lucastealer | 319157bf510e966d20d5129f1966ece7cb18c2d3d781a31a95f0af3be5926749

Analysis

max time kernel
29s
max time network
54s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
27-02-2023 04:58

Target

319157bf510e966d20d5129f1966ece7cb18c2d3d781a31a95f0af3be5926749.exe
Size

5.7MB
MD5

deb9c6e9c058071ebf52521065a75018
SHA1

d3f54b15504de1a55d26a5753f1254c5c42fadec
SHA256

319157bf510e966d20d5129f1966ece7cb18c2d3d781a31a95f0af3be5926749
SHA512

404d63f29db4b8edf4f5b73442e8e0c4dd58829b57bd2a75149d07acbd105cc9958429231f7f42dfb514824b62c7990d03913fbfd54d2e16273fd406e380be37
SSDEEP

49152:7Zg+YZ4PyxV4maKAUerq93kBis7q9mMts5lfarmNP78xMng+HEvLV+io6B5i5lSy:fFsaAnc6ZcIUk+r

Score

10^/10

Luca Stealer
Info stealer written in Rust first seen in July 2022.
stealer lucastealer
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1688	1108	WerFault.exe	26

Suspicious behavior: EnumeratesProcesses 6 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1108	319157bf510e966d20d5129f1966ece7cb18c2d3d781a31a95f0af3be5926749.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 1688	1108	319157bf510e966d20d5129f1966ece7cb18c2d3d781a31a95f0af3be5926749.exe	29
PID 1108 wrote to memory of 1688	1108	319157bf510e966d20d5129f1966ece7cb18c2d3d781a31a95f0af3be5926749.exe	29
PID 1108 wrote to memory of 1688	1108	319157bf510e966d20d5129f1966ece7cb18c2d3d781a31a95f0af3be5926749.exe	29

C:\Users\Admin\AppData\Local\Temp\319157bf510e966d20d5129f1966ece7cb18c2d3d781a31a95f0af3be5926749.exe
"C:\Users\Admin\AppData\Local\Temp\319157bf510e966d20d5129f1966ece7cb18c2d3d781a31a95f0af3be5926749.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1108 -s 1108
  2⤵
  - Program crash
  PID:1688

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\logscx\sensfiles.zip

Filesize
412KB

MD5
f0d4973b6b92279998c5447709c687bc

SHA1
dd80c8a381f9e37604e897b365d98a86dc68baa3

SHA256
ac1d5bcd4a5703049ae9cf63353b8889e217b29c73ff791cce39f05a44be91c9

SHA512
2475e806ea2bb1b9b41a5ab4a599179d7e956ee8fbe7a78ddaaad17bc22976a174a1553a114ad5401533140e3891057f797512c33821f61b0385b606b1c8b9f4

Download Submit