Resubmissions
06-01-2023 10:26
230106-mgngpsfg29 1001-12-2022 16:35
221201-t32psagb59 1025-11-2022 01:29
221125-bv9fjsfd2w 8Analysis
-
max time kernel
53s -
max time network
51s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
01-12-2022 16:35
Behavioral task
behavioral1
Sample
3c1ed24caa50ce23e852d3cc618e6ace.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
3c1ed24caa50ce23e852d3cc618e6ace.exe
Resource
win10v2004-20221111-en
General
-
Target
3c1ed24caa50ce23e852d3cc618e6ace.exe
-
Size
17.6MB
-
MD5
3c1ed24caa50ce23e852d3cc618e6ace
-
SHA1
a387decc624a3e86b9b3db1cf1ed14063a34599b
-
SHA256
7946f262e17efca2bfcd10e6919b6c03cd4164895cdc40c44ce7827cc63f5e35
-
SHA512
f05e7c3088f3a82776fec0c933e080aacd885f7b86e8018f1d1873993ebca9a51f56033b68c381b41f196e6c03e9170ddcb3c245c690144e1aa9d085a4d5fd90
-
SSDEEP
98304:DMSVESq5LvCeXv0kFBoO3JnBdes+sWwRImg0cH2nP4o9p/wpDm7qCOPXwRalZLCt:ASSSMMkXnBb2mg0mwPBKDdDP0
Malware Config
Extracted
lucastealer
https://api.telegram.org/bot5740238611:AAESHdmffXlJNV7SD6-YjfXQmsg5jsSWb3Y
Signatures
-
Luca Stealer
Info stealer written in Rust first seen in July 2022.
-
Executes dropped EXE 1 IoCs
pid Process 1972 UIServices.exe -
Loads dropped DLL 3 IoCs
pid Process 668 cmd.exe 668 cmd.exe 1972 UIServices.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1808 wrote to memory of 668 1808 3c1ed24caa50ce23e852d3cc618e6ace.exe 27 PID 1808 wrote to memory of 668 1808 3c1ed24caa50ce23e852d3cc618e6ace.exe 27 PID 1808 wrote to memory of 668 1808 3c1ed24caa50ce23e852d3cc618e6ace.exe 27 PID 1808 wrote to memory of 668 1808 3c1ed24caa50ce23e852d3cc618e6ace.exe 27 PID 668 wrote to memory of 1972 668 cmd.exe 29 PID 668 wrote to memory of 1972 668 cmd.exe 29 PID 668 wrote to memory of 1972 668 cmd.exe 29 PID 668 wrote to memory of 1972 668 cmd.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\3c1ed24caa50ce23e852d3cc618e6ace.exe"C:\Users\Admin\AppData\Local\Temp\3c1ed24caa50ce23e852d3cc618e6ace.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\cmd.execmd.exe /c "C:\Users\Admin\AppData\Local\Temp\UIServices.exe Start UIServices.exe2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:668 -
C:\Users\Admin\AppData\Local\Temp\UIServices.exeC:\Users\Admin\AppData\Local\Temp\UIServices.exe Start UIServices.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1972
-
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.3MB
MD524d23afd8dbc9d8a6c062cea28fad926
SHA1203b3b29a85a0f8170d42b9f8ce766953aed5d9c
SHA256b81a331e58ff60255818c7596d4f724eed01b445bf41dfd389abece875a84b00
SHA5128dc659fd1ee3ec2aa698cdcf8f30ba2cca91688e04e6ae3fd8606d3a2c6d4a6166a066d3d889c269b4ede2bb626929c263930681c5a6677a1c9354e66106ad4c
-
Filesize
5.3MB
MD524d23afd8dbc9d8a6c062cea28fad926
SHA1203b3b29a85a0f8170d42b9f8ce766953aed5d9c
SHA256b81a331e58ff60255818c7596d4f724eed01b445bf41dfd389abece875a84b00
SHA5128dc659fd1ee3ec2aa698cdcf8f30ba2cca91688e04e6ae3fd8606d3a2c6d4a6166a066d3d889c269b4ede2bb626929c263930681c5a6677a1c9354e66106ad4c
-
Filesize
99KB
MD57a2b8cfcd543f6e4ebca43162b67d610
SHA1c1c45a326249bf0ccd2be2fbd412f1a62fb67024
SHA2567d7ca28235fba5603a7f40514a552ac7efaa67a5d5792bb06273916aa8565c5f
SHA512e38304fb9c5af855c1134f542adf72cde159fab64385533eafa5bb6e374f19b5a29c0cb5516fc5da5c0b5ac47c2f6420792e0ac8ddff11e749832a7b7f3eb5c8
-
Filesize
5.3MB
MD524d23afd8dbc9d8a6c062cea28fad926
SHA1203b3b29a85a0f8170d42b9f8ce766953aed5d9c
SHA256b81a331e58ff60255818c7596d4f724eed01b445bf41dfd389abece875a84b00
SHA5128dc659fd1ee3ec2aa698cdcf8f30ba2cca91688e04e6ae3fd8606d3a2c6d4a6166a066d3d889c269b4ede2bb626929c263930681c5a6677a1c9354e66106ad4c
-
Filesize
5.3MB
MD524d23afd8dbc9d8a6c062cea28fad926
SHA1203b3b29a85a0f8170d42b9f8ce766953aed5d9c
SHA256b81a331e58ff60255818c7596d4f724eed01b445bf41dfd389abece875a84b00
SHA5128dc659fd1ee3ec2aa698cdcf8f30ba2cca91688e04e6ae3fd8606d3a2c6d4a6166a066d3d889c269b4ede2bb626929c263930681c5a6677a1c9354e66106ad4c
-
Filesize
99KB
MD57a2b8cfcd543f6e4ebca43162b67d610
SHA1c1c45a326249bf0ccd2be2fbd412f1a62fb67024
SHA2567d7ca28235fba5603a7f40514a552ac7efaa67a5d5792bb06273916aa8565c5f
SHA512e38304fb9c5af855c1134f542adf72cde159fab64385533eafa5bb6e374f19b5a29c0cb5516fc5da5c0b5ac47c2f6420792e0ac8ddff11e749832a7b7f3eb5c8