lucastealer | d363a849b1c4a3644b9dcfb3d03f96eb8bf3f6b05a8286f0911396c2b4642432

General

Target

018f1b987d7d79a024055b9ad168a866856a4b1d5c9f14809375cade8c9fc691.exe
Size

4.2MB
MD5

7bf21e9170fda8ffa3c22c892ecef29a
SHA1

ffbc2327df43ff7868ff2eeeeebbdb721bd522d1
SHA256

018f1b987d7d79a024055b9ad168a866856a4b1d5c9f14809375cade8c9fc691
SHA512

763db449afe12f277952a3fc4dbcb18bae0bc34ad64f6155663be7553f3428d5b04b268b2ed1985b7ac7e15d80ee3646e783ada29f451801ac854674efd09396
SSDEEP

98304:Jm3Nfl9RXKKcB6fu4R1I/1C6KxLKwqcOIb6Csebp82yY837nB:Y3NflLXVcB6fu4R1uCFxKOPba2ylrB

Score

10^/10

lucastealer stealer

Malware Config

Signatures

Luca Stealer
Info stealer written in Rust first seen in July 2022.
stealer lucastealer

Luca Stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x00080000000139db-62.dat	family_lucastealer
behavioral1/files/0x00080000000139db-63.dat	family_lucastealer
behavioral1/files/0x00080000000139db-65.dat	family_lucastealer

Executes dropped EXE 2 IoCs

Processes:

Stealer.sfx.exeStealer.exe

pid	Process
948	Stealer.sfx.exe
816	Stealer.exe

Loads dropped DLL 5 IoCs

Processes:

018f1b987d7d79a024055b9ad168a866856a4b1d5c9f14809375cade8c9fc691.exeStealer.sfx.exe

pid	Process
1956	018f1b987d7d79a024055b9ad168a866856a4b1d5c9f14809375cade8c9fc691.exe
1956	018f1b987d7d79a024055b9ad168a866856a4b1d5c9f14809375cade8c9fc691.exe
1956	018f1b987d7d79a024055b9ad168a866856a4b1d5c9f14809375cade8c9fc691.exe
948	Stealer.sfx.exe
948	Stealer.sfx.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
6	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Stealer.exe

pid	Process
816	Stealer.exe
816	Stealer.exe
816	Stealer.exe
816	Stealer.exe
816	Stealer.exe
816	Stealer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Stealer.exe

description	pid	Process
Token: SeShutdownPrivilege	816	Stealer.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

018f1b987d7d79a024055b9ad168a866856a4b1d5c9f14809375cade8c9fc691.exeStealer.sfx.exe

description	pid	Process	procid_target
PID 1956 wrote to memory of 948	1956	018f1b987d7d79a024055b9ad168a866856a4b1d5c9f14809375cade8c9fc691.exe	27
PID 1956 wrote to memory of 948	1956	018f1b987d7d79a024055b9ad168a866856a4b1d5c9f14809375cade8c9fc691.exe	27
PID 1956 wrote to memory of 948	1956	018f1b987d7d79a024055b9ad168a866856a4b1d5c9f14809375cade8c9fc691.exe	27
PID 1956 wrote to memory of 948	1956	018f1b987d7d79a024055b9ad168a866856a4b1d5c9f14809375cade8c9fc691.exe	27
PID 948 wrote to memory of 816	948	Stealer.sfx.exe	28
PID 948 wrote to memory of 816	948	Stealer.sfx.exe	28
PID 948 wrote to memory of 816	948	Stealer.sfx.exe	28
PID 948 wrote to memory of 816	948	Stealer.sfx.exe	28

C:\Users\Admin\AppData\Local\Temp\018f1b987d7d79a024055b9ad168a866856a4b1d5c9f14809375cade8c9fc691.exe
"C:\Users\Admin\AppData\Local\Temp\018f1b987d7d79a024055b9ad168a866856a4b1d5c9f14809375cade8c9fc691.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Local\Temp\Driver\Stealer.sfx.exe
  "C:\Users\Admin\AppData\Local\Temp\Driver\Stealer.sfx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Users\Admin\AppData\Local\Temp\File\Stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\File\Stealer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Driver\Stealer.sfx.exe

Filesize
4.1MB

MD5
bb93f1a03d3d32add7d73c44c289f8d7

SHA1
627ee222a1faf0be481ae6c1217d99d492868c89

SHA256
7f56c8d8f721fcf8875459d4a7282b0607c97ae00458c76c1b0ee6766812eeae

SHA512
7bee165bd325b08e49ecdfd7dc1fcd8adc33ca5058874dfb833ad7c40196048d026f8a9694b7f19c3e3007f224396d9e8c34b27c08dc72c5d42aa2b4cd69e2c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Driver\Stealer.sfx.exe

Filesize
4.1MB

MD5
bb93f1a03d3d32add7d73c44c289f8d7

SHA1
627ee222a1faf0be481ae6c1217d99d492868c89

SHA256
7f56c8d8f721fcf8875459d4a7282b0607c97ae00458c76c1b0ee6766812eeae

SHA512
7bee165bd325b08e49ecdfd7dc1fcd8adc33ca5058874dfb833ad7c40196048d026f8a9694b7f19c3e3007f224396d9e8c34b27c08dc72c5d42aa2b4cd69e2c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\File\Stealer.exe

Filesize
4.2MB

MD5
4d5bac8fab6ecb15ab34d42adbd0cd15

SHA1
a7f50d486fe065abe0ce50d5dc51d9930d238f2d

SHA256
bf5d5d1e5180d8dacb9cd543015a0304248c19d1b017ce00244aa83d0dcfa352

SHA512
4cb9af4abd9948325d1622b76f2fb16c7366f8a96dcd4760d28ef67c53919407de14e12df5e098d4fe467c4bb85cebfb1b5e845cf5a585e635cd11972ad989f5

Download Submit
\Users\Admin\AppData\Local\Temp\Driver\Stealer.sfx.exe

Filesize
4.1MB

MD5
bb93f1a03d3d32add7d73c44c289f8d7

SHA1
627ee222a1faf0be481ae6c1217d99d492868c89

SHA256
7f56c8d8f721fcf8875459d4a7282b0607c97ae00458c76c1b0ee6766812eeae

SHA512
7bee165bd325b08e49ecdfd7dc1fcd8adc33ca5058874dfb833ad7c40196048d026f8a9694b7f19c3e3007f224396d9e8c34b27c08dc72c5d42aa2b4cd69e2c6

Download Submit
\Users\Admin\AppData\Local\Temp\Driver\Stealer.sfx.exe

Filesize
4.1MB

MD5
bb93f1a03d3d32add7d73c44c289f8d7

SHA1
627ee222a1faf0be481ae6c1217d99d492868c89

SHA256
7f56c8d8f721fcf8875459d4a7282b0607c97ae00458c76c1b0ee6766812eeae

SHA512
7bee165bd325b08e49ecdfd7dc1fcd8adc33ca5058874dfb833ad7c40196048d026f8a9694b7f19c3e3007f224396d9e8c34b27c08dc72c5d42aa2b4cd69e2c6

Download Submit
\Users\Admin\AppData\Local\Temp\Driver\Stealer.sfx.exe

Filesize
4.1MB

MD5
bb93f1a03d3d32add7d73c44c289f8d7

SHA1
627ee222a1faf0be481ae6c1217d99d492868c89

SHA256
7f56c8d8f721fcf8875459d4a7282b0607c97ae00458c76c1b0ee6766812eeae

SHA512
7bee165bd325b08e49ecdfd7dc1fcd8adc33ca5058874dfb833ad7c40196048d026f8a9694b7f19c3e3007f224396d9e8c34b27c08dc72c5d42aa2b4cd69e2c6

Download Submit
\Users\Admin\AppData\Local\Temp\File\Stealer.exe

Filesize
4.2MB

MD5
4d5bac8fab6ecb15ab34d42adbd0cd15

SHA1
a7f50d486fe065abe0ce50d5dc51d9930d238f2d

SHA256
bf5d5d1e5180d8dacb9cd543015a0304248c19d1b017ce00244aa83d0dcfa352

SHA512
4cb9af4abd9948325d1622b76f2fb16c7366f8a96dcd4760d28ef67c53919407de14e12df5e098d4fe467c4bb85cebfb1b5e845cf5a585e635cd11972ad989f5

Download Submit
\Users\Admin\AppData\Local\Temp\File\Stealer.exe

Filesize
4.2MB

MD5
4d5bac8fab6ecb15ab34d42adbd0cd15

SHA1
a7f50d486fe065abe0ce50d5dc51d9930d238f2d

SHA256
bf5d5d1e5180d8dacb9cd543015a0304248c19d1b017ce00244aa83d0dcfa352

SHA512
4cb9af4abd9948325d1622b76f2fb16c7366f8a96dcd4760d28ef67c53919407de14e12df5e098d4fe467c4bb85cebfb1b5e845cf5a585e635cd11972ad989f5

Download Submit
memory/816-64-0x0000000000000000-mapping.dmp

Download
memory/948-58-0x0000000000000000-mapping.dmp

Download
memory/1956-54-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads