MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0297bbb0f00b3f591894ebcf042f2c6b0ed52e6662def1a9dbca0f8d20133cee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Lu0Bot


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0297bbb0f00b3f591894ebcf042f2c6b0ed52e6662def1a9dbca0f8d20133cee
SHA3-384 hash: c4f5b25a091c55eebd14930fa5240ccb4d0d3a7c7ac417a5c1c7d333c8f148a49b3850df62bb04c156602e67c4037e3f
SHA1 hash: cdc7a9cf8ee36099c823779ac2dd8ffe3a84d723
MD5 hash: 4a6ac8d48c9793c0c852a6ac93ba2002
humanhash: alaska-shade-lemon-king
File name:usfive_20210818-031956
Download: download sample
Signature Lu0Bot
Create hunting rule
File size:2'560 bytes
First seen:2021-08-18 14:29:03 UTC
Last seen:2023-09-27 13:51:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d0e384aa95abd36d281a3e456d0e4dbe (1 x Lu0Bot)
ssdeep 24:etGSB4iEcc2Es92sSwSo8cJFmGhlqPMozfv1jTdpVY1YR8Xm2rfepDEIBS:6CFc0XspSo8MFjoxzH1jNY1dhrcEIBS
Threatray 6 similar samples on MalwareBazaar
TLSH T1E151B61F79DB1CB0C1CA433502826F8C34779654976A83310793143E713AF39282EF6A
Reporter benkow_
Tags:exe Lu0Bot

Intelligence

File Origin
# of uploads :
3
# of downloads :
143
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
usfive_20210818-031956
Verdict:
Malicious activity
Analysis date:
2021-08-18 14:30:59 UTC
Tags:
trojan lu0bot
Link:
https://app.any.run/tasks/75d6443c-17aa-45b8-91af-2973f3982f81

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Lu0Bot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/180361/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.29503.23721.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6d3d9004-4a0d-4a0a-98e9-a6def6d960f4
Result
Threat name:
Lu0Bot
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/835186
Signature
Downloads files via mshta.exe (likely to bypass HIPS)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Mshta JavaScript Execution
Sigma detected: MSHTA Spawning Windows Shell
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Lu0Bot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 467617 Sample: usfive_20210818-031956 Startdate: 18/08/2021 Architecture: WINDOWS Score: 84 52 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 Yara detected Lu0Bot 2->56 58 3 other signatures 2->58 10 usfive_20210818-031956.exe 2->10         started        process3 signatures4 62 Downloads files via mshta.exe (likely to bypass HIPS) 10->62 13 mshta.exe 1 10->13         started        process5 dnsIp6 44 asu10.fun 5.188.206.211, 19584, 49704, 49705 KREZ999ASBG Russian Federation 13->44 64 Obfuscated command line found 13->64 17 cmd.exe 4 13->17         started        signatures7 process8 signatures9 50 Obfuscated command line found 17->50 20 cscript.exe 2 17->20         started        23 cscript.exe 2 17->23         started        26 expand.exe 8 17->26         started        29 conhost.exe 17->29         started        process10 dnsIp11 60 Obfuscated command line found 20->60 31 node.exe 3 20->31         started        42 asu10.fun 23->42 38 C:\ProgramData\DNTException\node.exe (copy), PE32 26->38 dropped 40 C:\...\42b02afe324de742b33987e7e1623b95.tmp, PE32 26->40 dropped file12 signatures13 process14 dnsIp15 46 lu1.viewdns.net 31->46 48 asu10.fun 31->48 34 conhost.exe 31->34         started        36 cmd.exe 31->36         started        process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0297bbb0f00b3f591894ebcf042f2c6b0ed52e6662def1a9dbca0f8d20133cee/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-08-18 14:30:07 UTC
AV detection:
9 of 28 (32.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=akl3xmhqbm7vsgeu5phqilzmnmhnkltgmlppdko3zihy2iathtxa._file
Verdict:
unknown
Similar samples:
053e7603d2776f39c17d74cd5a095d2fa4727ce019cb91274c135be4b9732358
Lu0Bot
9db5c02ac4e161369160fe13719a212e55377dd57ffc9f98b7141bce3b9df26c
Lu0Bot
9ddc9ee2af5c7f4c792ea3b4887828ea5bf494c2591f4de09de456b94f142e7a
Lu0Bot
cb23aeac6382ff99608a71e3b416c1ca22f5f301474840239e4c319db31cef25
Lu0Bot
db246897a0efe3c4b3cd4b9f832067815fa920045e9a5a3d0881dc9ffd958fb0
Lu0Bot
Result
Malware family:
lu0bot
Create hunting rule
Score:
  10/10
Tags:
family:lu0bot discovery stealer suricata trojan
Link:
https://tria.ge/reports/210818-dd58xx2gsa/
Behaviour
Checks processor information in registry
Enumerates processes with tasklist
Gathers network information
Gathers system information
NTFS ADS
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Drops file in Windows directory
Loads dropped DLL
Modifies file permissions
Blocklisted process makes network request
Executes dropped EXE
Lu0bot
suricata: ET MALWARE lu0bot Loader HTTP Request
suricata: ET MALWARE lu0bot Loader HTTP Response
Unpacked files
SH256 hash:
0297bbb0f00b3f591894ebcf042f2c6b0ed52e6662def1a9dbca0f8d20133cee
MD5 hash:
4a6ac8d48c9793c0c852a6ac93ba2002
SHA1 hash:
cdc7a9cf8ee36099c823779ac2dd8ffe3a84d723
Link:
https://www.unpac.me/results/6a50e459-98d6-4c2b-b0cb-af77cd057730/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0297bbb0f00b3f591894ebcf042f2c6b0ed52e6662def1a9dbca0f8d20133cee

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
GCleaner
  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/180361/

Comments