lucastealer | f37134e9d3f61052ce126082a31aea1c7e0b3fca9f2373e79c3b4a9d884aef9b

General

Target

bded213b6ad8b501a9a8769498c06858.bin
Size

4.1MB
Sample

230308-b5k6psch5s
MD5

2cf0dd0e1c3fa35e9de8e02696987cb9
SHA1

ce8c4f6c9ea8c13d62c2a843dcf9cd0b4066866f
SHA256

f37134e9d3f61052ce126082a31aea1c7e0b3fca9f2373e79c3b4a9d884aef9b
SHA512

1fb9c4a0f2666c9d4dfe5fbe85e6741f13b5756156609f3ed81b00f19de85957d36d125361f447166b697263e7196f32a7692c419d67754c40f22c1e916ef99b
SSDEEP

98304:WrxRPxxfOiW8g8PpgTmgv02ZtUXsIJIyf:YfnfOT8FPWTmgv0hXfyw

Score

10^/10

Malware Config

Extracted

Path

C:\ProgramData\Adobe\Updater6\RESTORE-MY-FILES.txt

Ransom Note

***SOLIDBIT RANSOMWARE*** All of your files are encrypted by SOLIDBIT ransomware and you cannot decrypt it without our help. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can recover all your files safely and easily with us. Contact Download Tor Browser - https://www.torproject.org/download/ and install it Open the link below in Tor Browser and follow instructions on this page http://solidb2jco63vbhx4sfimnqmwhtdjk4jbbgq7a24cmzzkfse4rduxgid.onion Decryption ID: 5-SJNASR2934QJ6MP6XH47DZDHWLI9k8

URLs

http://solidb2jco63vbhx4sfimnqmwhtdjk4jbbgq7a24cmzzkfse4rduxgid.onion

Extracted

Path

C:\Users\Admin\3D Objects\RESTORE-MY-FILES.txt

Ransom Note

***SOLIDBIT RANSOMWARE*** All of your files are encrypted by SOLIDBIT ransomware and you cannot decrypt it without our help. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN recover data - we offer you to decrypt samples. You can recover all your files safely and easily with us. Contact Download Tor Browser - https://www.torproject.org/download/ and install it Open the link below in Tor Browser and follow instructions on this page http://solidb2jco63vbhx4sfimnqmwhtdjk4jbbgq7a24cmzzkfse4rduxgid.onion Decryption ID: 5-LIZ6O2V36BS2J7E274A7UW6OEP1Ok8

URLs

http://solidb2jco63vbhx4sfimnqmwhtdjk4jbbgq7a24cmzzkfse4rduxgid.onion

Targets

- Target
  
  4bc5ade40ab56113ce9709c0da15416628e089e838864a6756ceca90b8ffaf5b.exe
- Size
  
  5.6MB
- MD5
  
  bded213b6ad8b501a9a8769498c06858
- SHA1
  
  3927ded7ffee7ab8f400d00bcb3b5479ffa3abfb
- SHA256
  
  4bc5ade40ab56113ce9709c0da15416628e089e838864a6756ceca90b8ffaf5b
- SHA512
  
  01fae25d7d0865ea0bd3b2f4d8f51d192a3ae9b7af5ab23ea55b34cadc3618ad66f53aec865776a50c98a7fb8076e71335d180ebf6e8ad02cf4a74799d780ee3
- SSDEEP
  
  98304:QxD6iw63xsDaup/EMGVxpE581oyzEY6JvRdZjYZPqXEla15YYO:QR6b6+HE25ZyzEX9jaqzv2
Score

10^/10

lucastealer persistence ransomware spyware stealer evasion
- Luca Stealer
  Info stealer written in Rust first seen in July 2022.
  stealer lucastealer
- Luca Stealer payload
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2