lucastealer | MQVIFDDBKZ[.]bin[.]zip

Sharing

Copy URL

Twitter E-mail

General

Target

MQVIFDDBKZ.bin.zip
Size

2.0MB
MD5

95aa5131df54068b7883b849888e91e2
SHA1

76012d35c71189922d6f66c09f96cc076a14d572
SHA256

a7f20208e2acdaef29b5684758c3d6c330ecf984982dcbb837ba162c88290950
SHA512

65dcef53bd3c79fc79cebef50f205d94cba59f3f94f38591999e4c4486c9e1fa51d1d280de1e86ece47101336b0c08ebd87b42a2059b689c4bf49864666df1d9
SSDEEP

49152:y6RVwfL+6Oncd50MHHmYH5bU8vOCYZqGCXZNI2ZM:+L+6OcwoGYRvOC+YXd6

Score

10^/10

lucastealer

Malware Config

Signatures

Luca Stealer payload 1 IoCs

resource	yara_rule
static1/unpack001/MQVIFDDBKZ.bin	family_lucastealer

Lucastealer family
lucastealer

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/MQVIFDDBKZ.bin

Files

MQVIFDDBKZ.bin.zip
.zip

Password: infected
MQVIFDDBKZ.bin
.exe windows:6 windows x64

af03596c917fe96119e9e3ce1216a3d5

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

ntdll

NtDeviceIoControlFile
NtCreateFile
NtWriteFile
RtlNtStatusToDosError
NtCancelIoFileEx
RtlUnwindEx
RtlPcToFileHeader
RtlLookupFunctionEntry
NtReadFile
RtlCaptureContext
RtlVirtualUnwind

kernel32

CreateIoCompletionPort
GetFinalPathNameByHandleW
SetLastError
WaitForMultipleObjects
GetOverlappedResult
WaitForSingleObject
GetExitCodeProcess
AddVectoredExceptionHandler
SetThreadStackGuarantee
GetSystemInfo
WakeAllConditionVariable
GetFileInformationByHandle
WideCharToMultiByte
GlobalSize
SetFileCompletionNotificationModes
TryAcquireSRWLockExclusive
SwitchToThread
GetModuleHandleA
GetCurrentThread
ReleaseSRWLockExclusive
GetStdHandle
GetConsoleMode
WriteConsoleW
WaitForSingleObjectEx
GetQueuedCompletionStatusEx
CreateMutexA
ReleaseMutex
GetEnvironmentVariableW
GetModuleHandleW
FormatMessageW
GetTempPathW
GetModuleFileNameW
CreateFileW
GetFileInformationByHandleEx
GetFullPathNameW
SetFilePointerEx
FindNextFileW
CreateDirectoryW
FindFirstFileW
FindClose
GlobalUnlock
GlobalLock
GlobalAlloc
MultiByteToWideChar
GetEnvironmentStringsW
FreeEnvironmentStringsW
CompareStringOrdinal
GetSystemDirectoryW
GetWindowsDirectoryW
CreateProcessW
GetFileAttributesW
DuplicateHandle
CreateNamedPipeW
CreateThread
Sleep
SleepEx
WriteFileEx
CreateEventW
CancelIo
ReadFile
LoadLibraryExW
QueryPerformanceFrequency
GetSystemTimeAsFileTime
GetCurrentDirectoryW
AcquireSRWLockShared
ReleaseSRWLockShared
CopyFileExW
SleepConditionVariableSRW
SetHandleInformation
GlobalFree
HeapReAlloc
GetProcessHeap
PostQueuedCompletionStatus
WakeConditionVariable
HeapAlloc
GetCurrentProcess
UnhandledExceptionFilter
GetLastError
SetUnhandledExceptionFilter
TerminateProcess
CloseHandle
IsProcessorFeaturePresent
FlushFileBuffers
GetTickCount
MapViewOfFile
CreateFileMappingW
FormatMessageA
GetSystemTime
FreeLibrary
SystemTimeToFileTime
GetFileSize
LockFileEx
LocalFree
UnlockFile
HeapDestroy
HeapCompact
LoadLibraryW
DeleteFileW
DeleteFileA
CreateFileA
FlushViewOfFile
OutputDebugStringW
GetFileAttributesExW
GetFileAttributesA
GetDiskFreeSpaceA
GetTempPathA
HeapSize
HeapValidate
UnmapViewOfFile
CreateMutexW
UnlockFileEx
SetEndOfFile
GetFullPathNameA
SetFilePointer
LockFile
OutputDebugStringA
GetDiskFreeSpaceW
WriteFile
HeapCreate
AreFileApisANSI
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
TryEnterCriticalSection
DeleteCriticalSection
GetCurrentThreadId
AcquireSRWLockExclusive
InitializeSListHead
IsDebuggerPresent
GetProcAddress
LoadLibraryA
HeapFree
ReadFileEx
EncodePointer
RaiseException
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetCurrentProcessId
QueryPerformanceCounter

oleaut32

SysAllocStringLen
SysFreeString
SafeArrayGetUBound
SafeArrayAccessData
VariantClear
SafeArrayDestroy
SafeArrayUnaccessData
SafeArrayGetLBound

ws2_32

WSASocketW
WSAGetLastError
accept
listen
send
shutdown
bind
ioctlsocket
socket
closesocket
WSAIoctl
getpeername
getsockname
getsockopt
recv
WSASend
WSACleanup
WSAStartup
connect
getaddrinfo
setsockopt
freeaddrinfo

crypt32

CertDuplicateStore
CertCloseStore
CertOpenStore
CertGetCertificateChain
CertAddCertificateContextToStore
CertEnumCertificatesInStore
CertFreeCertificateChain
CertFreeCertificateContext
CertDuplicateCertificateContext
CryptUnprotectData
CertVerifyCertificateChainPolicy
CertDuplicateCertificateChain

user32

EnumDisplaySettingsExW
OpenClipboard
GetClipboardData
CloseClipboard
EnumDisplayMonitors
GetMonitorInfoW
EmptyClipboard
SetClipboardData

bcrypt

BCryptGenRandom

advapi32

RegOpenKeyExW
CheckTokenMembership
FreeSid
SystemFunction036
RegCloseKey
AllocateAndInitializeSid
RegQueryValueExW

secur32

AcquireCredentialsHandleA
FreeContextBuffer
AcceptSecurityContext
FreeCredentialsHandle
ApplyControlToken
EncryptMessage
DeleteSecurityContext
DecryptMessage
QueryContextAttributesW
InitializeSecurityContextW

ole32

CoSetProxyBlanket
CoInitializeSecurity
CoInitializeEx
CoCreateInstance

gdi32

GetObjectW
DeleteObject
SelectObject
GetDIBits
StretchBlt
CreateCompatibleBitmap
CreateCompatibleDC
CreateDCW
DeleteDC
GetDeviceCaps
SetStretchBltMode

api-ms-win-crt-string-l1-1-0

strcmp
strcspn
strncmp
wcsncmp
strcpy_s
strlen

api-ms-win-crt-math-l1-1-0

pow
_dclass
__setusermatherr
log

api-ms-win-crt-heap-l1-1-0

realloc
free
_msize
calloc
_set_new_mode
malloc

api-ms-win-crt-utility-l1-1-0

_rotl64
qsort

api-ms-win-crt-time-l1-1-0

_localtime64_s

api-ms-win-crt-runtime-l1-1-0

abort
_configure_narrow_argv
_initialize_narrow_environment
_get_initial_narrow_environment
_seh_filter_exe
_initterm_e
exit
terminate
_crt_atexit
_exit
_endthreadex
_register_thread_local_exe_atexit_callback
_beginthreadex
_set_app_type
_initialize_onexit_table
_c_exit
_initterm
__p___argc
_register_onexit_function
__p___argv
_cexit

api-ms-win-crt-stdio-l1-1-0

__p__commode
_set_fmode

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

Sections

.text
Size: 3.0MB - Virtual size: 3.0MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 24KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 70KB - Virtual size: 70KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 29KB - Virtual size: 29KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

af03596c917fe96119e9e3ce1216a3d5

Headers

DLL Characteristics

File Characteristics

Imports

ntdll

kernel32

oleaut32

ws2_32

crypt32

user32

bcrypt

advapi32

secur32

ole32

gdi32

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-locale-l1-1-0

Sections

.text Size: 3.0MB - Virtual size: 3.0MB

.rdata Size: 1.1MB - Virtual size: 1.1MB

.data Size: 24KB - Virtual size: 27KB

.pdata Size: 70KB - Virtual size: 70KB

_RDATA Size: 512B - Virtual size: 348B

.reloc Size: 29KB - Virtual size: 29KB

.text
Size: 3.0MB - Virtual size: 3.0MB

.rdata
Size: 1.1MB - Virtual size: 1.1MB

.data
Size: 24KB - Virtual size: 27KB

.pdata
Size: 70KB - Virtual size: 70KB

_RDATA
Size: 512B - Virtual size: 348B

.reloc
Size: 29KB - Virtual size: 29KB