Analysis
-
max time kernel
40s -
max time network
35s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
10-05-2024 12:06
Behavioral task
behavioral1
Sample
BLTools v2.9 [PRO].exe
Resource
win10v2004-20240508-en
General
-
Target
BLTools v2.9 [PRO].exe
-
Size
7.1MB
-
MD5
bef86c9792f7f8bc658ca1d1bce63c60
-
SHA1
d7d3fe3ae1e950cd4192d46a0bf6505ec3858689
-
SHA256
2ebfc2838c33ff2fc3547369bf0e8bcdfe41c245ede9241602f44afbf7c3cfdb
-
SHA512
6ec05fa9bd6ab5c8f1aaa323c81d9f8ae5905a9dba4c511a57c473f568fa551115442ac325547beaecb5c9813446689be37e0485a8fa78f03bf9e82386a93de7
-
SSDEEP
98304:LinmCgeyQbyt5fTQ7lN7jGb5XQueha05FK7Km53t/VXCRjwsRMJnq2ISUMRlEGy:L0/UVQ7D+b56ha07K7KettcVFcIG
Malware Config
Signatures
-
Luca Stealer
Info stealer written in Rust first seen in July 2022.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/988-3-0x00007FF6DAD00000-0x00007FF6DBBD2000-memory.dmp vmprotect behavioral1/memory/988-55-0x00007FF6DAD00000-0x00007FF6DBBD2000-memory.dmp vmprotect -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: BLTools v2.9 [PRO].exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 12 ip-api.com -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 988 BLTools v2.9 [PRO].exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 988 BLTools v2.9 [PRO].exe 988 BLTools v2.9 [PRO].exe 988 BLTools v2.9 [PRO].exe 988 BLTools v2.9 [PRO].exe 988 BLTools v2.9 [PRO].exe 988 BLTools v2.9 [PRO].exe 988 BLTools v2.9 [PRO].exe 988 BLTools v2.9 [PRO].exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: 33 968 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 968 AUDIODG.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\BLTools v2.9 [PRO].exe"C:\Users\Admin\AppData\Local\Temp\BLTools v2.9 [PRO].exe"1⤵
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:988
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4f4 0x4ec1⤵
- Suspicious use of AdjustPrivilegeToken
PID:968
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2544
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD57b3579220043b695d6fb78ac07b58c98
SHA1dc6bca6c1ed95bd54e59128165ec3a53b227d0fd
SHA2562a88d713e253a1cd9ac0f8c78873dcf0fe378a0b2cfda0ad225c5127fb614053
SHA5128ac3e8b36de395e28601a8f3ec3d688619695b6028dedd7e965a11fd0f02cce95a6570e4378d3221e4f3e0aad08f6ab21cabd05d4fbff2ecd58ddcff5444ad7b