Overview

overview

10

Static

static

3

payload.exe

windows7-x64

10

payload.exe

windows10-1703-x64

10

payload.exe

windows10-2004-x64

10

Resubmissions

02-11-2023 21:08

231102-zy2f4shf43 10

02-11-2023 19:29

231102-x7fjwsec8w 10

30-06-2023 11:57

230630-n4mdlaae31 7

Analysis

  • max time kernel
    220s
  • max time network
    275s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-11-2023 19:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    payload.exe

  • Size

    9.0MB

  • MD5

    f6c5df8944a965d0d3aa2e124a1935af

  • SHA1

    3ff36a13827d193a85eed40b59646bad1d676986

  • SHA256

    41554c195bc8c87ddb8bbeacefe77c033f56549a03361dd76c2243546dd1f2d8

  • SHA512

    8d75df03c33e9288b2d4b9e941c89ca2e0e7008e151ee3c104292427266043050f9966d0ff6e5c46890bde404337873768a4cde255778418144766646d08ceae

  • SSDEEP

    196608:cTEcVnJULKrytYcJX7Nfjw9cI1qyz+6weSn5NeCX4X6:4EcVnukcJLtlIwqwemrePX6

Score
10/10
lucastealerspywarestealer

Malware Config

Extracted

Family

lucastealer

C2

https://api.telegram.org/bot5749635914:AAHO1FmA3UVCNqptBOADqQF-cFGUoMOYe6g

Signatures

  • Luca Stealer

    Info stealer written in Rust first seen in July 2022.

    stealerlucastealer
  • Luca Stealer payload 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\payload.exe
    "C:\Users\Admin\AppData\Local\Temp\payload.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1400
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "Get-Culture | Select -ExpandProperty DisplayName"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4252

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\KPE1Q5PCl9ws2dwccNMnDjZbNIS7nR\sensfiles.zip
    Filesize

    3.2MB

    MD5

    089a898b91faef27b64f5e313db7cbfb

    SHA1

    bdd3368d4d46c1490690cbfdef7f27aa82980a7b

    SHA256

    23e51a8d829d268c2b5f7eb6826e45598ff258d602f7001eec8cb5fe2fc0ba54

    SHA512

    749ff4b7fa308e76f5040a5e6b964af011ea44e81134995bfe9391f8ec90dafebaf660f658aad81e08d99078d29b49b54d3516040bb83f8895919f3cec8dcfce

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mgazwm5r.5fd.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vivaldi_default_login_data
    Filesize

    48KB

    MD5

    349e6eb110e34a08924d92f6b334801d

    SHA1

    bdfb289daff51890cc71697b6322aa4b35ec9169

    SHA256

    c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

    SHA512

    2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

    Download Submit

  • memory/1400-2-0x00007FF7E9BE0000-0x00007FF7EAC77000-memory.dmp

    Filesize

    16.6MB

    Download

  • memory/1400-1-0x00007FF7E9BE0000-0x00007FF7EAC77000-memory.dmp

    Filesize

    16.6MB

    Download

  • memory/1400-72-0x00007FF7E9BE0000-0x00007FF7EAC77000-memory.dmp

    Filesize

    16.6MB

    Download

  • memory/1400-70-0x00007FF7E9BE0000-0x00007FF7EAC77000-memory.dmp

    Filesize

    16.6MB

    Download

  • memory/1400-0-0x00007FFA04AD0000-0x00007FFA04AD2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4252-17-0x000001F341100000-0x000001F341110000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4252-23-0x00007FF9E5600000-0x00007FF9E60C1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4252-19-0x000001F341100000-0x000001F341110000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4252-18-0x000001F341100000-0x000001F341110000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4252-16-0x00007FF9E5600000-0x00007FF9E60C1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4252-6-0x000001F35CF60000-0x000001F35CF82000-memory.dmp

    Filesize

    136KB

    Download