lucastealer | 841f53fc09a19fc5edd5e18ef724432e14abadbd3aa040c248b2daeb84c98ab5

Analysis

max time kernel
86s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18-02-2024 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xone.crack.exe
Size

4.3MB
MD5

d8ce4ef56ff10aa1a9625d76509993bc
SHA1

a032f36290695d1f8f744d188d025993d62b1dab
SHA256

ab714198bd03a5b9577fe4f974f08eb8bc4d63de51ace8964f2dbc279c1c2f86
SHA512

84f2f1e205f90b2c48304481f300c7dd171a59f9f2fdbae00279578aae2164e0db162c78d75024779064728f47e98de49a67a9d6b5b14e80f1d650b8c11d9e83
SSDEEP

49152:XJzG4XQxvHUmPbLHzDJLwvGEzgFuDOkWHYgEETBLunBwHAN5CHhCwoqmDuxZs8Dz:RkvHUmv1+Ge0Yh4voqmDu0WxcyRZmH

Score

10^/10

lucastealer spyware stealer

Malware Config

Signatures

Luca Stealer
Info stealer written in Rust first seen in July 2022.
stealer lucastealer
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

xone.crack.exe

description	ioc	Process
File opened (read-only)	\??\F:	xone.crack.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
13	ip-api.com

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

xone.crack.exe

pid	Process
3864	xone.crack.exe
3864	xone.crack.exe
3864	xone.crack.exe
3864	xone.crack.exe
3864	xone.crack.exe
3864	xone.crack.exe

C:\Users\Admin\AppData\Local\Temp\xone.crack.exe
"C:\Users\Admin\AppData\Local\Temp\xone.crack.exe"
1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:3864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads