MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb96ceb0b26fc150baaa7fe1cc2a65af42c7db902f54839578b3235a7d12d25c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Lu0bot


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb96ceb0b26fc150baaa7fe1cc2a65af42c7db902f54839578b3235a7d12d25c
SHA3-384 hash: 0a49203a26dac4700f57991e212a19bfb1740dd8a9962be5fa509be69d14ef44a5c9ff610886a9cb9148fb19a7520b3c
SHA1 hash: 72cf1fea44687f03b7f5fc9af893dba0c9078d52
MD5 hash: a97e0c6b251ade8e08c5f677bc9c2e39
humanhash: kansas-ohio-oklahoma-georgia
File name:file.exe
Download: download sample
Signature Lu0bot
Create hunting rule
File size:2'440'704 bytes
First seen:2023-05-03 18:08:05 UTC
Last seen:2023-05-03 19:26:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 49152:26G5joOS6EeC1WpMxqWgOw41s3zEDD7PdOX+mvB5cKF9+5:+S/HopMxqWg56fxiVcKF
Threatray 270 similar samples on MalwareBazaar
TLSH T19BB533B6F5EA8723FC5497B05CF297871630799047E6C78A2BD0798D8AB36509C3730A
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe Lu0Bot

Intelligence

File Origin
# of uploads :
2
# of downloads :
263
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file.exe
Verdict:
Malicious activity
Analysis date:
2023-05-03 18:10:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1b0592dc-e34a-45f1-a057-2b998cfa2b54

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/386302/
Detection(s):
Sanesecurity.Malware.29170.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Сreating synchronization primitives
DNS request
Sending a UDP request
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/82348/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
90%
Tags:
advpack.dll CAB cmd.exe conhost exploit installer packed phishing rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/6452a33fa020199dc647b902/reports/20caaae4-7b3f-4c0b-b6d9-cacad5470d73/overview
Verdict:
Suspicious
Labled as:
Packed.CAB
Link:
https://www.hybrid-analysis.com/sample/cb96ceb0b26fc150baaa7fe1cc2a65af42c7db902f54839578b3235a7d12d25c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/fc839279-5d62-4e43-b80e-c94d03087da9
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1225575
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 858537 Sample: file.exe Startdate: 03/05/2023 Architecture: WINDOWS Score: 48 23 Multi AV Scanner detection for submitted file 2->23 7 file.exe 1 9 2->7         started        10 rundll32.exe 2->10         started        process3 file4 19 C:\Users\user\AppData\...\edyhktidfr.dat, PE32+ 7->19 dropped 12 cmd.exe 2 7->12         started        process5 file6 21 C:\Users\user\AppData\Local\...\conhost.exe, PE32 12->21 dropped 15 conhost.exe 12->15         started        17 conhost.exe 1 12->17         started        process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cb96ceb0b26fc150baaa7fe1cc2a65af42c7db902f54839578b3235a7d12d25c/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zolm5mfsn7avbovkp7q4yktfv5bmpw4qf5kihflywmrvu7is2joa._file
Verdict:
suspicious
Similar samples:
242467ea19694c0e6cd76dcff901f5af6a309c2c999971b1dc4cd9bad253ea19
Lu0bot
38eab87af431cba1bbec5ca10fa9502a0b110c1baf6372f5c271584b02eb2857
Lu0bot
49ac79947d9ce11b0df34c8d18ea68d78e240dcd3d6cf8176fe10010493a5d3a
Lu0bot
8b3915b52f03e8a23c59146ceb7f9d50b0a59e466c2c4e1f3ac3e7875106350e
Lu0bot
b13633b31e8704b63d977921d1c9a4284bfd4780c3f35a5bee372816d7beb005
Lu0bot
b72f222928dada0a651782c863ea29cd26241aa31ceda87bdad68ea7c57d04c5
Lu0bot
bf5b770fa754d54c658f859e85873708b92b757179eb761629d0ea83f6d5f9cb
Lu0bot
+ 260 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230503-wrfpaafg99/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
9cd461b4db912bb9b6737b478231699f9da41e8e1e492e0f2608d45fe3ff3ee6
MD5 hash:
7debfc8a046f2b10e39b8612acf93311
SHA1 hash:
a406e23bdaddbba131315cd18822239d585e9969
Link:
https://www.unpac.me/results/1aa82637-f313-4b68-8f27-5f2746c1da8f/
SH256 hash:
cb96ceb0b26fc150baaa7fe1cc2a65af42c7db902f54839578b3235a7d12d25c
MD5 hash:
a97e0c6b251ade8e08c5f677bc9c2e39
SHA1 hash:
72cf1fea44687f03b7f5fc9af893dba0c9078d52
Link:
https://www.unpac.me/results/1aa82637-f313-4b68-8f27-5f2746c1da8f/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cb96ceb0b26f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cb96ceb0b26fc150baaa7fe1cc2a65af42c7db902f54839578b3235a7d12d25c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:lu0bot_packer_1
Create hunting rule
Author:Nikolaos 'n0t' Totosis
Description:Detection of Lu0bot CAB packer.
Rule name:lu0bot_wextract
Create hunting rule
Author:Rony (r0ny_123)
Description:Detects wextract files delivering Lu0bot

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/386302/

Comments