MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d721df670fdb63c643b3de2dcdd46311b8d94d2753b47ad0035392644dee77a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Lu0Bot

Vendor detections: 7



SHA256 hash: 2d721df670fdb63c643b3de2dcdd46311b8d94d2753b47ad0035392644dee77a
SHA3-384 hash: 70c61cf29741462d81c32bc5a3b5f208c19f5eb1ddc5198d67bd4e637f5f74ee557bc7a6631879ad4f728fe9f0033a22
SHA1 hash: 5da276eab60258a394cbb4bc2c3ff3570e202f5a
MD5 hash: 090ca6d0cf757ef15a469652e75c05d7
humanhash: princess-winner-lactose-crazy
File name: usfive_20211007-143832
Signature: Lu0Bot
File size: 2'560 bytes
First seen: 2021-10-07 13:40:29 UTC
Last seen: 2021-10-07 15:09:50 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2e5a1176fc39ed148165dbe2da2bad74 (1 x Lu0Bot)
ssdeep: 48:6jY/IjbcYCF+IBuVRdjMdxyC3tQ7lRvRvSlBS:b/1vuBAyCSf5vSlA
Threatray: 6 similar samples on MalwareBazaar
TLSH: T16D51DB3BA7B34FF2E229B377022BDB0536B5D430137750360B276179666ED6B4468B01
Reporter: benkow_
Tags: exe Lu0Bot

Intelligence


File Origin
# of uploads: 2
# of downloads: 178
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: usfive_20211007-143832
Verdict: Suspicious activity
Analysis date: 2021-10-07 13:41:30 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Clean
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Creating a window
DNS request
Connection attempt
Sending an HTTP GET request
Verdict: Suspicious
Threat level: 5/10
Confidence: 67%
Tags: packed
Result
Threat name:
Detection: malicious
Classification: spyw.evad
Score: 72 / 100
Signature
Downloads files via mshta.exe (likely to bypass HIPS)
Obfuscated command line found
Sigma detected: Mshta JavaScript Execution
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious MSHTA Process Patterns
Yara detected Lu0Bot
Behaviour
Behavior Graph (ID 498845; sample usfive_20211007-143832; start date 07/10/2021; architecture WINDOWS; score 72)
Top-level signatures: Yara detected Lu0Bot; Sigma detected: Mshta Spawning Windows Shell; Sigma detected: Mshta JavaScript Execution; 2 other signatures
Process tree:
- usfive_20211007-143832.exe (started)
  - signature: Downloads files via mshta.exe (likely to bypass HIPS)
  - mshta.exe (started)
    - network: olo57.shop 31.214.157.112, ports 49717, 49731, 80 (RACKPLACEDE, Germany)
    - signature: Obfuscated command line found
    - cmd.exe (started)
      - signature: Obfuscated command line found
      - cscript.exe (started)
        - signature: Obfuscated command line found
        - node.exe (started)
          - network: ran38.fun 104.244.79.125, ports 18223, 54155 (PONYNETUS, United States)
          - DNS: ran38a.fun
          - conhost.exe (started)
          - cmd.exe (started)
      - cscript.exe (started)
        - DNS: olo57.shop
      - expand.exe (started)
        - dropped: C:\ProgramData\DNTException\node.exe (copy), PE32
        - dropped: C:\...\cb4b3754e2719b438573f864d3b5bad6.tmp, PE32
      - conhost.exe (started)
Threat name: Win32.Trojan.Wacatac
Status: Malicious
First seen: 2021-10-07 13:41:13 UTC
AV detection: 6 of 28 (21.43%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: discovery
Behaviour
Checks processor information in registry
Enumerates processes with tasklist
Gathers network information
Gathers system information
NTFS ADS
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Drops file in Windows directory
Loads dropped DLL
Modifies file permissions
Blocklisted process makes network request
Executes dropped EXE
Unpacked files
SHA256 hash: 2d721df670fdb63c643b3de2dcdd46311b8d94d2753b47ad0035392644dee77a
MD5 hash: 090ca6d0cf757ef15a469652e75c05d7
SHA1 hash: 5da276eab60258a394cbb4bc2c3ff3570e202f5a
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: GCleaner

Comments