lucastealer | 8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2

General

Target

8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2N.exe
Size

7.6MB
MD5

4468b7d8b19786f8d0dec5066bfd1ea0
SHA1

57a072f94c5cc277702c985cccf2e9deff355bb0
SHA256

8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2
SHA512

98900d5974b19e83455ea6c5abf1847aabd484b7a5ac0fb131c5cd369cf161fe1c053dcd00c7c26a851b3f0f1c88649a96fe9fbac531e3dbbf8967e0e3dc3bc3
SSDEEP

196608:Tc1M+L5LdGVzu+l6qbGEanloOTe8dUFazO:Tw5LdGVzBEHPPe5FOO

Score

10^/10

lucastealer discovery persistence stealer

Malware Config

Extracted

Family

lucastealer

C2

https://api.telegram.org/bot6068798932:AAG_cHiqinDwNZ3Hd-rdp8tPwbT0czdVwTw

Signatures

Luca Stealer
Info stealer written in Rust first seen in July 2022.
stealer lucastealer

Drops startup file 1 IoCs

Processes:

8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2N.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WPZAGW.lnk	8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2N.exe

Executes dropped EXE 4 IoCs

Processes:

JAVWEP.exeMIYJHY.exemiyjhy.exe javwep.exe

pid	Process
2744	JAVWEP.exe
1780	MIYJHY.exe
1348	miyjhy.exe
2176	javwep.exe

Loads dropped DLL 14 IoCs

Processes:

8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2N.exeMIYJHY.exeJAVWEP.exemiyjhy.exe

pid	Process
2880	8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2N.exe
2880	8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2N.exe
2880	8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2N.exe
2880	8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2N.exe
2880	8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2N.exe
2880	8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2N.exe
2880	8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2N.exe
2880	8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2N.exe
2880	8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2N.exe
2880	8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2N.exe
1780	MIYJHY.exe
2744	JAVWEP.exe
2744	JAVWEP.exe
1348	miyjhy.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2N.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\WPZAGW = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\Microsoft Office Click-to-Run.exe\""	8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

schtasks.exe8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2N.exeJAVWEP.exeMIYJHY.exemiyjhy.exe cmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAVWEP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MIYJHY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	miyjhy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
1440	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2N.exe

pid	Process
2880	8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2N.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2N.exe

pid	Process
2880	8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2N.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

JAVWEP.exeMIYJHY.exe

pid	Process
2744	JAVWEP.exe
2744	JAVWEP.exe
1780	MIYJHY.exe
1780	MIYJHY.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2N.exeMIYJHY.exeJAVWEP.execmd.exe

description	pid	Process	procid_target
PID 2880 wrote to memory of 2744	2880	8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2N.exe	30
PID 2880 wrote to memory of 2744	2880	8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2N.exe	30
PID 2880 wrote to memory of 2744	2880	8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2N.exe	30
PID 2880 wrote to memory of 2744	2880	8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2N.exe	30
PID 2880 wrote to memory of 1780	2880	8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2N.exe	31
PID 2880 wrote to memory of 1780	2880	8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2N.exe	31
PID 2880 wrote to memory of 1780	2880	8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2N.exe	31
PID 2880 wrote to memory of 1780	2880	8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2N.exe	31
PID 1780 wrote to memory of 1348	1780	MIYJHY.exe	32
PID 1780 wrote to memory of 1348	1780	MIYJHY.exe	32
PID 1780 wrote to memory of 1348	1780	MIYJHY.exe	32
PID 1780 wrote to memory of 1348	1780	MIYJHY.exe	32
PID 2744 wrote to memory of 2176	2744	JAVWEP.exe	33
PID 2744 wrote to memory of 2176	2744	JAVWEP.exe	33
PID 2744 wrote to memory of 2176	2744	JAVWEP.exe	33
PID 2744 wrote to memory of 2176	2744	JAVWEP.exe	33
PID 2880 wrote to memory of 1116	2880	8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2N.exe	35
PID 2880 wrote to memory of 1116	2880	8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2N.exe	35
PID 2880 wrote to memory of 1116	2880	8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2N.exe	35
PID 2880 wrote to memory of 1116	2880	8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2N.exe	35
PID 1116 wrote to memory of 1440	1116	cmd.exe	37
PID 1116 wrote to memory of 1440	1116	cmd.exe	37
PID 1116 wrote to memory of 1440	1116	cmd.exe	37
PID 1116 wrote to memory of 1440	1116	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2N.exe
"C:\Users\Admin\AppData\Local\Temp\8ef1aee012f515e5434932fb73ae7d238c2c547d9306dd42cf4f3c4af87cead2N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Users\Admin\AppData\Local\Temp\JAVWEP.exe
  "C:\Users\Admin\AppData\Local\Temp\JAVWEP.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2744
- - \??\c:\users\admin\appdata\local\temp\javwep.exe
    c:\users\admin\appdata\local\temp\javwep.exe
    3⤵
    - Executes dropped EXE
    PID:2176
- C:\Users\Admin\AppData\Local\Temp\MIYJHY.exe
  "C:\Users\Admin\AppData\Local\Temp\MIYJHY.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1780
- - \??\c:\users\admin\appdata\local\temp\miyjhy.exe
    c:\users\admin\appdata\local\temp\miyjhy.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /create /tn WPZAGW.exe /tr C:\Users\Admin\AppData\Roaming\Windata\Microsoft Office Click-to-Run.exe /sc minute /mo 1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn WPZAGW.exe /tr C:\Users\Admin\AppData\Roaming\Windata\Microsoft Office Click-to-Run.exe /sc minute /mo 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\javwep.exe

Filesize
5.7MB

MD5
2c2055233260e5bb20ce675afd39ed0d

SHA1
26c056ba8e99a3fb523612b422a85be3ecbbd5b3

SHA256
306827f0ef0a4cbecd5458776244bf7ee99f2e49569daf0034176b39f5d1c17d

SHA512
3e2a18cd0c7fe5e3529d37ac37b352f8c19d3fef947f117701bb712c19cb40ff3ed56c843c789334a6c93382deef1f5cf4a48fbadb6b1e46fe804b9430fa1546

Download Submit
C:\Users\Admin\AppData\Local\Temp\miyjhy.exe

Filesize
2.8MB

MD5
c322f83a5e9f2231f48436fdf14dbfe7

SHA1
2ecfcd7bb8f3d04dbc6c2f14a1456727d5cb68e0

SHA256
c27aad70501f9346e36d3557e01ec2fe84c192ffb75e588c7b787e6d3310909d

SHA512
055815ec2d97ab687fdc65ab636c0de003472d030caf83e0248978ab059d00b0d70b660860a541fee8259c66bdde1ba700909982472d1d1dd3076fa9d5be3663

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe

Filesize
206KB

MD5
c5f78d788265a8c2b80017a0dc351266

SHA1
32836c3ccaf84431beaba1b10107743c052cddc0

SHA256
0a48908b44578715b511d6c067b2b0c1351783c049c68183f6067afff1ff72d0

SHA512
0315d122adf425001109bae742a1aff418f301f46c3655bf3e3d0c12ecc03ac3d70b52a60a744f81b7b041d28bf235f3d93abc26c71bfdd388be6a145a1bbb16

Download Submit
\Users\Admin\AppData\Local\Temp\JAVWEP.exe

Filesize
5.9MB

MD5
021079dc0918b9c7359e93e770678000

SHA1
70c03da6f7b339340b1943f5d0b7b1fd87579adf

SHA256
ee63e26e84d8092fda9e527f7db34777b6261d8dfc96ed42167383f88cf1c487

SHA512
9bc14753e39f2c93737886439d64a458f08265d1d8176c233a8e3f864e1f4f2751b161aa22408618d0dd343fb88b7037c8c2eee898c6d9b3bf466aaea709c5b0

Download Submit
\Users\Admin\AppData\Local\Temp\MIYJHY.exe

Filesize
3.0MB

MD5
4f2b20a8226b6e6c7cdd2a3b49b466b6

SHA1
ae13c508f617d6f61743c9844c7dbf21bf363583

SHA256
f912c3ab51ae85bee31e275014ced975a8ccb7fde6c2bfe26f2ac48d037a4a62

SHA512
f70c4e74104fad77a493a8453c3b8143445e67391dda0e8de82a59d16f3ec5dbeefc6d1c1e497b24e3338d3fd1deed8233992904aeda6fbdca94a0ac535b30ea

Download Submit
\Users\Admin\AppData\Local\Temp\dup2patcher.dll

Filesize
2.7MB

MD5
6f3f670a000253bc889c7688a1013e55

SHA1
51032eda76e8979df2772b460f6fa316084a4767

SHA256
3a2ee216222e310b9bdecb4ed1ba369fe56de3e9a11089629c5e111f2d1c6fce

SHA512
a3f8a11b1bc3b6113d3ce5610f8bdfaabf603f38ad50756c0aaa5c52e57e4245bb49dd8d4f01aca39ff81f2724c5c78419c0607b8a9999ecca973d7c0415c15f

Download Submit
memory/1348-84-0x0000000074C10000-0x0000000074EE1000-memory.dmp

Filesize
2.8MB

Download
memory/1348-74-0x0000000074C10000-0x0000000074EE1000-memory.dmp

Filesize
2.8MB

Download
memory/1780-76-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1780-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2744-30-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2744-78-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2880-22-0x0000000003520000-0x0000000003560000-memory.dmp

Filesize
256KB

Download
memory/2880-12-0x0000000003520000-0x0000000003560000-memory.dmp

Filesize
256KB

Download
memory/2880-82-0x0000000003520000-0x0000000003560000-memory.dmp

Filesize
256KB

Download
memory/2880-83-0x0000000003520000-0x0000000003560000-memory.dmp

Filesize
256KB

Download
memory/2880-13-0x0000000003520000-0x0000000003560000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads