lucastealer | 319157bf510e966d20d5129f1966ece7cb18c2d3d781a31a95f0af3be5926749

Analysis

max time kernel
159s
max time network
174s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
24-02-2023 22:25

Target

319157bf510e966d20d5129f1966ece7cb18c2d3d781a31a95f0af3be5926749.exe
Size

5.7MB
MD5

deb9c6e9c058071ebf52521065a75018
SHA1

d3f54b15504de1a55d26a5753f1254c5c42fadec
SHA256

319157bf510e966d20d5129f1966ece7cb18c2d3d781a31a95f0af3be5926749
SHA512

404d63f29db4b8edf4f5b73442e8e0c4dd58829b57bd2a75149d07acbd105cc9958429231f7f42dfb514824b62c7990d03913fbfd54d2e16273fd406e380be37
SSDEEP

49152:7Zg+YZ4PyxV4maKAUerq93kBis7q9mMts5lfarmNP78xMng+HEvLV+io6B5i5lSy:fFsaAnc6ZcIUk+r

Score

10^/10

Luca Stealer
Info stealer written in Rust first seen in July 2022.
stealer lucastealer
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2856 3588 WerFault.exe 319157bf510e966d20d5129f1966ece7cb18c2d3d781a31a95f0af3be5926749.exe

flow	ioc
3	ip-api.com

pid	pid_target	process	target process
2856	3588	WerFault.exe	319157bf510e966d20d5129f1966ece7cb18c2d3d781a31a95f0af3be5926749.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

319157bf510e966d20d5129f1966ece7cb18c2d3d781a31a95f0af3be5926749.exe

C:\Users\Admin\AppData\Local\Temp\319157bf510e966d20d5129f1966ece7cb18c2d3d781a31a95f0af3be5926749.exe
"C:\Users\Admin\AppData\Local\Temp\319157bf510e966d20d5129f1966ece7cb18c2d3d781a31a95f0af3be5926749.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3588
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3588 -s 1464
  2⤵
  - Program crash
  PID:2856

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\logscx\sensfiles.zip

Filesize
1.7MB

MD5
8be52bac64f7adb17a163f6ebfc1f385

SHA1
504762198871bcd2f09c3b82e2063d116c690866

SHA256
a473a303e632c6aa89b72fb3f703c40f66ddfc1cdce888068753ceca41fe21bf

SHA512
30e4a07e3e1e72d3f8d55efe5fb7e9caba057227be9fd8daac5c33525207f9a2d3d4e1df140c661906bedd091534fd4d5ae1350889df656dad0f25483c09e9cd

Download Submit