MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 863c612734f5ff0ff0ea3fed7fd790dfb43c47eecdc1417bcd82c0ad866419af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Lu0Bot


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 863c612734f5ff0ff0ea3fed7fd790dfb43c47eecdc1417bcd82c0ad866419af
SHA3-384 hash: a9078ae204a9cf4582e6598f55cb09a4f70d0765def8dd382995eb6e944ffa332fd74305ad9f52fcc43c6eaaf466507c
SHA1 hash: df78c1cca98d6f260f744a2b0639e1fff1c11a5e
MD5 hash: 463127c9a2b5eb1bca799aced10e4954
humanhash: sodium-dakota-blossom-lamp
File name:usfive_20210720-060205
Download: download sample
Signature Lu0Bot
Create hunting rule
File size:3'072 bytes
First seen:2021-07-20 08:13:12 UTC
Last seen:2021-07-20 08:42:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bacb1b451bd198b6224176f15e1822f4 (1 x Lu0Bot)
ssdeep 48:629BhkUjgKFW4guqoTkHr0QZKhkUjgKFGwnBa6laBSh:xE4xTkHrqQAZaA
Threatray 18 similar samples on MalwareBazaar
TLSH T1D451954B85E658C6E29E9676519B840DE3E1F82043FA01321B08967A48D3321A27DF38
Reporter benkow_
Tags:exe Lu0Bot

Intelligence

File Origin
# of uploads :
2
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
usfive_20210720-060205
Verdict:
Malicious activity
Analysis date:
2021-07-20 08:16:01 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/cf976270-1a52-4250-93c7-4da9fd79a83c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Lu0Bot
Create hunting rule
Link:
https://www.capesandbox.com/analysis/172725/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.407.5324.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3061facb-9fff-46b0-bf21-5e4bf3ea2f5d
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/818735
Signature
Downloads files via mshta.exe (likely to bypass HIPS)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS queries to domains with low reputation
Sigma detected: Mshta JavaScript Execution
Sigma detected: MSHTA Spawning Windows Shell
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 451146 Sample: usfive_20210720-060205 Startdate: 20/07/2021 Architecture: WINDOWS Score: 80 59 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->59 61 Multi AV Scanner detection for submitted file 2->61 63 Sigma detected: Mshta Spawning Windows Shell 2->63 65 2 other signatures 2->65 10 usfive_20210720-060205.exe 2->10         started        process3 signatures4 69 Downloads files via mshta.exe (likely to bypass HIPS) 10->69 13 mshta.exe 1 10->13         started        process5 dnsIp6 47 asu00.xyz 5.188.206.211, 19584, 49711, 49714 KREZ999ASBG Russian Federation 13->47 49 asu02.shop 13->49 71 Obfuscated command line found 13->71 17 cmd.exe 4 13->17         started        signatures7 process8 signatures9 57 Obfuscated command line found 17->57 20 cscript.exe 2 17->20         started        23 cscript.exe 2 17->23         started        26 expand.exe 8 17->26         started        29 conhost.exe 17->29         started        process10 dnsIp11 67 Obfuscated command line found 20->67 31 node.exe 3 20->31         started        45 asu02.shop 23->45 35 MpCmdRun.exe 1 23->35         started        43 C:\...\7900da021949fd4a966f16711fced30e.tmp, PE32 26->43 dropped file12 signatures13 process14 dnsIp15 51 lu0.viewdns.net 31->51 53 asu00.xyz 31->53 55 Performs DNS queries to domains with low reputation 31->55 37 conhost.exe 31->37         started        39 cmd.exe 31->39         started        41 conhost.exe 35->41         started        signatures16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/863c612734f5ff0ff0ea3fed7fd790dfb43c47eecdc1417bcd82c0ad866419af/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-07-20 07:09:24 UTC
AV detection:
7 of 46 (15.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qy6gcjzu6x7q74hkh7wx7v4q362dyr7ozxauc66nqlak3btedgxq._file
Verdict:
unknown
Similar samples:
3139ed0df84c327db60fb109ac29aee322c9340327a24382270c321fa645a2e5
Lu0Bot
4636055b5170ddb11d94a466c0c93e57ad40caf68a036274bdf2ded620a22bce
Lu0Bot
79f15bc55fcc0e2f863a81accfb76b601531a909ebf009d57176dd18edf46d7d
Lu0Bot
805a071c8e38fca4e3602881ff33ac7a2afba65bb61cd7adda873950bf2779cb
Lu0Bot
9435308eb1024c0e11753dc2412b9243af69d7388817e3aebc59a4a58f2ec372
Lu0Bot
9abd8b37403ea5e7b381e0644acc6655dc01efc4be1edf69992c5a68c33eff1f
Lu0Bot
aeccef59002b851b685cf54307f906c06adb065b68c3eff112f4b0f1442d1349
Lu0Bot
bdad93534a202f7d3c2f102dc39093fa12a32f5de82c76a5fb41a94e1748d99e
Lu0Bot
d325c45529e7211242f65cabe3549dd635a23fc43b48c2b2a64ccff8d54c1ee2
Lu0Bot
+ 8 additional samples on MalwareBazaar
Result
Malware family:
lu0bot
Create hunting rule
Score:
  10/10
Tags:
family:lu0bot discovery stealer trojan
Link:
https://tria.ge/reports/210720-9dv9wttvax/
Behaviour
Checks processor information in registry
Enumerates processes with tasklist
Gathers network information
Gathers system information
NTFS ADS
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Drops file in Windows directory
Loads dropped DLL
Modifies file permissions
Blocklisted process makes network request
Executes dropped EXE
Lu0bot
Unpacked files
SH256 hash:
863c612734f5ff0ff0ea3fed7fd790dfb43c47eecdc1417bcd82c0ad866419af
MD5 hash:
463127c9a2b5eb1bca799aced10e4954
SHA1 hash:
df78c1cca98d6f260f744a2b0639e1fff1c11a5e
Link:
https://www.unpac.me/results/c61ee7e3-d51f-4e1a-804b-24484bbf266b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/863c612734f5ff0ff0ea3fed7fd790dfb43c47eecdc1417bcd82c0ad866419af

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://fumik0.com/2021/06/24/lu0bot-an-unknown-nodejs-malware-using-udp/
  
Dropped by
GCleaner
  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/172725/

Comments