lucastealer | ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487

Analysis

max time kernel
300s
max time network
271s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2023 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ACNBZD.exe
Size

5.9MB
MD5

021079dc0918b9c7359e93e770678000
SHA1

70c03da6f7b339340b1943f5d0b7b1fd87579adf
SHA256

ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487
SHA512

9bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0
SSDEEP

49152:CYnF4XAvvLEDnAby0/1lzR+aJAyPfugmqNiEQG8+ECYoue5S58pzEIOh4xsPub7T:z7OryzzCJf0zBxMkeWg+O2

Score

10^/10

lucastealer evasion persistence stealer

Malware Config

Extracted

Family

lucastealer

https://api.telegram.org/bot6068798932:AAG_cHiqinDwNZ3Hd-rdp8tPwbT0czdVwTw

Signatures

Luca Stealer
Info stealer written in Rust first seen in July 2022.
stealer lucastealer

Luca Stealer payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00070000000231f6-7.dat	family_lucastealer
behavioral2/files/0x00070000000231f6-8.dat	family_lucastealer

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
2080	acnbzd.exe
4088	icsys.icn.exe
3940	explorer.exe
2208	spoolsv.exe
4372	svchost.exe
1436	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4088	icsys.icn.exe
4088	icsys.icn.exe
3940	explorer.exe
3940	explorer.exe
3940	explorer.exe
3940	explorer.exe
3940	explorer.exe
3940	explorer.exe
3940	explorer.exe
3940	explorer.exe
4372	svchost.exe
4372	svchost.exe
4372	svchost.exe
4372	svchost.exe
3940	explorer.exe
3940	explorer.exe
4372	svchost.exe
4372	svchost.exe
3940	explorer.exe
3940	explorer.exe
4372	svchost.exe
4372	svchost.exe
3940	explorer.exe
3940	explorer.exe
4372	svchost.exe
4372	svchost.exe
3940	explorer.exe
3940	explorer.exe
4372	svchost.exe
4372	svchost.exe
3940	explorer.exe
4372	svchost.exe
3940	explorer.exe
4372	svchost.exe
3940	explorer.exe
3940	explorer.exe
4372	svchost.exe
4372	svchost.exe
3940	explorer.exe
3940	explorer.exe
4372	svchost.exe
4372	svchost.exe
3940	explorer.exe
3940	explorer.exe
4372	svchost.exe
4372	svchost.exe
3940	explorer.exe
3940	explorer.exe
4372	svchost.exe
4372	svchost.exe
3940	explorer.exe
3940	explorer.exe
4372	svchost.exe
4372	svchost.exe
3940	explorer.exe
3940	explorer.exe
4372	svchost.exe
4372	svchost.exe
3940	explorer.exe
3940	explorer.exe
4372	svchost.exe
4372	svchost.exe
3940	explorer.exe
3940	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3940	explorer.exe
4372	svchost.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1176	ACNBZD.exe
1176	ACNBZD.exe
4088	icsys.icn.exe
4088	icsys.icn.exe
3940	explorer.exe
3940	explorer.exe
2208	spoolsv.exe
2208	spoolsv.exe
4372	svchost.exe
4372	svchost.exe
1436	spoolsv.exe
1436	spoolsv.exe
3940	explorer.exe
3940	explorer.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 2080	1176	ACNBZD.exe	81
PID 1176 wrote to memory of 2080	1176	ACNBZD.exe	81
PID 1176 wrote to memory of 4088	1176	ACNBZD.exe	84
PID 1176 wrote to memory of 4088	1176	ACNBZD.exe	84
PID 1176 wrote to memory of 4088	1176	ACNBZD.exe	84
PID 4088 wrote to memory of 3940	4088	icsys.icn.exe	85
PID 4088 wrote to memory of 3940	4088	icsys.icn.exe	85
PID 4088 wrote to memory of 3940	4088	icsys.icn.exe	85
PID 3940 wrote to memory of 2208	3940	explorer.exe	86
PID 3940 wrote to memory of 2208	3940	explorer.exe	86
PID 3940 wrote to memory of 2208	3940	explorer.exe	86
PID 2208 wrote to memory of 4372	2208	spoolsv.exe	87
PID 2208 wrote to memory of 4372	2208	spoolsv.exe	87
PID 2208 wrote to memory of 4372	2208	spoolsv.exe	87
PID 4372 wrote to memory of 1436	4372	svchost.exe	88
PID 4372 wrote to memory of 1436	4372	svchost.exe	88
PID 4372 wrote to memory of 1436	4372	svchost.exe	88
PID 4372 wrote to memory of 3928	4372	svchost.exe	90
PID 4372 wrote to memory of 3928	4372	svchost.exe	90
PID 4372 wrote to memory of 3928	4372	svchost.exe	90
PID 4372 wrote to memory of 5100	4372	svchost.exe	98
PID 4372 wrote to memory of 5100	4372	svchost.exe	98
PID 4372 wrote to memory of 5100	4372	svchost.exe	98
PID 4372 wrote to memory of 4536	4372	svchost.exe	100
PID 4372 wrote to memory of 4536	4372	svchost.exe	100
PID 4372 wrote to memory of 4536	4372	svchost.exe	100
PID 4372 wrote to memory of 4108	4372	svchost.exe	102
PID 4372 wrote to memory of 4108	4372	svchost.exe	102
PID 4372 wrote to memory of 4108	4372	svchost.exe	102
PID 4372 wrote to memory of 3876	4372	svchost.exe	104
PID 4372 wrote to memory of 3876	4372	svchost.exe	104
PID 4372 wrote to memory of 3876	4372	svchost.exe	104

C:\Users\Admin\AppData\Local\Temp\ACNBZD.exe
"C:\Users\Admin\AppData\Local\Temp\ACNBZD.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1176
- \??\c:\users\admin\appdata\local\temp\acnbzd.exe
  c:\users\admin\appdata\local\temp\acnbzd.exe
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Users\Admin\AppData\Local\icsys.icn.exe
  C:\Users\Admin\AppData\Local\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4088
- - \??\c:\windows\system\explorer.exe
    c:\windows\system\explorer.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visiblity of hidden/system files in Explorer
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3940
  - - \??\c:\windows\system\spoolsv.exe
      c:\windows\system\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2208
    - - \??\c:\windows\system\svchost.exe
        
        c:\windows\system\svchost.exe
        5⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4372
      - \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1436
      - C:\Windows\SysWOW64\at.exe
        
        at 22:45 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:3928
      - C:\Windows\SysWOW64\at.exe
        
        at 22:46 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:5100
      - C:\Windows\SysWOW64\at.exe
        
        at 22:47 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:4536
      - C:\Windows\SysWOW64\at.exe
        
        at 22:48 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:4108
      - C:\Windows\SysWOW64\at.exe
        
        at 22:49 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
        6⤵
        
        PID:3876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\acnbzd.exe

Filesize
5.7MB

MD5
2c2055233260e5bb20ce675afd39ed0d

SHA1
26c056ba8e99a3fb523612b422a85be3ecbbd5b3

SHA256
306827f0ef0a4cbecd5458776244bf7ee99f2e49569daf0034176b39f5d1c17d

SHA512
3e2a18cd0c7fe5e3529d37ac37b352f8c19d3fef947f117701bb712c19cb40ff3ed56c843c789334a6c93382deef1f5cf4a48fbadb6b1e46fe804b9430fa1546

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
c5f78d788265a8c2b80017a0dc351266

SHA1
32836c3ccaf84431beaba1b10107743c052cddc0

SHA256
0a48908b44578715b511d6c067b2b0c1351783c049c68183f6067afff1ff72d0

SHA512
0315d122adf425001109bae742a1aff418f301f46c3655bf3e3d0c12ecc03ac3d70b52a60a744f81b7b041d28bf235f3d93abc26c71bfdd388be6a145a1bbb16

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
c5f78d788265a8c2b80017a0dc351266

SHA1
32836c3ccaf84431beaba1b10107743c052cddc0

SHA256
0a48908b44578715b511d6c067b2b0c1351783c049c68183f6067afff1ff72d0

SHA512
0315d122adf425001109bae742a1aff418f301f46c3655bf3e3d0c12ecc03ac3d70b52a60a744f81b7b041d28bf235f3d93abc26c71bfdd388be6a145a1bbb16

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe

Filesize
206KB

MD5
ef482d58c091b5f9145b779f8fa47d05

SHA1
a3cb62075f16c99ed7bd9c79396d2f651de29983

SHA256
1bb97a2a1c50ce5565362c1fafe0a0f77de245d86d718d15f40591126147fc1b

SHA512
188eebbffe45a06aaa247a020481adf2786e06c32476cf80d2e5b0ccacdde926850d152b5abffdd7d58584522375ee0e0f8fe10959030211c4f61a17ec063925

Download Submit
C:\Windows\System\explorer.exe

Filesize
206KB

MD5
4b4aa369b34ca6e9663d391d2bf3ba26

SHA1
34c790bcf88ee55b61f5b66f153a6d15dae13890

SHA256
9d70af30fc0d775bffa7a90778b30eee70ac9cde1235ebd484887b6f49d54237

SHA512
a87d6aba4ad019aa0dba8436fd2cd91948e65759dca1464cc3fa26d163206494b3668d7e52370049fcf83791a1b2c1d48d3cf08d67f1c2952a9c70ac0d35d1de

Download Submit
C:\Windows\System\explorer.exe

Filesize
206KB

MD5
4b4aa369b34ca6e9663d391d2bf3ba26

SHA1
34c790bcf88ee55b61f5b66f153a6d15dae13890

SHA256
9d70af30fc0d775bffa7a90778b30eee70ac9cde1235ebd484887b6f49d54237

SHA512
a87d6aba4ad019aa0dba8436fd2cd91948e65759dca1464cc3fa26d163206494b3668d7e52370049fcf83791a1b2c1d48d3cf08d67f1c2952a9c70ac0d35d1de

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
206KB

MD5
43b8bbcc0b6ae3184651a1ede88a8e6c

SHA1
72ed2113dc9007292a9a5782c30a45dd13c4d668

SHA256
067ca770918c6ef8620a393b31e87139ffee020a06ecbffdb37f72800da5aaa8

SHA512
cafdd6dab1e4488473a2fbc52303ed52952772ca982088629acc413709513a08b036d893e7d18b21e150423d52797538fbe75ec51dc4c3671aa96cbc9b8d57af

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
206KB

MD5
43b8bbcc0b6ae3184651a1ede88a8e6c

SHA1
72ed2113dc9007292a9a5782c30a45dd13c4d668

SHA256
067ca770918c6ef8620a393b31e87139ffee020a06ecbffdb37f72800da5aaa8

SHA512
cafdd6dab1e4488473a2fbc52303ed52952772ca982088629acc413709513a08b036d893e7d18b21e150423d52797538fbe75ec51dc4c3671aa96cbc9b8d57af

Download Submit
C:\Windows\System\svchost.exe

Filesize
207KB

MD5
ff2668b17300963c2a1f1864f212c257

SHA1
ad584b9391464f8ef8b7edf3dfb25aedb70b1628

SHA256
cf935de35387c7f87f668013288ed94cb882a8e6aa79e742ea5fadad17a8c21f

SHA512
0c17c274fb06ab32e30e39b17bcda919eeb0da454aa442d08082d9af06fd0fce82b9491e079424c3ab5ba2f88de1ccf2a404054d3897dcc89aecc2ece1214b34

Download Submit
\??\c:\users\admin\appdata\local\temp\acnbzd.exe

Filesize
5.7MB

MD5
2c2055233260e5bb20ce675afd39ed0d

SHA1
26c056ba8e99a3fb523612b422a85be3ecbbd5b3

SHA256
306827f0ef0a4cbecd5458776244bf7ee99f2e49569daf0034176b39f5d1c17d

SHA512
3e2a18cd0c7fe5e3529d37ac37b352f8c19d3fef947f117701bb712c19cb40ff3ed56c843c789334a6c93382deef1f5cf4a48fbadb6b1e46fe804b9430fa1546

Download Submit
\??\c:\windows\system\explorer.exe

Filesize
206KB

MD5
4b4aa369b34ca6e9663d391d2bf3ba26

SHA1
34c790bcf88ee55b61f5b66f153a6d15dae13890

SHA256
9d70af30fc0d775bffa7a90778b30eee70ac9cde1235ebd484887b6f49d54237

SHA512
a87d6aba4ad019aa0dba8436fd2cd91948e65759dca1464cc3fa26d163206494b3668d7e52370049fcf83791a1b2c1d48d3cf08d67f1c2952a9c70ac0d35d1de

Download Submit
\??\c:\windows\system\spoolsv.exe

Filesize
206KB

MD5
43b8bbcc0b6ae3184651a1ede88a8e6c

SHA1
72ed2113dc9007292a9a5782c30a45dd13c4d668

SHA256
067ca770918c6ef8620a393b31e87139ffee020a06ecbffdb37f72800da5aaa8

SHA512
cafdd6dab1e4488473a2fbc52303ed52952772ca982088629acc413709513a08b036d893e7d18b21e150423d52797538fbe75ec51dc4c3671aa96cbc9b8d57af

Download Submit
\??\c:\windows\system\svchost.exe

Filesize
207KB

MD5
ff2668b17300963c2a1f1864f212c257

SHA1
ad584b9391464f8ef8b7edf3dfb25aedb70b1628

SHA256
cf935de35387c7f87f668013288ed94cb882a8e6aa79e742ea5fadad17a8c21f

SHA512
0c17c274fb06ab32e30e39b17bcda919eeb0da454aa442d08082d9af06fd0fce82b9491e079424c3ab5ba2f88de1ccf2a404054d3897dcc89aecc2ece1214b34

Download Submit
memory/1176-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1176-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1436-44-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2208-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3940-51-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3940-20-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4088-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4372-52-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download