lucastealer | 319157bf510e966d20d5129f1966ece7cb18c2d3d781a31a95f0af3be5926749

Analysis

max time kernel
300s
max time network
176s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
26-02-2023 22:26

Target

319157bf510e966d20d5129f1966ece7cb18c2d3d781a31a95f0af3be5926749.exe
Size

5.7MB
MD5

deb9c6e9c058071ebf52521065a75018
SHA1

d3f54b15504de1a55d26a5753f1254c5c42fadec
SHA256

319157bf510e966d20d5129f1966ece7cb18c2d3d781a31a95f0af3be5926749
SHA512

404d63f29db4b8edf4f5b73442e8e0c4dd58829b57bd2a75149d07acbd105cc9958429231f7f42dfb514824b62c7990d03913fbfd54d2e16273fd406e380be37
SSDEEP

49152:7Zg+YZ4PyxV4maKAUerq93kBis7q9mMts5lfarmNP78xMng+HEvLV+io6B5i5lSy:fFsaAnc6ZcIUk+r

Score

10^/10

Luca Stealer
Info stealer written in Rust first seen in July 2022.
stealer lucastealer
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1988 4460 WerFault.exe 319157bf510e966d20d5129f1966ece7cb18c2d3d781a31a95f0af3be5926749.exe

flow	ioc
3	ip-api.com

pid	pid_target	process	target process
1988	4460	WerFault.exe	319157bf510e966d20d5129f1966ece7cb18c2d3d781a31a95f0af3be5926749.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

319157bf510e966d20d5129f1966ece7cb18c2d3d781a31a95f0af3be5926749.exe

C:\Users\Admin\AppData\Local\Temp\319157bf510e966d20d5129f1966ece7cb18c2d3d781a31a95f0af3be5926749.exe
"C:\Users\Admin\AppData\Local\Temp\319157bf510e966d20d5129f1966ece7cb18c2d3d781a31a95f0af3be5926749.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4460
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4460 -s 1464
  2⤵
  - Program crash
  PID:1988

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\logscx\sensfiles.zip

Filesize
3.2MB

MD5
e21dcb6d4519a7434c35fa81f4b50ede

SHA1
fd5369fe1629f12fab4b4fb0dcad27605e15046d

SHA256
84c5b825a6370307e5a11f03647358c47d040e1e5688eab6508b0127ec777abe

SHA512
0dc9882ece9f9d3efd1b7c78c18fbf4afb55177be4dc2c5dc0344defec762a42d703bf4e1d582d94a85730e6f5253f950cfd75431867a45856872a55e2e2e4ff

Download Submit