lucastealer | 8acf346f8e6cc412c42bcf827a01fc8b22ce643aa8088f025e2320c43c145f28

Analysis

max time kernel
30s
max time network
78s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
16-03-2023 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7e1825173152caddc73e659c39b956f666f4348e7163be34fc9b3eb14ffdbda.exe
Size

3.6MB
MD5

6ea2e54163f59cc8a7b73e38cce87071
SHA1

6a92ebd7713ce02161da0fced34581c0d3921ab4
SHA256

e7e1825173152caddc73e659c39b956f666f4348e7163be34fc9b3eb14ffdbda
SHA512

639482bdd1b21f3b1ea42dd6d53e5552af1d5a4bd94e5b110e4cb0b5fcab8675b04ed1ed00dac4f6a0f4295e2396cd3976031c6adb4d9b5e075d5bae253d0846
SSDEEP

49152:NTOx9LzpCkE4m85goOiG73wv6R8fKHIOC5ATFru2+Jm+4s2AfBJk/xoIHZqgKMHg:dFGAjpo12bZKMuk

Score

10^/10

lucastealer spyware stealer

Malware Config

Signatures

Luca Stealer
Info stealer written in Rust first seen in July 2022.
stealer lucastealer
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1440 884 WerFault.exe e7e1825173152caddc73e659c39b956f666f4348e7163be34fc9b3eb14ffdbda.exe

flow	ioc
3	ip-api.com

pid	pid_target	process	target process
1440	884	WerFault.exe	e7e1825173152caddc73e659c39b956f666f4348e7163be34fc9b3eb14ffdbda.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

e7e1825173152caddc73e659c39b956f666f4348e7163be34fc9b3eb14ffdbda.exe

pid	process
884	e7e1825173152caddc73e659c39b956f666f4348e7163be34fc9b3eb14ffdbda.exe
884	e7e1825173152caddc73e659c39b956f666f4348e7163be34fc9b3eb14ffdbda.exe
884	e7e1825173152caddc73e659c39b956f666f4348e7163be34fc9b3eb14ffdbda.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

e7e1825173152caddc73e659c39b956f666f4348e7163be34fc9b3eb14ffdbda.exe

description pid process

Token: SeShutdownPrivilege 884 e7e1825173152caddc73e659c39b956f666f4348e7163be34fc9b3eb14ffdbda.exe

description	pid	process
Token: SeShutdownPrivilege	884	e7e1825173152caddc73e659c39b956f666f4348e7163be34fc9b3eb14ffdbda.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

e7e1825173152caddc73e659c39b956f666f4348e7163be34fc9b3eb14ffdbda.exe

description	pid	process	target process
PID 884 wrote to memory of 1440	884	e7e1825173152caddc73e659c39b956f666f4348e7163be34fc9b3eb14ffdbda.exe	WerFault.exe
PID 884 wrote to memory of 1440	884	e7e1825173152caddc73e659c39b956f666f4348e7163be34fc9b3eb14ffdbda.exe	WerFault.exe
PID 884 wrote to memory of 1440	884	e7e1825173152caddc73e659c39b956f666f4348e7163be34fc9b3eb14ffdbda.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\e7e1825173152caddc73e659c39b956f666f4348e7163be34fc9b3eb14ffdbda.exe
"C:\Users\Admin\AppData\Local\Temp\e7e1825173152caddc73e659c39b956f666f4348e7163be34fc9b3eb14ffdbda.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:884
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 884 -s 1032
  2⤵
  - Program crash
  PID:1440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\sensfiles.zip

Filesize
417KB

MD5
074adefae30ee2acb4ec7556828e76f9

SHA1
c7e123a48155cc14a9984e8c3373dd7830dfdfd6

SHA256
8860142ebe53a3fe753b856513f9957922ee480af59d8fef37a1f89c2caad5ac

SHA512
5b11599616a1bc2136b45c4c5284d359a12a363bb0a9caa9f3a89a1ddb8043d4e24e169d965340731af31a729bb0b869b325ba1ab9bfca71cd4b8f5f89e80010

Download Submit