MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0718b209bd95315b8347d3f006b7da387f9807153ebe8b2788285296e19b5973. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Lu0Bot


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0718b209bd95315b8347d3f006b7da387f9807153ebe8b2788285296e19b5973
SHA3-384 hash: 071c0971ed1649238715c76dfca607997d8615a84644d0ae26e1fa93e02a6cf6bf05c565c228591f1c6d5c2ef5e6f260
SHA1 hash: 6c3d984c0ca199395713289365ba0801b3d8ed47
MD5 hash: c05bd7a14d725a1862c5a8e6cb77b447
humanhash: undress-purple-tango-don
File name:c05bd7a14d725a1862c5a8e6cb77b447.exe
Download: download sample
Signature Lu0Bot
Create hunting rule
File size:2'378'752 bytes
First seen:2023-04-10 11:11:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:/I4OP5COu3O1nMS3kA877PA1uYl9G1VxV9S16KPOHAbX1d:8kOu3G3Z1u+9G1t9MpOHABd
Threatray 263 similar samples on MalwareBazaar
TLSH T143B5335272EC4437E67483300AEA45C7093AB975AE38425FABC6ED991FB37C07468B17
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe Lu0Bot

Intelligence

File Origin
# of uploads :
1
# of downloads :
315
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c05bd7a14d725a1862c5a8e6cb77b447.exe
Verdict:
Malicious activity
Analysis date:
2023-04-10 11:14:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b7e0da5f-4212-4e62-8f61-33d40a0cef18

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/381189/
Detection(s):
Sanesecurity.Malware.29170.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Сreating synchronization primitives
DNS request
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/77222/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Labled as:
Packed.CAB
Link:
https://www.hybrid-analysis.com/sample/0718b209bd95315b8347d3f006b7da387f9807153ebe8b2788285296e19b5973
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/6ce48efa-cd1e-482c-9c65-332a0bcb1ac2
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1211061
Signature
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 843977 Sample: TBfeXS6VYm.exe Startdate: 10/04/2023 Architecture: WINDOWS Score: 56 24 Multi AV Scanner detection for submitted file 2->24 7 TBfeXS6VYm.exe 1 8 2->7         started        10 rundll32.exe 2->10         started        process3 file4 20 C:\Users\user\AppData\...\edqiiokteur.dat, PE32+ 7->20 dropped 12 cmd.exe 2 7->12         started        process5 file6 22 C:\Users\user\AppData\Local\...\conhost.exe, PE32 12->22 dropped 15 conhost.exe 1 12->15         started        18 conhost.exe 12->18         started        process7 signatures8 26 Found evasive API chain (may stop execution after checking system information) 15->26 28 Found API chain indicative of debugger detection 15->28
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0718b209bd95315b8347d3f006b7da387f9807153ebe8b2788285296e19b5973/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a4mlecn5suyvxa2h2pyann62hb7zqbyvh27iwj4ifbjjnym3lfzq._file
Verdict:
suspicious
Similar samples:
155c76210badfc3ef9bfc764a7ab3cb9702f76c9d63351a213f61d44abbf0b4f
Lu0Bot
18055486aef1f706a69134be283fffdad9c49f5ffecda5d869e74c2ae882cd6c
Lu0Bot
242467ea19694c0e6cd76dcff901f5af6a309c2c999971b1dc4cd9bad253ea19
Lu0Bot
38eab87af431cba1bbec5ca10fa9502a0b110c1baf6372f5c271584b02eb2857
Lu0Bot
4b4eb8ac2362a026112033f822d2b84d5da55e18c922790d8dd2a905fdaad8cb
Lu0Bot
5920894ae997b61f27b53c9f6e598df5f928acb11a5dc09f4fa0627747f1312d
Lu0Bot
8b3915b52f03e8a23c59146ceb7f9d50b0a59e466c2c4e1f3ac3e7875106350e
Lu0Bot
ae54c18727715192eb0e5160f7ef9f7ff2382a517679a6c84e1136280ed11aee
Lu0Bot
+ 253 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230410-nat7caaf9y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
2bccdd561ce0bce62025fcbac3026d4ac0a68c9d8df6dfef43b87848079bfb93
MD5 hash:
1c019d8c415aaa3bd61561c91d45147f
SHA1 hash:
c78147377a193fdcccc4dd39acd5a07bc0912389
Link:
https://www.unpac.me/results/0ef2cbe8-50d4-4b4d-adb6-2cfd21f424b6/
SH256 hash:
0718b209bd95315b8347d3f006b7da387f9807153ebe8b2788285296e19b5973
MD5 hash:
c05bd7a14d725a1862c5a8e6cb77b447
SHA1 hash:
6c3d984c0ca199395713289365ba0801b3d8ed47
Link:
https://www.unpac.me/results/0ef2cbe8-50d4-4b4d-adb6-2cfd21f424b6/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0718b209bd95/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0718b209bd95315b8347d3f006b7da387f9807153ebe8b2788285296e19b5973

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:lu0bot_wextract
Create hunting rule
Author:Rony (r0ny_123)
Description:Detects wextract files delivering Lu0bot

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/381189/

Comments