MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0296a426d47abf467c431db1e126b8763eac7d062e731193eccd15a51c52da7c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Lu0Bot


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0296a426d47abf467c431db1e126b8763eac7d062e731193eccd15a51c52da7c
SHA3-384 hash: ec7adc4ab5cf9f356ea2cdd438ad64a7ac0a09a89192223c13a5452274f255443175162efb3e6757b13f2561e3dbab2c
SHA1 hash: f627cffa4cf6502e8b5fef3158813778f5c19d53
MD5 hash: e5472cd4b33f5cad59901d4fea7c647d
humanhash: failed-nevada-early-lima
File name:file.exe
Download: download sample
Signature Lu0Bot
Create hunting rule
File size:2'584'064 bytes
First seen:2023-05-26 18:30:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:rUG5joOS6EeC1WpMxqWgOw41s3zEDDygQ4wjXIPJdZBEMNcUH:pS/HopMxqWg56f1VCIPR/
Threatray 272 similar samples on MalwareBazaar
TLSH T10EC53362F998DA31EC6487705DF383C75730B59546BAD78A27D219CE0E732A4AC3331A
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe Lu0Bot

Intelligence

File Origin
# of uploads :
1
# of downloads :
275
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file.exe
Verdict:
Suspicious activity
Analysis date:
2023-05-26 18:33:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cd19b058-a589-452e-9eac-afe444372c81

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/392240/
Detection(s):
Sanesecurity.Malware.29170.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Сreating synchronization primitives
DNS request
Sending a UDP request
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/88053/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
90%
Tags:
advpack.dll CAB cmd.exe installer lolbin lolbin packed rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/6470fae8f7d0a766534fd2c3/reports/c378ecb6-b8b8-42ef-9394-07a578024745/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/0296a426d47abf467c431db1e126b8763eac7d062e731193eccd15a51c52da7c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/e9a3aacd-5259-4e5b-ad7d-42a9c24d2015
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1243428
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 876437 Sample: file.exe Startdate: 26/05/2023 Architecture: WINDOWS Score: 48 23 Multi AV Scanner detection for submitted file 2->23 7 file.exe 1 9 2->7         started        10 rundll32.exe 2->10         started        process3 file4 19 C:\Users\user\AppData\...\gsebvpvnmv.dat, PE32+ 7->19 dropped 12 cmd.exe 2 7->12         started        process5 file6 21 C:\Users\user\AppData\Local\...\fuxckrqtv.exe, PE32 12->21 dropped 15 conhost.exe 12->15         started        17 fuxckrqtv.exe 1 12->17         started        process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0296a426d47abf467c431db1e126b8763eac7d062e731193eccd15a51c52da7c/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aklkijwupk7um7cddwy6cjvyoy7ky7igfzzrde7mzuk2khcs3j6a._file
Verdict:
suspicious
Similar samples:
242467ea19694c0e6cd76dcff901f5af6a309c2c999971b1dc4cd9bad253ea19
Lu0Bot
38eab87af431cba1bbec5ca10fa9502a0b110c1baf6372f5c271584b02eb2857
Lu0Bot
49ac79947d9ce11b0df34c8d18ea68d78e240dcd3d6cf8176fe10010493a5d3a
Lu0Bot
6f7ab51e9f0d382c650743cb3c06b42708cd06d64170a458864e89ad6480a237
Lu0Bot
8b3915b52f03e8a23c59146ceb7f9d50b0a59e466c2c4e1f3ac3e7875106350e
Lu0Bot
b13633b31e8704b63d977921d1c9a4284bfd4780c3f35a5bee372816d7beb005
Lu0Bot
b72f222928dada0a651782c863ea29cd26241aa31ceda87bdad68ea7c57d04c5
Lu0Bot
+ 262 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230526-w52hxagf96/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
f882d0e3d21effc549fad672e8cf07dff1645c79c94fa5ff653fbe9eb0e7c6c7
MD5 hash:
e8d44712e6060d55e778eada190f22f5
SHA1 hash:
06e51285979ce93d7708e7b34011f66c6f20e896
Link:
https://www.unpac.me/results/4e731979-d640-4b06-a7d0-f63432b38f3e/
SH256 hash:
0296a426d47abf467c431db1e126b8763eac7d062e731193eccd15a51c52da7c
MD5 hash:
e5472cd4b33f5cad59901d4fea7c647d
SHA1 hash:
f627cffa4cf6502e8b5fef3158813778f5c19d53
Link:
https://www.unpac.me/results/4e731979-d640-4b06-a7d0-f63432b38f3e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0296a426d47a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0296a426d47abf467c431db1e126b8763eac7d062e731193eccd15a51c52da7c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:lu0bot_packer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:Detection of Lu0bot CAB packer.
Rule name:lu0bot_wextract
Create hunting rule
Author:Rony (r0ny_123)
Description:Detects wextract files delivering Lu0bot

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/392240/

Comments