Analysis
-
max time kernel
141s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
10-01-2023 00:09
General
-
Target
rswin.exe
-
Size
5.6MB
-
MD5
59ff6641dea3e3d3e2e6abd3e1ccb357
-
SHA1
533f88a140383aaaf735b62d550b02bb2705db42
-
SHA256
303bc7a7372b58fcf86cec6e3f64c68ae8d0d4005ba456f1a3d083ad554fe6ef
-
SHA512
58b10df383b6ecf8dfcd8e5e23b82b88e61af34ae2b2eb6607423858ad43ef5c8f82c7c882ca63b10fd60f62b85dc18a213857598bbf7bf82c71528a4eb8591b
-
SSDEEP
49152:ucLMXimdb4cv+oUX63PWbo1OI83xGXgn5KnK8ICuasCDZ+X6vR7e73UK56xmDpfY:PEiKisj8EjIhW8Yp4oTjZ+
Score
10/10
Malware Config
Signatures
-
Luca Stealer
Info stealer written in Rust first seen in July 2022.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\rswin.exe"C:\Users\Admin\AppData\Local\Temp\rswin.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 636 -s 16162⤵
- Program crash
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 424 -p 636 -ip 6361⤵