lucastealer | 319157bf510e966d20d5129f1966ece7cb18c2d3d781a31a95f0af3be5926749

Analysis

max time kernel
55s
max time network
181s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
26-02-2023 04:56

Target

319157bf510e966d20d5129f1966ece7cb18c2d3d781a31a95f0af3be5926749.exe
Size

5.7MB
MD5

deb9c6e9c058071ebf52521065a75018
SHA1

d3f54b15504de1a55d26a5753f1254c5c42fadec
SHA256

319157bf510e966d20d5129f1966ece7cb18c2d3d781a31a95f0af3be5926749
SHA512

404d63f29db4b8edf4f5b73442e8e0c4dd58829b57bd2a75149d07acbd105cc9958429231f7f42dfb514824b62c7990d03913fbfd54d2e16273fd406e380be37
SSDEEP

49152:7Zg+YZ4PyxV4maKAUerq93kBis7q9mMts5lfarmNP78xMng+HEvLV+io6B5i5lSy:fFsaAnc6ZcIUk+r

Score

10^/10

Luca Stealer
Info stealer written in Rust first seen in July 2022.
stealer lucastealer
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3060 3044 WerFault.exe 319157bf510e966d20d5129f1966ece7cb18c2d3d781a31a95f0af3be5926749.exe

flow	ioc
3	ip-api.com

pid	pid_target	process	target process
3060	3044	WerFault.exe	319157bf510e966d20d5129f1966ece7cb18c2d3d781a31a95f0af3be5926749.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

319157bf510e966d20d5129f1966ece7cb18c2d3d781a31a95f0af3be5926749.exe

C:\Users\Admin\AppData\Local\Temp\319157bf510e966d20d5129f1966ece7cb18c2d3d781a31a95f0af3be5926749.exe
"C:\Users\Admin\AppData\Local\Temp\319157bf510e966d20d5129f1966ece7cb18c2d3d781a31a95f0af3be5926749.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3044
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3044 -s 1452
  2⤵
  - Program crash
  PID:3060

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\logscx\sensfiles.zip

Filesize
8.3MB

MD5
955c5ec3f0e5c2a9316ce81a504fabd5

SHA1
e1093f35d084f6cb47d601714fca9a383edb7769

SHA256
471ee79e5284cc13cab5a8aaa4d3b7882c1fd8c3d76cf4fa352d283828cd1eb3

SHA512
907c0dcfa34d512d2cb01cad36d3bff0ddd2ac310adb085cac7f9883b6ac2b7f9c9015c2fe2306b01d7b5ee2cc12dee17b654d4b23a64cd8f39e44fe2c67985c

Download Submit