MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b13633b31e8704b63d977921d1c9a4284bfd4780c3f35a5bee372816d7beb005. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Lu0Bot


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b13633b31e8704b63d977921d1c9a4284bfd4780c3f35a5bee372816d7beb005
SHA3-384 hash: ed8b00b4d8c25b26064f6d65097bab10a06f6ad581fa453f29f11d2f9f16f23d5962019e0c9a60013a85494a656c736c
SHA1 hash: 13afc4291b20736c7191ea99ca6370bf16a8d0ad
MD5 hash: 774f34a4c76cb6cc74e39124ae7684da
humanhash: connecticut-iowa-equal-eight
File name:774f34a4c76cb6cc74e39124ae7684da
Download: download sample
Signature Lu0Bot
Create hunting rule
File size:2'316'800 bytes
First seen:2023-04-02 14:56:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:pU2q08HdEFVwcQYTTekQ3YbF4tPKJ5pxP5SoNDGhg:dAlvCTWYbF9P5TDGh
Threatray 259 similar samples on MalwareBazaar
TLSH T18EB5339326ED4678D6B3A7B448F389970F79BC012925855BB1EB8D8868F06C06D3437F
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:774f34a4c76cb6cc74e39124ae7684da exe Lu0Bot

Intelligence

File Origin
# of uploads :
1
# of downloads :
267
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
774f34a4c76cb6cc74e39124ae7684da
Verdict:
Malicious activity
Analysis date:
2023-04-02 14:58:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/227d9141-8150-4969-ac0a-a29a60050fec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/379350/
Detection(s):
Sanesecurity.Malware.29170.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Сreating synchronization primitives
DNS request
Sending a UDP request
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/76109/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Labled as:
Packed.CAB
Link:
https://www.hybrid-analysis.com/sample/b13633b31e8704b63d977921d1c9a4284bfd4780c3f35a5bee372816d7beb005
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4ebeb314-e67f-4ebc-aaed-751267e9162e
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1206592
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 839508 Sample: jV8txAAMTY.exe Startdate: 02/04/2023 Architecture: WINDOWS Score: 48 23 Multi AV Scanner detection for submitted file 2->23 7 jV8txAAMTY.exe 1 8 2->7         started        10 rundll32.exe 2->10         started        process3 file4 19 C:\Users\user\AppData\Local\...\eddudsnlh.dat, PE32+ 7->19 dropped 12 cmd.exe 2 7->12         started        process5 file6 21 C:\Users\user\AppData\Local\...\conhost.exe, PE32 12->21 dropped 15 conhost.exe 12->15         started        17 conhost.exe 1 12->17         started        process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b13633b31e8704b63d977921d1c9a4284bfd4780c3f35a5bee372816d7beb005/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=we3dhmy6q4clmpmxpeq5dsnefbf72r4aypzvuw7og4ubnv56wacq._file
Verdict:
suspicious
Similar samples:
155c76210badfc3ef9bfc764a7ab3cb9702f76c9d63351a213f61d44abbf0b4f
Lu0Bot
18055486aef1f706a69134be283fffdad9c49f5ffecda5d869e74c2ae882cd6c
Lu0Bot
242467ea19694c0e6cd76dcff901f5af6a309c2c999971b1dc4cd9bad253ea19
Lu0Bot
38eab87af431cba1bbec5ca10fa9502a0b110c1baf6372f5c271584b02eb2857
Lu0Bot
4b4eb8ac2362a026112033f822d2b84d5da55e18c922790d8dd2a905fdaad8cb
Lu0Bot
5920894ae997b61f27b53c9f6e598df5f928acb11a5dc09f4fa0627747f1312d
Lu0Bot
8b3915b52f03e8a23c59146ceb7f9d50b0a59e466c2c4e1f3ac3e7875106350e
Lu0Bot
ae54c18727715192eb0e5160f7ef9f7ff2382a517679a6c84e1136280ed11aee
Lu0Bot
+ 249 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230402-sblntagg92/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
a5a883b80fb701928c357ceb2ef01ad128d5b3c7a9ec166e4cc43615fa8b2f9b
MD5 hash:
428a840e1cff6163db1e71f3ead7a80c
SHA1 hash:
56c9a1118f8368cfa5c35b7fc1408cd1123a845b
Link:
https://www.unpac.me/results/c16bfde9-2e56-4794-b3bd-0c4a0154685b/
SH256 hash:
b13633b31e8704b63d977921d1c9a4284bfd4780c3f35a5bee372816d7beb005
MD5 hash:
774f34a4c76cb6cc74e39124ae7684da
SHA1 hash:
13afc4291b20736c7191ea99ca6370bf16a8d0ad
Link:
https://www.unpac.me/results/c16bfde9-2e56-4794-b3bd-0c4a0154685b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b13633b31e8704b63d977921d1c9a4284bfd4780c3f35a5bee372816d7beb005

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Suspicious_Macro_Presence
Create hunting rule
Author:Mehmet Ali Kerimoglu (CYB3RMX)
Description:This rule detects common malicious/suspicious implementations.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/379350/

Comments