lucastealer | f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077 | Triage

Submit
Reports

Overview

overview

Static

static

3

f543698185...JC.exe

windows7-x64

f543698185...JC.exe

windows10-2004-x64

Sharing

General

Target

f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe
Size

54.3MB
Sample

231014-ejrcdahc76
MD5

ccf8ac85bd8c852fe818875ad7cdccd4
SHA1

1938cfb720e3a0fe2af2aaf28755d9d2749f65af
SHA256

f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077
SHA512

ef9253507d90b1731f05811ba4ed263ecccbc1e8abdcaf1ee7b2f9a5ce5cf66dedb3c5ca99a47b9516aa8ae7bf7c07c0a7b98f7eec33e33bb7b1eda7abf7911f
SSDEEP

1572864:YXog+tP2EY414hjFiHaAXH7JxA+GBO+shlvjgg9sf:8t+tP12E3Ud43h1cg9

Score

10^/10

lucastealer xworm persistence rat stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe

Resource

win7-20230831-en

lucastealer xworm persistence rat stealer trojan

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe

Resource

win10v2004-20230915-en

lucastealer xworm persistence rat stealer trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

3.1

C2

216.230.73.215:6789

Mutex

JhB3xwmTJqR9i5Pu

Attributes

Install_directory
%ProgramData%
install_file
SyncHost.exe
telegram
https://api.telegram.org/bot6051093382:AAFB_OlEEXCr5NVu4fhuf3m_RPUHXO-LxuA/sendMessage?chat_id=1876538826

aes.plain

Targets

- Target
  
  f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077_JC.exe
- Size
  
  54.3MB
- MD5
  
  ccf8ac85bd8c852fe818875ad7cdccd4
- SHA1
  
  1938cfb720e3a0fe2af2aaf28755d9d2749f65af
- SHA256
  
  f543698185b9317144afc30bef3fe4c225f4c6e1c02e8394702a37423f666077
- SHA512
  
  ef9253507d90b1731f05811ba4ed263ecccbc1e8abdcaf1ee7b2f9a5ce5cf66dedb3c5ca99a47b9516aa8ae7bf7c07c0a7b98f7eec33e33bb7b1eda7abf7911f
- SSDEEP
  
  1572864:YXog+tP2EY414hjFiHaAXH7JxA+GBO+shlvjgg9sf:8t+tP12E3Ud43h1cg9
Score

10^/10

lucastealer xworm persistence rat stealer trojan
- Detect Xworm Payload
- Luca Stealer
  Info stealer written in Rust first seen in July 2022.
  stealer lucastealer
- Luca Stealer payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

lucastealerxwormpersistenceratstealertrojan

behavioral2

lucastealerxwormpersistenceratstealertrojan

© 2018-2024

Terms | Privacy