MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9a4ca25bc03af4718bd0304a26b877569839e4d328b4355f26f1537bfcca6fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LimeRAT

Vendor detections: 6

Intelligence 6 IOCs YARA 7 File information Comments

SHA256 hash:	f9a4ca25bc03af4718bd0304a26b877569839e4d328b4355f26f1537bfcca6fe
SHA3-384 hash:	217d33befc083d19749b9ea7b5697e047ae29c5609b0a71417cb4f85558a5733b8f07b5f5b80b8ff7aa8e2ee6ed52784
SHA1 hash:	6fc1110c408206b1254fc16de7bb60141c714acb
MD5 hash:	54bb67da412a4b5a6642c80d64e55fce
humanhash:	uncle-network-music-mountain
File name:	04bfba0dc9f498dc8e7bcdece0ce894e
Download:	download sample
Signature	LimeRAT Create hunting rule
File size:	4'136'960 bytes
First seen:	2020-11-17 12:45:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	009023b6b22e202aa54365d2270f6f95 (2 x DarkComet, 1 x LimeRAT, 1 x AgentTesla)
ssdeep	49152:iK1xXboWpev5UrRQtRZIO94NNFOouc9HjtuMUClP/XEH3Yh5:T3n5P/XEXw5
Threatray	4 similar samples on MalwareBazaar
TLSH	9616F12FAD94B9B4D3B006FF582156844B201E6F87D6BB1E790DF7A84C7EF128588721
Reporter	seifreed
Tags:	LimeRAT

Intelligence

File Origin

# of uploads :

# of downloads :

725

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Packed.Samas-7998113-0

Win.Packed.Razy-9625918-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a file in the %temp% directory

Creating a process from a recently created file

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Creating a window

Deleting a recently created file

DNS request

Sending a custom TCP request

Connection attempt

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Unauthorized injection to a system process

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f9a4ca25bc03af4718bd0304a26b877569839e4d328b4355f26f1537bfcca6fe/

Threat name:

Win32.Dropper.Effbee

Status:

Malicious

First seen:

2020-11-17 12:50:49 UTC

AV detection:

23 of 28 (82.14%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7gsmujn4aoxuogf5amcke24hovuyhhsngkfugvpsn4ktpp6mu37a._file

Verdict:

malicious

Label(s):

asyncrat

LimeRAT

7c911b4d457b1b6124a1211cd4737c056e9a12dc930a05edfe7289cbed11e86c

LimeRAT

a4bd1ce6832e9cfa0078b39e7dc035047ff593ff4f875fd19ed7ab54508fa7e4

LimeRAT

e38724644ed4643ebcdea6b0ae8345bf094d9f6e6d81b0acb244f96a3129077e

LimeRAT

Unpacked files

SH256 hash:

f9a4ca25bc03af4718bd0304a26b877569839e4d328b4355f26f1537bfcca6fe

MD5 hash:

54bb67da412a4b5a6642c80d64e55fce

SHA1 hash:

6fc1110c408206b1254fc16de7bb60141c714acb

Detections:

win_asyncrat_w0

Link:

https://www.unpac.me/results/19e1a98a-c27b-4eff-b04a-5e0cf0351545/

SH256 hash:

330420202d7d79851eeeb5c209ebef079f258437c65f01d57059757cd24e79a2

MD5 hash:

0a1c82260388c9651207fefaa06a1c8a

SHA1 hash:

2b03a2f086154d4d9506e320db08fac7495d369c

Link:

https://www.unpac.me/results/19e1a98a-c27b-4eff-b04a-5e0cf0351545/

SH256 hash:

e64d203a55a5cd5dc3096cace565f31d0d8f877ad13bcde9b49ad08ee3590fff

MD5 hash:

98022642ebbebdb98172f0323e641944

SHA1 hash:

2c394c3583a41b6f540b6832f5585a96300bcd37

Link:

https://www.unpac.me/results/19e1a98a-c27b-4eff-b04a-5e0cf0351545/

SH256 hash:

8d2bb7a2e7ecfc9851a3794332e86f16dacedb865426a9dfe1a2eb8d629afca9

MD5 hash:

7d111b693996ed29a75f1f8126d80e61

SHA1 hash:

43ec972004723eb31e7e3edacfda556e46dfd6e5

Link:

https://www.unpac.me/results/19e1a98a-c27b-4eff-b04a-5e0cf0351545/

SH256 hash:

bb54f9a9820cdd1d0945c64023393511b2505c54367bdae4c3d3b63b5c859e73

MD5 hash:

01c981b095a49fd87a5f5ca56a0af4b7

SHA1 hash:

8bdcd68982fa7a9ac3390b2845a5371b90fa3eb8

Link:

https://www.unpac.me/results/19e1a98a-c27b-4eff-b04a-5e0cf0351545/

SH256 hash:

3aa395f65a4c7d67d4821d478328808409fa8bf0db5448787663c296fc85652e

MD5 hash:

bc8acfc2141fb98925f55201959881f2

SHA1 hash:

cc4d8f3476eccd2e89790fc9b1964c587621aeaf

Link:

https://www.unpac.me/results/19e1a98a-c27b-4eff-b04a-5e0cf0351545/

SH256 hash:

404fcc48e9f7df60bb2e53a7ef232675f093705c8def57bb4599b75c171d742a

MD5 hash:

88fa6cec8ae352dee174671c682636db

SHA1 hash:

ed943da7677f9af82c157334629be50c429a89cc

Link:

https://www.unpac.me/results/19e1a98a-c27b-4eff-b04a-5e0cf0351545/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	asyncrat Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect AsyncRat in memory
Reference:	internal research

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE).

Rule name:	MALWARE_Win_LimeRAT Create hunting rule
Author:	ditekshen
Description:	LimeRAT payload

Rule name:	Reverse_text_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Reverse text detected

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name:	win_asyncrat_j1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects AsyncRAT

Rule name:	win_asyncrat_w0 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect AsyncRat in memory
Reference:	internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample