lu0bot

Sharing

Copy URL

Twitter E-mail

General

Target

gcleaner 27July.zip
Size

2.8MB
Sample

210727-v21jpeshts
MD5

eef97e21331f6cee5979d4b2ee0d0e58
SHA1

33b83bb71b6045cbcbbbc73b127cf89d11677918
SHA256

3e458be66bcf00d7be180728e6b4abda715cadd1788dbcdbeda322d64b47e999
SHA512

e782528407ef86134d052ad1649c4c7fb9f592b23569c53d3753de16717226e4a596b364cf9d8aed634d5ee93afdb3a7f5625f375d4c5bab63dd3e81434b54a3

Score

10^/10

Malware Config

Extracted

Family

vidar

Version

39.7

Botnet

818

https://shpak125.tumblr.com/

Attributes

profile_id
818

Targets

- Target
  
  eufive_20210727-123655(1)
- Size
  
  3KB
- MD5
  
  8705b09520e5b460cdee9b5e9fbba0a0
- SHA1
  
  28a6a1ecdd518b457fcfd9cd492c44b91f299cdd
- SHA256
  
  2c6a67dfddb50c345b9b168994067d82d126315930c84d00b549dc6a8e8aa711
- SHA512
  
  0d77222abf2099fd20847e138d206c609fa383fe6dc7dc1c419017de55dcf1da88df84f91fce5b34ffd4a756c1820b653400fbf6139d389ff63f6aa79dc8c7ac
Score

1^/10
behavioral1 behavioral2
- Target
  
  eufive_20210727-125230(1)
- Size
  
  3KB
- MD5
  
  a761191fcfbb734c45f3d7ba61d2ccde
- SHA1
  
  3d37da91baf133d14e746d85cc9d8197d78cd0b9
- SHA256
  
  545b3f1af9322de70ef2b27c9b383be4f6c22f508320d55d4b3787cc0eebce50
- SHA512
  
  6add2e95ba16cac3ffc60697df7df9ba30b437aed94a1593bce7808ae686f980792a7327e8a204e40ba149b9d42045a3952ba1e32b0a5f24a0d3e38488f8a6ed
Score

10^/10

lu0bot discovery stealer suricata trojan
- Lu0bot
  Lu0bot is a lightweight infostealer written in NodeJS.
  trojan stealer lu0bot
- suricata: ET MALWARE lu0bot Loader HTTP Request
  suricata
- suricata: ET MALWARE lu0bot Loader HTTP Response
  suricata
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
behavioral3 behavioral4
- Target
  
  eufive_20210727-174641
- Size
  
  3KB
- MD5
  
  13e7feb9430554945b5aa4f6b5524d66
- SHA1
  
  3d644cfe881c9c5e80f94f0173dc3fa3169e145b
- SHA256
  
  bf44cfa6534d38b172ea611502230f1978f26a28cb1b510ed1c2cd6bd15f007f
- SHA512
  
  271912df0b8a74a9081a1c3457ac4290c19cd88ade2d42a48683d187aea9391c3fa6505154dcfa15358c3ca273c2203548c3d579dad0b4d063fd91d72bf4cc08
Score

10^/10

lu0bot discovery stealer suricata trojan
- Lu0bot
  Lu0bot is a lightweight infostealer written in NodeJS.
  trojan stealer lu0bot
- suricata: ET MALWARE lu0bot Loader HTTP Request
  suricata
- suricata: ET MALWARE lu0bot Loader HTTP Response
  suricata
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
behavioral5 behavioral6
- Target
  
  mixazed_20210727-123659(1)
- Size
  
  587KB
- MD5
  
  cf0e22b94c52719fe9ea4bf41a78bacd
- SHA1
  
  b3065e236f7084da9648fd6e7d835746b9697ef7
- SHA256
  
  29f1fb21f3d56e989819a03d69270f700adcc6112f15d63c61bc8b950d08bfbd
- SHA512
  
  4174f0b3f45b49cbdc84bedddc18b108394a08d46bbfa6271999d1156ddb9689967742abb63ebdf1de44d3494a832f5afcc7d4d45585bf991028c95406791f82
Score

8^/10

discovery spyware stealer
- Downloads MZ/PE file
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral7 behavioral8
- Target
  
  mixazed_20210727-132631(1)
- Size
  
  587KB
- MD5
  
  245892804c29606229b19495b5821203
- SHA1
  
  9cba70fd93c62a836473acec047a5e564eb20279
- SHA256
  
  6e42f1d40f5b6081f5fcf108855ea6d41ff66f2d2f29a0116d8bef13511a2d0c
- SHA512
  
  382d29e1031c1681bc68198bad432698daea1bc46a43a599f19c43bbbb42566c3109b74f4fc4b234ff82d8ecf856ef4907d3dca40f53357f827d475b7d79b8b8
Score

8^/10

discovery spyware stealer
- Downloads MZ/PE file
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral9 behavioral10
- Target
  
  mixazed_20210727-134206(1)
- Size
  
  586KB
- MD5
  
  f41543a644518a10310dc1ad0f426a2f
- SHA1
  
  ff264d3050f0ba4b051297436d179f8ae085f0dd
- SHA256
  
  4cadd46b6ff2ab3dc1ebcf6687480e22da27c4b44902a9d13d3a0c7454b6c854
- SHA512
  
  f2b95fd006cb9b77bd0c820158bf39d32f983fbffac86defa662c5430e3db8c789aa69a7593aa9a26c9737066e8b55a550b83f66231d5b816c7523e4bf67194e
Score

8^/10

discovery spyware stealer
- Downloads MZ/PE file
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral11 behavioral12
- Target
  
  mixsix_20210727-190432(1)
- Size
  
  1.2MB
- MD5
  
  a534cfd4be201d21fadbf222466b4bca
- SHA1
  
  ff937711252ca8b2394cb8baa29573de74b6c337
- SHA256
  
  c62ad002abbd09658ffd493be169df816d4432bdcbb4f34e054cbf8615c26308
- SHA512
  
  4f6ca1ab46ffa09d4c45af46670de439b06e534e179b65b6c3a9f5be444784db8845f2646302efd900bc7c5dab638da9f0078cf0f13912260d832ceb0c8c1e2d
Score

8^/10

discovery spyware stealer
- Downloads MZ/PE file
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral13 behavioral14
- Target
  
  usfive_20210727-123716(1)
- Size
  
  665KB
- MD5
  
  47753a43e07b40887ebb2ebe814ef4f0
- SHA1
  
  3f7dbd5d3407b7250bf0cc9a2c8dc83167c209be
- SHA256
  
  38dabf5820cdd270c14b0157c883e2e53f38bc24824e66948dad824d7b077de1
- SHA512
  
  b6c62d1c5c809027433380ae8186300ef0f2b6b2fa8e79a581f4575020c4feadfce000a65e7d5f4c7d25051e79b4908dfbc7f48598a03e5142ff1f97cfdccf32
Score

10^/10

vidar 818 discovery spyware stealer suricata
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata
- Vidar Stealer
  stealer
- Downloads MZ/PE file
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral15 behavioral16

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Hidden Files and Directories

T1158

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

suricata: ET MALWARE lu0bot Loader HTTP Request

suricata: ET MALWARE lu0bot Loader HTTP Response

Blocklisted process makes network request

Executes dropped EXE

Loads dropped DLL

Modifies file permissions

Lu0bot

suricata: ET MALWARE lu0bot Loader HTTP Request

suricata: ET MALWARE lu0bot Loader HTTP Response

Blocklisted process makes network request

Executes dropped EXE

Loads dropped DLL

Modifies file permissions

Downloads MZ/PE file

Deletes itself

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Checks installed software on the system

Downloads MZ/PE file

Deletes itself

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Checks installed software on the system

Downloads MZ/PE file

Deletes itself

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Checks installed software on the system

Downloads MZ/PE file

Deletes itself

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Checks installed software on the system

Suspicious use of SetThreadContext

Vidar

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

Vidar Stealer

Downloads MZ/PE file

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16