MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 169b23f45787a0213143bdbb4125658b4bee18e74cb9899c09c29233807bcd21. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Lu0Bot

Vendor detections: 10

Intelligence 10 IOCs YARA 7 File information Comments

SHA256 hash:	169b23f45787a0213143bdbb4125658b4bee18e74cb9899c09c29233807bcd21
SHA3-384 hash:	ff40dd709d494d75dd7f8363631134642db70e2e2a4b3a24ce1cfbdc2c75a4598300b63f716c5b5f04d55e473ed997f7
SHA1 hash:	6bfb70d4265675a09eb2d980b4a10c3bbc077004
MD5 hash:	65ef2eef1ccf3146b44010406a235cb7
humanhash:	asparagus-zebra-robert-louisiana
File name:	file
Download:	download sample
Signature	Lu0Bot Create hunting rule
File size:	3'979'440 bytes
First seen:	2023-10-05 17:47:31 UTC
Last seen:	2023-10-06 09:57:24 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep	98304:7bnvZYMmLfTUUzZbxksBk5ahKmZLcRp+VGQIjguwnf+z:XvZN0TUIZFHBk5hkIr+VVIjv9
Threatray	85 similar samples on MalwareBazaar
TLSH	T11D063311BAC4902AFCE82F7060FE22E70A3E7DBA195562870655586C9FF36C057743BB
TrID	70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 3.7% (.EXE) Win64 Executable (generic) (10523/12/4) 2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):
dhash icon	f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter	andretavare5
Tags:	exe Lu0Bot signed

Code Signing Certificate

Organisation:	Polo Soft Corp
Issuer:	Polo Soft Corp
Algorithm:	sha256WithRSAEncryption
Valid from:	2023-09-25T13:32:54Z
Valid to:	2033-09-22T13:32:54Z
Serial number:	10cfce6a5a98c3edb58f5407e4d076ce0650612c
Thumbprint Algorithm:	SHA256
Thumbprint:	aafd760b1de50656150ed8a25659f2be5d152b12fec80875e172457f8fb7d494
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

andretavare5

Sample downloaded from https://cdn.discordapp.com/attachments/1138093608747143333/1159527975616790618/fotha0925877.exe?ex=65315994&is=651ee494&hm=3ef25bde629919d016980588cc12e912244bb46930e942dd8eb1b373ba687cf7&

Intelligence

File Origin

# of uploads :

# of downloads :

327

Origin country :

Vendor Threat Intelligence

Malware family:

lu0bot

ID:

File name:

65ef2eef1ccf3146b44010406a235cb7.exe.vir

Verdict:

Malicious activity

Analysis date:

2023-10-06 02:00:59 UTC

Tags:

lu0bot botnet backdoor stealer

Link:

https://app.any.run/tasks/eda8baa7-d95e-4e6c-bb56-8e292ab3064b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Sanesecurity.Malware.29170.UNOFFICIAL

SecuriteInfo.com.Heur.7237.15680.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Running batch commands

Creating a process with a hidden window

Creating a process from a recently created file

Сreating synchronization primitives

DNS request

Sending a UDP request

Gathering data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

advpack CAB cmd control expand explorer installer lolbin lolbin overlay packed replace rundll32 setupapi shell32

Link:

https://www.filescan.io/uploads/651ef6d3a31588d184f23e95/reports/ce8d94f5-330f-4ccf-ab0c-737412c33bb4/overview

Verdict:

Malicious

Labled as:

Trojan/Generic

Link:

https://www.hybrid-analysis.com/sample/169b23f45787a0213143bdbb4125658b4bee18e74cb9899c09c29233807bcd21

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/59a0fe47-3765-404f-ad5b-10671e04de2f

Result

Threat name:

Lu0Bot

Detection:

malicious

Classification:

spyw.evad

Score:

48 / 100

Link:

https://www.joesandbox.com/analysis/1320484

Signature

Yara detected Lu0Bot

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/169b23f45787a0213143bdbb4125658b4bee18e74cb9899c09c29233807bcd21/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=c2nsh5cxq6qccmkdxw5ucjlfrnf64ghhjs4ythajykjdhad3zuqq._file

Result

Malware family:

n/a

Score:

7/10

Tags:

persistence

Link:

https://tria.ge/reports/231005-wdevtsdd4x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

Adds Run key to start application

Executes dropped EXE

Loads dropped DLL

Unpacked files

SH256 hash:

2d6d50a76d2d0e48a59357c91acbaf3886969192a928c83dea2f1e1aabcef400

MD5 hash:

3f7a6d6d52112030dda38bbf844312ef

SHA1 hash:

6b6462d76fbbfa65b9b93d6dc02f38ef50209362

Link:

https://www.unpac.me/results/8e3fee4f-9868-4f14-b742-001cd7c35a1d/

SH256 hash:

169b23f45787a0213143bdbb4125658b4bee18e74cb9899c09c29233807bcd21

MD5 hash:

65ef2eef1ccf3146b44010406a235cb7

SHA1 hash:

6bfb70d4265675a09eb2d980b4a10c3bbc077004

Link:

https://www.unpac.me/results/8e3fee4f-9868-4f14-b742-001cd7c35a1d/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/169b23f45787/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/169b23f45787a0213143bdbb4125658b4bee18e74cb9899c09c29233807bcd21

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	detect_Redline_Stealer Create hunting rule
Author:	Varp0s

Rule name:	lu0bot_packer_1 Create hunting rule
Author:	Nikolaos 'n0t' Totosis
Description:	Detection of Lu0bot CAB packer.

Rule name:	lu0bot_wextract Create hunting rule
Author:	Rony (r0ny_123)
Description:	Detects wextract files delivering Lu0bot

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	WHIRLPOOL_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

URLhaus

https://urlhaus.abuse.ch/url/2717243/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample