRAT.Generic

Link:

https://www.hybrid-analysis.com/sample/f5f67f6e64c6524f7cd1dcda342b95c9c175f86e7e2c10c24dd5af478f0a0b40

Verdict:

Malicious

File Type:

exe x32

First seen:

2026-04-28T21:38:00Z UTC

Last seen:

2026-04-28T22:03:00Z UTC

Hits:

~10

Detections:

PDM:Trojan.Win32.Tasker.cust PDM:Trojan.Win32.Generic HEUR:Trojan.MSIL.Tasker.gen HEUR:Trojan.MSIL.Agent.gen Backdoor.MSIL.Citrate.sb

Link:

https://opentip.kaspersky.com/f5f67f6e64c6524f7cd1dcda342b95c9c175f86e7e2c10c24dd5af478f0a0b40/results?tab=lookup

Malware family:

LimeRat

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4bd58e21-a868-43c0-b3fd-f3fca7f7c33c

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/f5f67f6e64c6524f7cd1dcda342b95c9c175f86e7e2c10c24dd5af478f0a0b40

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f5f67f6e64c6524f7cd1dcda342b95c9c175f86e7e2c10c24dd5af478f0a0b40/

Verdict:

Malicious

Threat:

Family.LIMERAT

Link:

https://tip.neiki.dev/file/f5f67f6e64c6524f7cd1dcda342b95c9c175f86e7e2c10c24dd5af478f0a0b40

Threat name:

ByteCode-MSIL.Backdoor.LimeRAT

Status:

Malicious

First seen:

2026-04-29 00:35:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 24 (100.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6x3h63teyzje67gr3tndik4vzhaxl6dopywbbqsn2wxupdykbnaa._file

Verdict:

malicious

Label(s):

limerat

Similar samples:

error

LimeRAT

Result

Malware family:

limerat

Score:

10/10

Tags:

family:limerat discovery execution persistence rat

Link:

https://tria.ge/reports/260429-a4q5wsfx9y/

Behaviour

Modifies registry class

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Contacts third-party web service commonly abused for C2

Maps connected drives based on registry

Checks computer location settings

Executes dropped EXE

Family: LimeRAT

Unpacked files

SH256 hash:

f5f67f6e64c6524f7cd1dcda342b95c9c175f86e7e2c10c24dd5af478f0a0b40

MD5 hash:

e9e6a9e19d2e39d74f5d650bddf6c856

SHA1 hash:

ed13d69de43570998edca4258b929bfaf0271bfe

Detections:

LimeRat

Link:

https://www.unpac.me/results/3ca253d0-f569-4724-983c-773829c8b031/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f5f67f6e64c6524f7cd1dcda342b95c9c175f86e7e2c10c24dd5af478f0a0b40

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ByteCode_MSIL_Backdoor_LimeRAT Create hunting rule
Author:	ReversingLabs
Description:	Yara rule that detects LimeRAT backdoor.

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	LimeRAT Create hunting rule
Author:	RustyNoob619
Description:	Detects Lime RAT malware samples based on the strings matched

Rule name:	MALWARE_Win_LimeRAT Create hunting rule
Author:	ditekSHen
Description:	LimeRAT payload

Rule name:	MALWARE_Win_LimeRAT Create hunting rule
Description:	LimeRAT payload

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	VECT_Ransomware Create hunting rule
Author:	Mustafa Bakhit
Description:	Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.