lucastealer | 91b0783d638cd5e8f4bf75d527f154259c5ed6acc1906450b99e332453d48979

Analysis

max time kernel
91s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2022 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Remcos 3.8.0 Proffesional.exe
Size

5.9MB
MD5

1ce4214544f0a7043eefbe8e5bd40f8b
SHA1

0cf65c2da5bac5f5f41fc4e7409df2dd6b5ed15e
SHA256

91b0783d638cd5e8f4bf75d527f154259c5ed6acc1906450b99e332453d48979
SHA512

76db21245ef94d48f7cf54cca6132251ecdc1c11775c9b369ea76b6a5eae6ccfd1bc2779c0368b189b71199535a08ba3cd12f18e5a16ae5b99e2ad55898ffc1b
SSDEEP

98304:fBBph+6IxhSsqa2AsIaZsX6/ejeyp3AJeQMc5evmqclrz6T:fBBpYXcsqay1s1eyWp15IV

Score

10^/10

lucastealer netwire warzonerat botnet infostealer persistence rat stealer

Malware Config

Extracted

Family

netwire

127.0.0.1:3360

ast3rhost.ddns.net:57441

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Updates64\Updater64.exe
keylogger_dir
Windows Systems Update.lnk
lock_executable
false
mutex
OMuLlWeg
offline_keylogger
false
password
Aster21
registry_autorun
false
use_mutex
false

Extracted

Family

warzonerat

ast3rhost.ddns.net:55557

Signatures

Luca Stealer
Info stealer written in Rust first seen in July 2022.
stealer lucastealer

Luca Stealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x0006000000022e32-140.dat	family_lucastealer
behavioral2/files/0x0006000000022e32-141.dat	family_lucastealer

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/files/0x0007000000022e2e-135.dat	netwire
behavioral2/files/0x0007000000022e2e-134.dat	netwire
behavioral2/files/0x0006000000022e31-143.dat	netwire
behavioral2/files/0x0006000000022e31-144.dat	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/files/0x0006000000022e2f-137.dat	warzonerat
behavioral2/files/0x0006000000022e2f-138.dat	warzonerat
behavioral2/files/0x0006000000022e3b-162.dat	warzonerat
behavioral2/files/0x0006000000022e3b-163.dat	warzonerat

Executes dropped EXE 5 IoCs

Processes:

remcos panel.exeRemcos Pro.exepanel.exeUpdater64.exeUpdater.exe

pid	Process
5004	remcos panel.exe
3472	Remcos Pro.exe
2740	panel.exe
4840	Updater64.exe
3920	Updater.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Remcos 3.8.0 Proffesional.exeremcos panel.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Remcos 3.8.0 Proffesional.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	remcos panel.exe

Drops startup file 3 IoCs

Processes:

Updater64.exeRemcos Pro.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Systems Update.lnk	Updater64.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	Remcos Pro.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	Remcos Pro.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Updater64.exeRemcos Pro.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	Updater64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EÖ®§‰Ý’ÌñÐv•›£ = "C:\\Users\\Admin\\AppData\\Roaming\\Updates64\\Updater64.exe"	Updater64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\Documents\\Updater.exe"	Remcos Pro.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 1 IoCs

Processes:

Remcos Pro.exe

description	ioc	Process
File created	C:\Users\Admin\Documents\Documents:ApplicationData	Remcos Pro.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid	Process
5084	powershell.exe
5084	powershell.exe
540	powershell.exe
540	powershell.exe
1464	powershell.exe
1464	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	5084	powershell.exe
Token: SeDebugPrivilege	540	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

Remcos 3.8.0 Proffesional.exeremcos panel.exeRemcos Pro.exeUpdater.exe

description	pid	Process	procid_target
PID 976 wrote to memory of 5084	976	Remcos 3.8.0 Proffesional.exe	83
PID 976 wrote to memory of 5084	976	Remcos 3.8.0 Proffesional.exe	83
PID 976 wrote to memory of 5084	976	Remcos 3.8.0 Proffesional.exe	83
PID 976 wrote to memory of 5004	976	Remcos 3.8.0 Proffesional.exe	85
PID 976 wrote to memory of 5004	976	Remcos 3.8.0 Proffesional.exe	85
PID 976 wrote to memory of 5004	976	Remcos 3.8.0 Proffesional.exe	85
PID 976 wrote to memory of 3472	976	Remcos 3.8.0 Proffesional.exe	86
PID 976 wrote to memory of 3472	976	Remcos 3.8.0 Proffesional.exe	86
PID 976 wrote to memory of 3472	976	Remcos 3.8.0 Proffesional.exe	86
PID 976 wrote to memory of 2740	976	Remcos 3.8.0 Proffesional.exe	87
PID 976 wrote to memory of 2740	976	Remcos 3.8.0 Proffesional.exe	87
PID 5004 wrote to memory of 4840	5004	remcos panel.exe	88
PID 5004 wrote to memory of 4840	5004	remcos panel.exe	88
PID 5004 wrote to memory of 4840	5004	remcos panel.exe	88
PID 3472 wrote to memory of 540	3472	Remcos Pro.exe	89
PID 3472 wrote to memory of 540	3472	Remcos Pro.exe	89
PID 3472 wrote to memory of 540	3472	Remcos Pro.exe	89
PID 3472 wrote to memory of 3920	3472	Remcos Pro.exe	91
PID 3472 wrote to memory of 3920	3472	Remcos Pro.exe	91
PID 3472 wrote to memory of 3920	3472	Remcos Pro.exe	91
PID 3920 wrote to memory of 1464	3920	Updater.exe	95
PID 3920 wrote to memory of 1464	3920	Updater.exe	95
PID 3920 wrote to memory of 1464	3920	Updater.exe	95
PID 3920 wrote to memory of 2252	3920	Updater.exe	98
PID 3920 wrote to memory of 2252	3920	Updater.exe	98
PID 3920 wrote to memory of 2252	3920	Updater.exe	98
PID 3920 wrote to memory of 2252	3920	Updater.exe	98
PID 3920 wrote to memory of 2252	3920	Updater.exe	98

C:\Users\Admin\AppData\Local\Temp\Remcos 3.8.0 Proffesional.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos 3.8.0 Proffesional.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:976
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAZQBlACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGkAcABzACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcATABvAGEAZABpAG4AZwAgAFIAZQBtAGMAbwBzACAAUAByAG8AZgBmAGUAcwBpAG8AbgBhAGwAIAAzAC4AOAAuADAALAAgAHAAbABlAGEAcwBlACAAdwBhAGkAdAAuAC4ALgAnACwAJwAnACwAJwBPAEsAJwAsACcASQBuAGYAbwByAG0AYQB0AGkAbwBuACcAKQA8ACMAcQBjAHcAIwA+AA=="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5084
- C:\Users\Admin\AppData\Local\Temp\remcos panel.exe
  "C:\Users\Admin\AppData\Local\Temp\remcos panel.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Users\Admin\AppData\Roaming\Updates64\Updater64.exe
    "C:\Users\Admin\AppData\Roaming\Updates64\Updater64.exe" -m "C:\Users\Admin\AppData\Local\Temp\remcos panel.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    PID:4840
- C:\Users\Admin\AppData\Local\Temp\Remcos Pro.exe
  "C:\Users\Admin\AppData\Local\Temp\Remcos Pro.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:3472
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath C:\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:540
- - C:\Users\Admin\Documents\Updater.exe
    "C:\Users\Admin\Documents\Updater.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3920
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath C:\
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1464
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      PID:2252
- C:\Users\Admin\AppData\Local\Temp\panel.exe
  "C:\Users\Admin\AppData\Local\Temp\panel.exe"
  2⤵
  - Executes dropped EXE
  PID:2740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4cc9e7069534f7bcbb90ad7cac69ed78

SHA1
a3522b9edd4a7d28ad0ac0e1b659a82b6dc10892

SHA256
4814be12fd2320cd9249d3b2611ea1421cb88823097fcbf0ca697e6e9ac93c9c

SHA512
e408e0abb3b7166578c075d10f1378d6a6b39dc386361a4df23abc026e9a634bfb16c01daf9b8fcbe8555e335d93c8c9d8442a11c187df616f2d6cdd3ab53653

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
30cdc5647fb289407752ffa435c7eb42

SHA1
07e50f38295d34e7073a7b41e3b0070020817453

SHA256
8405c880f229b1e20bc17aa3005af710403bf67cd30cda3f7c82874cb0140b83

SHA512
dace1618194187346feaa50dff47ee90aabf2195dc9e8474d16958aa0386fda6daed8107ff4ff4e7589689b91c9b598a24e0dfc7f69c55e1a20bb5e0aa674466

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
30cdc5647fb289407752ffa435c7eb42

SHA1
07e50f38295d34e7073a7b41e3b0070020817453

SHA256
8405c880f229b1e20bc17aa3005af710403bf67cd30cda3f7c82874cb0140b83

SHA512
dace1618194187346feaa50dff47ee90aabf2195dc9e8474d16958aa0386fda6daed8107ff4ff4e7589689b91c9b598a24e0dfc7f69c55e1a20bb5e0aa674466

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remcos Pro.exe

Filesize
132KB

MD5
6de956bf4b2bd3c673f7680c02265fb8

SHA1
293af6687da1faa6933dde2d1e42af0b84b128b5

SHA256
bf64c1524a374361c824cb3054b1c5179922b089872ad817c4666f700332084b

SHA512
f15b954c73430b3d037d29cb6e09c2a37ca6c4d5e9e7d90def97dbca7cf791651aa1e7dfde2dd86a40aea8b0e9c1bf7005b7804aa690b764ce38eeb7f1497576

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remcos Pro.exe

Filesize
132KB

MD5
6de956bf4b2bd3c673f7680c02265fb8

SHA1
293af6687da1faa6933dde2d1e42af0b84b128b5

SHA256
bf64c1524a374361c824cb3054b1c5179922b089872ad817c4666f700332084b

SHA512
f15b954c73430b3d037d29cb6e09c2a37ca6c4d5e9e7d90def97dbca7cf791651aa1e7dfde2dd86a40aea8b0e9c1bf7005b7804aa690b764ce38eeb7f1497576

Download Submit
C:\Users\Admin\AppData\Local\Temp\panel.exe

Filesize
5.4MB

MD5
ffa5f98bd83e85672b8f6b9234cdcbe0

SHA1
9a0ea22cfced5504707040defe0964a0bea18988

SHA256
23a10f85a88086e16753a7749f7dc4ddca2ad886455b371819bf030624e3aacb

SHA512
5fa1371d857b4de0c7e26ffa03175764ffb5fd13cf95bf0ad313714987c01670ea337eb7005bc6eca00e938ba967389d75920c6a6b1e50e641d079014f00656f

Download Submit
C:\Users\Admin\AppData\Local\Temp\panel.exe

Filesize
5.4MB

MD5
ffa5f98bd83e85672b8f6b9234cdcbe0

SHA1
9a0ea22cfced5504707040defe0964a0bea18988

SHA256
23a10f85a88086e16753a7749f7dc4ddca2ad886455b371819bf030624e3aacb

SHA512
5fa1371d857b4de0c7e26ffa03175764ffb5fd13cf95bf0ad313714987c01670ea337eb7005bc6eca00e938ba967389d75920c6a6b1e50e641d079014f00656f

Download Submit
C:\Users\Admin\AppData\Local\Temp\remcos panel.exe

Filesize
273KB

MD5
d4e2aa4f0096b92a01c08c560b2c45d8

SHA1
e8b57d69ef8ddc99fc3912ead61a9c1cd647c46e

SHA256
8970349251f2b74bcd42987611b34ffa62bc767569d750084474bf49c2894f72

SHA512
c327de6b53447213daefbfc1eabf92eca664b1623ee8db24c8a0b3a5d0f24580bbfa2ae949afeedc90d36dd93ad65c4dae3cf54b599ee376d7112cd039378516

Download Submit
C:\Users\Admin\AppData\Local\Temp\remcos panel.exe

Filesize
273KB

MD5
d4e2aa4f0096b92a01c08c560b2c45d8

SHA1
e8b57d69ef8ddc99fc3912ead61a9c1cd647c46e

SHA256
8970349251f2b74bcd42987611b34ffa62bc767569d750084474bf49c2894f72

SHA512
c327de6b53447213daefbfc1eabf92eca664b1623ee8db24c8a0b3a5d0f24580bbfa2ae949afeedc90d36dd93ad65c4dae3cf54b599ee376d7112cd039378516

Download Submit
C:\Users\Admin\AppData\Roaming\Updates64\Updater64.exe

Filesize
273KB

MD5
d4e2aa4f0096b92a01c08c560b2c45d8

SHA1
e8b57d69ef8ddc99fc3912ead61a9c1cd647c46e

SHA256
8970349251f2b74bcd42987611b34ffa62bc767569d750084474bf49c2894f72

SHA512
c327de6b53447213daefbfc1eabf92eca664b1623ee8db24c8a0b3a5d0f24580bbfa2ae949afeedc90d36dd93ad65c4dae3cf54b599ee376d7112cd039378516

Download Submit
C:\Users\Admin\AppData\Roaming\Updates64\Updater64.exe

Filesize
273KB

MD5
d4e2aa4f0096b92a01c08c560b2c45d8

SHA1
e8b57d69ef8ddc99fc3912ead61a9c1cd647c46e

SHA256
8970349251f2b74bcd42987611b34ffa62bc767569d750084474bf49c2894f72

SHA512
c327de6b53447213daefbfc1eabf92eca664b1623ee8db24c8a0b3a5d0f24580bbfa2ae949afeedc90d36dd93ad65c4dae3cf54b599ee376d7112cd039378516

Download Submit
C:\Users\Admin\Documents\Updater.exe

Filesize
132KB

MD5
6de956bf4b2bd3c673f7680c02265fb8

SHA1
293af6687da1faa6933dde2d1e42af0b84b128b5

SHA256
bf64c1524a374361c824cb3054b1c5179922b089872ad817c4666f700332084b

SHA512
f15b954c73430b3d037d29cb6e09c2a37ca6c4d5e9e7d90def97dbca7cf791651aa1e7dfde2dd86a40aea8b0e9c1bf7005b7804aa690b764ce38eeb7f1497576

Download Submit
C:\Users\Admin\Documents\Updater.exe

Filesize
132KB

MD5
6de956bf4b2bd3c673f7680c02265fb8

SHA1
293af6687da1faa6933dde2d1e42af0b84b128b5

SHA256
bf64c1524a374361c824cb3054b1c5179922b089872ad817c4666f700332084b

SHA512
f15b954c73430b3d037d29cb6e09c2a37ca6c4d5e9e7d90def97dbca7cf791651aa1e7dfde2dd86a40aea8b0e9c1bf7005b7804aa690b764ce38eeb7f1497576

Download Submit
memory/540-153-0x0000000007800000-0x0000000007832000-memory.dmp

Filesize
200KB

Download
memory/540-155-0x00000000740B0000-0x00000000740FC000-memory.dmp

Filesize
304KB

Download
memory/540-160-0x0000000007BD0000-0x0000000007C66000-memory.dmp

Filesize
600KB

Download
memory/540-157-0x00000000079C0000-0x00000000079CA000-memory.dmp

Filesize
40KB

Download
memory/540-156-0x0000000006C00000-0x0000000006C1E000-memory.dmp

Filesize
120KB

Download
memory/540-150-0x0000000000000000-mapping.dmp

Download
memory/540-166-0x0000000007C70000-0x0000000007C78000-memory.dmp

Filesize
32KB

Download
memory/540-165-0x0000000007C90000-0x0000000007CAA000-memory.dmp

Filesize
104KB

Download
memory/540-164-0x0000000007B80000-0x0000000007B8E000-memory.dmp

Filesize
56KB

Download
memory/1464-171-0x00000000736F0000-0x000000007373C000-memory.dmp

Filesize
304KB

Download
memory/1464-169-0x0000000000000000-mapping.dmp

Download
memory/2252-172-0x0000000000000000-mapping.dmp

Download
memory/2252-173-0x0000000001160000-0x0000000001161000-memory.dmp

Filesize
4KB

Download
memory/2740-139-0x0000000000000000-mapping.dmp

Download
memory/3472-136-0x0000000000000000-mapping.dmp

Download
memory/3920-161-0x0000000000000000-mapping.dmp

Download
memory/4840-142-0x0000000000000000-mapping.dmp

Download
memory/5004-133-0x0000000000000000-mapping.dmp

Download
memory/5084-159-0x0000000007A80000-0x0000000007B12000-memory.dmp

Filesize
584KB

Download
memory/5084-158-0x0000000008B50000-0x00000000090F4000-memory.dmp

Filesize
5.6MB

Download
memory/5084-154-0x0000000006DB0000-0x0000000006DCA000-memory.dmp

Filesize
104KB

Download
memory/5084-152-0x0000000007F20000-0x000000000859A000-memory.dmp

Filesize
6.5MB

Download
memory/5084-151-0x0000000006890000-0x00000000068AE000-memory.dmp

Filesize
120KB

Download
memory/5084-149-0x00000000062B0000-0x0000000006316000-memory.dmp

Filesize
408KB

Download
memory/5084-148-0x00000000061D0000-0x0000000006236000-memory.dmp

Filesize
408KB

Download
memory/5084-147-0x00000000058E0000-0x0000000005902000-memory.dmp

Filesize
136KB

Download
memory/5084-146-0x0000000005930000-0x0000000005F58000-memory.dmp

Filesize
6.2MB

Download
memory/5084-145-0x00000000052C0000-0x00000000052F6000-memory.dmp

Filesize
216KB

Download
memory/5084-132-0x0000000000000000-mapping.dmp

Download