MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31fa43d98ac742905cf04735033e154fd103bc67c255cec63a7448ad138df0cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Lu0Bot


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 31fa43d98ac742905cf04735033e154fd103bc67c255cec63a7448ad138df0cf
SHA3-384 hash: cf12ed6fe6b2570515ee5057747ecc3d7594ccd4b1648e73faed6cbb0b4645530c1c9157cbc0a6cee9dfcedb12b56a48
SHA1 hash: fbd1011edabf7e5075a60be544e6cff997d05c6c
MD5 hash: 8368b877e634ff66c575dec32e44e1c5
humanhash: solar-river-music-artist
File name:8368b877e634ff66c575dec32e44e1c5.exe
Download: download sample
Signature Lu0Bot
Create hunting rule
File size:2'633'384 bytes
First seen:2023-07-19 06:33:11 UTC
Last seen:2023-07-20 02:25:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:E4i5RGU3BzRFRcXkEGNs9uOTb/hvHV8omIiguWHU0S0UMof8ts/CqMDYLByly:nMRl3xXiU5El18omGVyCo9Cd0ByA
TLSH T1E0C5330652C97211ECE337B44EFA23E71C387C80A7721BA7291CC8A915B669894B577F
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe Lu0Bot signed

Code Signing Certificate

Organisation:Polo Soft Corp
Issuer:Polo Soft Corp
Algorithm:sha256WithRSAEncryption
Valid from:2023-07-15T23:26:32Z
Valid to:2033-07-12T23:26:32Z
Serial number: 24bf31771ebd8b77a4da2489b1619ae85c01d607
Thumbprint Algorithm:SHA256
Thumbprint: 15402cd1b50126a05ad0f620547f82aa7f2d17f50462cba59b24eae34ec735c2
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
4
# of downloads :
288
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8368b877e634ff66c575dec32e44e1c5.exe
Verdict:
Malicious activity
Analysis date:
2023-07-19 06:37:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6da8b103-4dc4-4654-9596-ba3cf9355489

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/424502/
Detection(s):
Sanesecurity.Malware.29170.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Heur.7237.15680.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
90%
Tags:
advpack CAB cmd control expand explorer installer lolbin lolbin overlay packed rundll32 setupapi shell32
Link:
https://www.filescan.io/uploads/64b783dc2ad0f7418d6a27d8/reports/fee7eb73-e7ef-4ebc-8175-8db8894f47b1/overview
Verdict:
Malicious
Labled as:
Trojan/Generic
Link:
https://www.hybrid-analysis.com/sample/31fa43d98ac742905cf04735033e154fd103bc67c255cec63a7448ad138df0cf
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/1e5aa53c-c1d9-45a1-8dc0-d66fb3b562e4
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1275700
Signature
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1275700 Sample: pmcrQ9jSjc.exe Startdate: 19/07/2023 Architecture: WINDOWS Score: 56 24 Multi AV Scanner detection for submitted file 2->24 7 pmcrQ9jSjc.exe 1 9 2->7         started        10 rundll32.exe 2->10         started        process3 file4 20 C:\Users\user\AppData\Local\...\goixymry.dat, PE32+ 7->20 dropped 12 cmd.exe 2 7->12         started        process5 file6 22 C:\Users\user\AppData\Local\...\fulelepip.exe, PE32 12->22 dropped 15 fulelepip.exe 1 12->15         started        18 conhost.exe 12->18         started        process7 signatures8 26 Found evasive API chain (may stop execution after checking system information) 15->26 28 Found API chain indicative of debugger detection 15->28
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/31fa43d98ac742905cf04735033e154fd103bc67c255cec63a7448ad138df0cf/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-07-17 07:55:46 UTC
File Type:
PE (Exe)
Extracted files:
42
AV detection:
16 of 38 (42.11%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gh5ehwmky5bjaxhqi42qgpqvj7iqhpdhyjk45rr2orek2e4n6dhq._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230719-hbrvqagc46/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
2d6d50a76d2d0e48a59357c91acbaf3886969192a928c83dea2f1e1aabcef400
MD5 hash:
3f7a6d6d52112030dda38bbf844312ef
SHA1 hash:
6b6462d76fbbfa65b9b93d6dc02f38ef50209362
Link:
https://www.unpac.me/results/3deaa629-1a92-44bd-a024-8f44404c8736/
SH256 hash:
31fa43d98ac742905cf04735033e154fd103bc67c255cec63a7448ad138df0cf
MD5 hash:
8368b877e634ff66c575dec32e44e1c5
SHA1 hash:
fbd1011edabf7e5075a60be544e6cff997d05c6c
Link:
https://www.unpac.me/results/3deaa629-1a92-44bd-a024-8f44404c8736/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/31fa43d98ac7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:lu0bot_packer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:Detection of Lu0bot CAB packer.
Rule name:lu0bot_wextract
Create hunting rule
Author:Rony (r0ny_123)
Description:Detects wextract files delivering Lu0bot
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Lu0Bot

Executable exe 31fa43d98ac742905cf04735033e154fd103bc67c255cec63a7448ad138df0cf

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2685554/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/424502/

Comments