lucastealer | ba06284f5208e6e05a4568fa4bffb05661d73a8e0be9a7dca5bed98244bcc097

Resubmissions

19-01-2023 16:50

230119-vcchmsde7t 10

23-11-2022 13:12

221123-qfhfvadh33 8

Analysis

max time kernel
50s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
19-01-2023 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62d916dabdf433ec7d4b0b90d681591d.exe
Size

18.3MB
MD5

62d916dabdf433ec7d4b0b90d681591d
SHA1

3f833c77fe193cf15741d88a62febc23bce63f09
SHA256

ba06284f5208e6e05a4568fa4bffb05661d73a8e0be9a7dca5bed98244bcc097
SHA512

e91119edf7b168fc9e4f41f06562ca4d6d75941eb9eeafd20d4452dccbf7c23db8563433d8b417c143603a90e16335dcd33325dfb10e8a541e0ba26ab41e0dad
SSDEEP

98304:tMSVESq5NpATf0g1QIk8y2EG9DcFk4GX6jnX+ITWFRImg0cHqwh4C4t/wpDm7qCd:aSSSpQIksDu9Zb7mg0mjh3jDdDP0

Score

10^/10

lucastealer stealer

Malware Config

Extracted

Family

lucastealer

https://api.telegram.org/bot5740238611:AAESHdmffXlJNV7SD6-YjfXQmsg5jsSWb3Y

Signatures

Luca Stealer
Info stealer written in Rust first seen in July 2022.
stealer lucastealer
Executes dropped EXE 1 IoCs

Processes:

UIServices.exe

pid process

1692 UIServices.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.exeUIServices.exe

pid process

1736 cmd.exe
1736 cmd.exe
1692 UIServices.exe

pid	process
1692	UIServices.exe

pid	process
1736	cmd.exe
1736	cmd.exe
1692	UIServices.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

62d916dabdf433ec7d4b0b90d681591d.execmd.exe

description	pid	process	target process
PID 1708 wrote to memory of 1736	1708	62d916dabdf433ec7d4b0b90d681591d.exe	cmd.exe
PID 1708 wrote to memory of 1736	1708	62d916dabdf433ec7d4b0b90d681591d.exe	cmd.exe
PID 1708 wrote to memory of 1736	1708	62d916dabdf433ec7d4b0b90d681591d.exe	cmd.exe
PID 1708 wrote to memory of 1736	1708	62d916dabdf433ec7d4b0b90d681591d.exe	cmd.exe
PID 1736 wrote to memory of 1692	1736	cmd.exe	UIServices.exe
PID 1736 wrote to memory of 1692	1736	cmd.exe	UIServices.exe
PID 1736 wrote to memory of 1692	1736	cmd.exe	UIServices.exe
PID 1736 wrote to memory of 1692	1736	cmd.exe	UIServices.exe

C:\Users\Admin\AppData\Local\Temp\62d916dabdf433ec7d4b0b90d681591d.exe
"C:\Users\Admin\AppData\Local\Temp\62d916dabdf433ec7d4b0b90d681591d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\UIServices.exe Start UIServices.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Users\Admin\AppData\Local\Temp\UIServices.exe
    C:\Users\Admin\AppData\Local\Temp\UIServices.exe Start UIServices.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UIServices.exe

Filesize
6.0MB

MD5
03e3758f3e8f9b41c4482418dfc7f949

SHA1
a9567f232d2a7511015af599b9703d34afcb5c8a

SHA256
9c2cb8a7798c29f281cd0e03488aec0387bbceceff300f6ca8366612405d55e4

SHA512
31e4a96689cf1e910df06f54cc676ab02600f61c30c4ce46c94d722646bf672c62fa4d41e39602ede25e74aaf73a148e66f9a42b90d60f06ba6ce2439f4d7eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIServices.exe

Filesize
6.0MB

MD5
03e3758f3e8f9b41c4482418dfc7f949

SHA1
a9567f232d2a7511015af599b9703d34afcb5c8a

SHA256
9c2cb8a7798c29f281cd0e03488aec0387bbceceff300f6ca8366612405d55e4

SHA512
31e4a96689cf1e910df06f54cc676ab02600f61c30c4ce46c94d722646bf672c62fa4d41e39602ede25e74aaf73a148e66f9a42b90d60f06ba6ce2439f4d7eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\VCRUNTIME140.dll

Filesize
99KB

MD5
7a2b8cfcd543f6e4ebca43162b67d610

SHA1
c1c45a326249bf0ccd2be2fbd412f1a62fb67024

SHA256
7d7ca28235fba5603a7f40514a552ac7efaa67a5d5792bb06273916aa8565c5f

SHA512
e38304fb9c5af855c1134f542adf72cde159fab64385533eafa5bb6e374f19b5a29c0cb5516fc5da5c0b5ac47c2f6420792e0ac8ddff11e749832a7b7f3eb5c8

Download Submit
\Users\Admin\AppData\Local\Temp\UIServices.exe

Filesize
6.0MB

MD5
03e3758f3e8f9b41c4482418dfc7f949

SHA1
a9567f232d2a7511015af599b9703d34afcb5c8a

SHA256
9c2cb8a7798c29f281cd0e03488aec0387bbceceff300f6ca8366612405d55e4

SHA512
31e4a96689cf1e910df06f54cc676ab02600f61c30c4ce46c94d722646bf672c62fa4d41e39602ede25e74aaf73a148e66f9a42b90d60f06ba6ce2439f4d7eae

Download Submit
\Users\Admin\AppData\Local\Temp\UIServices.exe

Filesize
6.0MB

MD5
03e3758f3e8f9b41c4482418dfc7f949

SHA1
a9567f232d2a7511015af599b9703d34afcb5c8a

SHA256
9c2cb8a7798c29f281cd0e03488aec0387bbceceff300f6ca8366612405d55e4

SHA512
31e4a96689cf1e910df06f54cc676ab02600f61c30c4ce46c94d722646bf672c62fa4d41e39602ede25e74aaf73a148e66f9a42b90d60f06ba6ce2439f4d7eae

Download Submit
\Users\Admin\AppData\Local\Temp\vcruntime140.dll

Filesize
99KB

MD5
7a2b8cfcd543f6e4ebca43162b67d610

SHA1
c1c45a326249bf0ccd2be2fbd412f1a62fb67024

SHA256
7d7ca28235fba5603a7f40514a552ac7efaa67a5d5792bb06273916aa8565c5f

SHA512
e38304fb9c5af855c1134f542adf72cde159fab64385533eafa5bb6e374f19b5a29c0cb5516fc5da5c0b5ac47c2f6420792e0ac8ddff11e749832a7b7f3eb5c8

Download Submit
memory/1692-59-0x0000000000000000-mapping.dmp

Download
memory/1708-54-0x0000000075D51000-0x0000000075D53000-memory.dmp

Filesize
8KB

Download
memory/1736-55-0x0000000000000000-mapping.dmp

Download