lucastealer | 8acf346f8e6cc412c42bcf827a01fc8b22ce643aa8088f025e2320c43c145f28

Analysis

max time kernel
30s
max time network
78s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
16-03-2023 16:56

Target

e7e1825173152caddc73e659c39b956f666f4348e7163be34fc9b3eb14ffdbda.exe
Size

3.6MB
MD5

6ea2e54163f59cc8a7b73e38cce87071
SHA1

6a92ebd7713ce02161da0fced34581c0d3921ab4
SHA256

e7e1825173152caddc73e659c39b956f666f4348e7163be34fc9b3eb14ffdbda
SHA512

639482bdd1b21f3b1ea42dd6d53e5552af1d5a4bd94e5b110e4cb0b5fcab8675b04ed1ed00dac4f6a0f4295e2396cd3976031c6adb4d9b5e075d5bae253d0846
SSDEEP

49152:NTOx9LzpCkE4m85goOiG73wv6R8fKHIOC5ATFru2+Jm+4s2AfBJk/xoIHZqgKMHg:dFGAjpo12bZKMuk

Score

10^/10

Luca Stealer
Info stealer written in Rust first seen in July 2022.
stealer lucastealer
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1440	884	WerFault.exe	25

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
884	e7e1825173152caddc73e659c39b956f666f4348e7163be34fc9b3eb14ffdbda.exe
884	e7e1825173152caddc73e659c39b956f666f4348e7163be34fc9b3eb14ffdbda.exe
884	e7e1825173152caddc73e659c39b956f666f4348e7163be34fc9b3eb14ffdbda.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	884	e7e1825173152caddc73e659c39b956f666f4348e7163be34fc9b3eb14ffdbda.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 1440	884	e7e1825173152caddc73e659c39b956f666f4348e7163be34fc9b3eb14ffdbda.exe	28
PID 884 wrote to memory of 1440	884	e7e1825173152caddc73e659c39b956f666f4348e7163be34fc9b3eb14ffdbda.exe	28
PID 884 wrote to memory of 1440	884	e7e1825173152caddc73e659c39b956f666f4348e7163be34fc9b3eb14ffdbda.exe	28

C:\Users\Admin\AppData\Local\Temp\e7e1825173152caddc73e659c39b956f666f4348e7163be34fc9b3eb14ffdbda.exe
"C:\Users\Admin\AppData\Local\Temp\e7e1825173152caddc73e659c39b956f666f4348e7163be34fc9b3eb14ffdbda.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:884
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 884 -s 1032
  2⤵
  - Program crash
  PID:1440

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\sensfiles.zip

Filesize
417KB

MD5
074adefae30ee2acb4ec7556828e76f9

SHA1
c7e123a48155cc14a9984e8c3373dd7830dfdfd6

SHA256
8860142ebe53a3fe753b856513f9957922ee480af59d8fef37a1f89c2caad5ac

SHA512
5b11599616a1bc2136b45c4c5284d359a12a363bb0a9caa9f3a89a1ddb8043d4e24e169d965340731af31a729bb0b869b325ba1ab9bfca71cd4b8f5f89e80010

Download Submit