Overview

overview

10

Static

static

5

5c716264ac...9e.exe

windows7-x64

10

5c716264ac...9e.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    5c716264acfa43a258fdb03007e2e787b230230e7e1d4d5bbcf256810b02909e

  • Size

    4.6MB

  • Sample

    231120-jxyqtsee89

  • MD5

    4fb226993825558cca2e8aa844033078

  • SHA1

    f3fa3d94a7a01970a99f9dcf5fad250be30b8fd2

  • SHA256

    5c716264acfa43a258fdb03007e2e787b230230e7e1d4d5bbcf256810b02909e

  • SHA512

    c5ab520f0953ed53e682d811b6d51be11c4e831fa890913d1d2eb7ed03e2102c882f933f48bf8831b8ca5a605da7a98a6524b5a5cb6de1fd9d16351a2b53a2f8

  • SSDEEP

    98304:utrbTA143lUrmaEXLW6jRhdGVQguhhW31Zo:Qc14IML5LdGVzu+la

Score
10/10
lucastealerevasionpersistencestealer

Malware Config

Extracted

Family

lucastealer

C2

https://api.telegram.org/bot6068798932:AAG_cHiqinDwNZ3Hd-rdp8tPwbT0czdVwTw

Targets

    • Target

      5c716264acfa43a258fdb03007e2e787b230230e7e1d4d5bbcf256810b02909e

    • Size

      4.6MB

    • MD5

      4fb226993825558cca2e8aa844033078

    • SHA1

      f3fa3d94a7a01970a99f9dcf5fad250be30b8fd2

    • SHA256

      5c716264acfa43a258fdb03007e2e787b230230e7e1d4d5bbcf256810b02909e

    • SHA512

      c5ab520f0953ed53e682d811b6d51be11c4e831fa890913d1d2eb7ed03e2102c882f933f48bf8831b8ca5a605da7a98a6524b5a5cb6de1fd9d16351a2b53a2f8

    • SSDEEP

      98304:utrbTA143lUrmaEXLW6jRhdGVQguhhW31Zo:Qc14IML5LdGVzu+la

    Score
    10/10
    lucastealerevasionpersistencestealer

    • Luca Stealer

      Info stealer written in Rust first seen in July 2022.

      stealerlucastealer

    • Modifies WinLogon for persistence

      persistence

    • Modifies visiblity of hidden/system files in Explorer

      evasion

    • Modifies Installed Components in the registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

4
T1112

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks