Analyzing Lu0Bot: A Node.js Malware with Vast Capabilities
Common Information
Type Value
UUID 2723675a-a24f-4e49-a789-734d2f5d488e
Fingerprint 8010fb0905f40683
Analysis status DONE
Considered CTI value 2
Text language
Published Sept. 26, 2023, 9:03 a.m.
Added to db Oct. 22, 2023, 9:15 p.m.
Last updated Nov. 17, 2024, 10:40 p.m.
Headline Analyzing Lu0Bot: A Node.js Malware with Near-Unlimited Capabilities
Title Analyzing Lu0Bot: A Node.js Malware with Vast Capabilities
Detected Hints/Tags/Attributes 85/2/34
RSS Feed
Id  Feed title                    Url                                       Added to db
14  ANY.RUN's Cybersecurity Blog  https://any.run/cybersecurity-blog/feed/  2024-08-30 22:08
Attributes
Type                     #Events  Value
Domain                       911  any.run
Domain                        87  app.any.run
Domain                         1  hsh.juz09.cfd
Domain                         1  59c58bb5317016932210991180008a04a642894b53635018356690221232f.hsh.juz09.cfd
Domain                         1  59c58bb5317016932210991180108a04a642894b53635018356690221232f.hsh.juz09.cfd
Domain                         1  59c58bb5317016932210991180208a04a642894b53635018356690221232f.hsh.juz09.cfd
Domain                         1  59c58bb5317016932210991180209a04a642894b53635018356690221232f.hsh.juz09.cfd
File                         674  node.js
File                           1  fjlpexyjauf.exe
File                           1  eqnyiodbs.dat
File                           2  lknidtnqmg.dat
File                           1  gyvdcniwvlu.dat
File                          27  node.exe
File                        2126  cmd.exe
File                           1  'node.exe
File                           1  fb808be98b583a2004b0af7b6f4bf5e3419d8b6a385c5ce4e8fab4ddc0b48428.exe
File                           1  c:\users\admin\appdata\local\temp\ixp000.tmp
md5                            1  becfe83392d83ef8c743ea00711a25c8
md5                            1  6181206d06ce28c1bcdb887e547193fe
sha1                           1  8eb65b4895a90d343f23f9228e0d53af62de3dab
sha256                         1  fb808be98b583a2004b0af7b6f4bf5e3419d8b6a385c5ce4e8fab4ddc0b48428
sha256                         1  9c5898b1b354b139794f10594e84e94e991971a54d179b2e9f746319ffac56aa
sha256                         1  7c37b8dd32365d41856692584f4c8e943610cda04c16fe06b47ed2d1e5c6415e
MITRE ATT&CK Techniques      310  T1047
MITRE ATT&CK Techniques      275  T1053.005
MITRE ATT&CK Techniques       40  T1132.002
MITRE ATT&CK Techniques      163  T1573
MITRE ATT&CK Techniques      442  T1071.001
MITRE ATT&CK Techniques      627  T1027
Url                            1  https://app.any.run/tasks/4696b947-92f0-4413-95dc-644c45ca99a6
Url                            1  https://app.any.run/tasks/c068028b-ce61-46a7-b12d-aef39a033bdd
Url                            1  https://app.any.run/tasks/4888f835-d2c3-4d89-9dc8-ac6cecf96409
Url                            1  https://app.any.run/tasks/e13d4388-8f32-4182-aff2-a85c89aeaa35
Yara rule                      1  (rule text below)
rule Lu0Bot_detection {
	meta:
		description = "Detection of Lu0Bot"
		date = "2023-09-26"
		family = "Lu0Bot"
	strings:
		// obfuscator-style variable names (var _0x....); the count is used in the condition
		$start_code = /var \_0x[a-f0-9]{4,6}/
		// standard Base64 alphabet embedded as a JS string literal
		$altBase64 = "'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/='"
		// assignment the rule author associates with the C2 domain
		$domain = "var acc="
		// closing brace of the init function followed by its call
		$end_code = "}ini();"
		// function name seen in the samples
		$func = "ginf"
	condition:
		// every string present and at least 50 obfuscated variable declarations
		all of them and #start_code >= 50
}
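As an added example, not part of this record and not ANY.RUN's own tooling: a pure-Python mirror of the Lu0Bot_detection string logic (same regex, same literals, same `#start_code >= 50` threshold) run over a constructed stand-in script, plus a classifier for DNS query names under the listed hsh.juz09.cfd zone, which the indicators above show as a single 61-character hex label directly beneath it. The stand-in script, the `example.invalid` placeholder, the query-log lines and the 32-character minimum for the hex label are all my assumptions.

```python
"""Added example: pure-Python mirror of the Lu0Bot_detection YARA logic and a
DNS classifier for the listed hsh.juz09.cfd indicators. The samples below are
constructed for illustration and are not real Lu0Bot artefacts."""
import re

# --- Strings and condition copied from the Lu0Bot_detection rule above ---
START_CODE = re.compile(rb"var _0x[a-f0-9]{4,6}")   # $start_code (obfuscator-style names)
ALT_B64 = b"'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/='"  # $altBase64
DOMAIN_VAR = b"var acc="                            # $domain
END_CODE = b"}ini();"                               # $end_code
FUNC = b"ginf"                                      # $func
MIN_START_CODE = 50                                 # condition: #start_code >= 50


def lu0bot_match(data: bytes) -> dict:
    """Return per-string hit counts and whether the rule condition holds.

    YARA counts non-overlapping matches, which is also what re.findall and
    bytes.count do, so the numbers agree with the rule's '#start_code'.
    """
    counts = {
        "start_code": len(START_CODE.findall(data)),
        "altBase64": data.count(ALT_B64),
        "domain": data.count(DOMAIN_VAR),
        "end_code": data.count(END_CODE),
        "func": data.count(FUNC),
    }
    matched = all(n > 0 for n in counts.values()) and counts["start_code"] >= MIN_START_CODE
    return {"matched": matched, "counts": counts}


def build_sample(n_vars: int, include_markers: bool = True) -> bytes:
    """Constructed stand-in for an obfuscated script (assumption, not a real sample)."""
    body = b"".join(b"var _0x%04x=['%d'];" % (0x1000 + i, i) for i in range(n_vars))
    if include_markers:
        body += (
            b"var acc='example.invalid';"      # placeholder, not a real C2 value
            b"function ginf(){return 1;}"
            b"var t=" + ALT_B64 + b";"
            b"function ini(){ginf();}ini();"
        )
    return body


# --- DNS side: the listed beacons are <61 hex chars>.hsh.juz09.cfd ---
LU0BOT_ZONE = "hsh.juz09.cfd"
HEX_LABEL = re.compile(r"^[0-9a-f]{32,63}$")   # 32 is my threshold; 63 is the DNS label limit


def classify_dns(qname: str):
    """None = unrelated, 'zone' = any name under the listed zone,
    'hex-subdomain' = a single long hex label directly under it."""
    q = qname.rstrip(".").lower()
    if q == LU0BOT_ZONE:
        return "zone"
    if not q.endswith("." + LU0BOT_ZONE):
        return None
    labels = q[: -len(LU0BOT_ZONE) - 1].split(".")
    if len(labels) == 1 and HEX_LABEL.match(labels[0]):
        return "hex-subdomain"
    return "zone"


# Constructed query-log lines (timestamp client qtype qname); not from the analysis.
SAMPLE_DNS_LOG = [
    "2023-09-26T09:03:00Z 10.0.0.5 A 59c58bb5317016932210991180008a04a642894b53635018356690221232f.hsh.juz09.cfd",
    "2023-09-26T09:03:01Z 10.0.0.5 A any.run",
    "2023-09-26T09:03:02Z 10.0.0.7 A www.hsh.juz09.cfd",
    "2023-09-26T09:03:03Z 10.0.0.7 A 59c58bb5317016932210991180108a04a642894b53635018356690221232f.hsh.juz09.cfd.",
]


def scan_dns_log(lines):
    """Return (client, qname, verdict) for every line that touches the zone."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        verdict = classify_dns(parts[3])
        if verdict:
            hits.append((parts[1], parts[3].rstrip("."), verdict))
    return hits


if __name__ == "__main__":
    print(lu0bot_match(build_sample(60)))
    print(lu0bot_match(build_sample(10))["matched"])
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(hit)
```

The mirror is for reasoning about the rule (which string is missing, how far a sample is from the 50-declaration threshold), not a replacement for running the rule itself with yara or yara-python against real samples. The DNS classifier deliberately reports anything under the zone, since hsh.juz09.cfd is itself a listed indicator, and reserves the stronger verdict for the long-hex-label shape the beacon names share.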