Analysis
-
max time kernel
106s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 23:06
Behavioral task
behavioral1
Sample
BLTools_v2.9__PRO_.zip
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
BLTools_v2.9__PRO_.zip
Resource
win10v2004-20241007-en
General
-
Target
BLTools_v2.9__PRO_.zip
-
Size
9.9MB
-
MD5
8586f2582de2dac652004ce8818a7741
-
SHA1
6c940e8dbe7ddfd23ea0efb79087728651d1aa9f
-
SHA256
c838c451a5edbc8ab8bd38a3d8d37623e97fa2f109d60bb7fe7b91d80279dbb5
-
SHA512
ce7cefe5c485316f94ba9034df5839cbaf71f1013b9e78ef313c70427bae9245849a2aa9df05dfd38c47b8719ad00aca5b8f9ce0e8a6d3c7e874b56d003b5e33
-
SSDEEP
196608:7Zkf5xM9FU495KnWXeWYGLq2uFn440rzX5ub18l3V2aC2/5K5ZD7Reu7ZvTvwqVn:lxvnuWLqR440/pCQ3k4w5Z9ZvzwOSsm2
Malware Config
Signatures
-
Luca Stealer
Info stealer written in Rust first seen in July 2022.
-
Lucastealer family
-
Executes dropped EXE 2 IoCs
pid Process 4468 BLTools v2.9 [PRO].exe 4404 BLTools v2.9 [PRO].exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
resource yara_rule behavioral2/files/0x0007000000023ca8-395.dat vmprotect behavioral2/memory/4468-403-0x00007FF6E98A0000-0x00007FF6EA772000-memory.dmp vmprotect behavioral2/memory/4468-444-0x00007FF6E98A0000-0x00007FF6EA772000-memory.dmp vmprotect behavioral2/memory/4404-450-0x00007FF6E98A0000-0x00007FF6EA772000-memory.dmp vmprotect -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: BLTools v2.9 [PRO].exe File opened (read-only) \??\F: BLTools v2.9 [PRO].exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 43 ip-api.com -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 4468 BLTools v2.9 [PRO].exe 4404 BLTools v2.9 [PRO].exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 4468 BLTools v2.9 [PRO].exe 4468 BLTools v2.9 [PRO].exe 4468 BLTools v2.9 [PRO].exe 4468 BLTools v2.9 [PRO].exe 4468 BLTools v2.9 [PRO].exe 4468 BLTools v2.9 [PRO].exe 4468 BLTools v2.9 [PRO].exe 4468 BLTools v2.9 [PRO].exe 4404 BLTools v2.9 [PRO].exe 4404 BLTools v2.9 [PRO].exe 4404 BLTools v2.9 [PRO].exe 4404 BLTools v2.9 [PRO].exe 4404 BLTools v2.9 [PRO].exe 4404 BLTools v2.9 [PRO].exe 4404 BLTools v2.9 [PRO].exe 4404 BLTools v2.9 [PRO].exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1488 7zFM.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeRestorePrivilege 1488 7zFM.exe Token: 35 1488 7zFM.exe Token: SeSecurityPrivilege 1488 7zFM.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1488 7zFM.exe 1488 7zFM.exe
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\BLTools_v2.9__PRO_.zip"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1488
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5028
-
C:\Users\Admin\Desktop\BLTools v2.9 [PRO]\BLTools v2.9 [PRO].exe"C:\Users\Admin\Desktop\BLTools v2.9 [PRO]\BLTools v2.9 [PRO].exe"1⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4468
-
C:\Users\Admin\Desktop\BLTools v2.9 [PRO]\BLTools v2.9 [PRO].exe"C:\Users\Admin\Desktop\BLTools v2.9 [PRO]\BLTools v2.9 [PRO].exe"1⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4404
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7zE0D5792A8\BLTools v2.9 [PRO]\[Results] Cookies Checker\[16.04.2024] [12.42.58]LOGI 2\YouTube\NoSubscribers.txt
Filesize8KB
MD50847bf790b4d7ec5c05bf5ecf911d3b4
SHA16740f67e54ca510b34fbc7e959e062cc004d9c4d
SHA2568777ed29ad8d3c4fcd45d9e55dd6ce072a32227198ff6ce7bcbdaaa7b5d23055
SHA512c8ad15124e66eb46a39f42c883b8c6d0241affefa2c77957878b39c49533147da0e3be4c1e31fb1579574c6fc98899ab61d46669aaf04a04dacccd81d6f5d998
-
C:\Users\Admin\AppData\Local\Temp\7zE0D5792A8\BLTools v2.9 [PRO]\[Results] Cookies Checker\[16.04.2024] [12.42.58]LOGI 2\YouTube\Sorted by Year\2023\[0 sub] [0 videos] [0 views] [monetize false] [brand false] [1 channels] [Дата регистрации 20 нояб. 2023 г.].txt
Filesize2KB
MD5bef31f66287ccd0f96bc48f105538573
SHA105fa574f3a934b69bf4ba3a07626d408ae5ee2e5
SHA256fcd18d5be13b029daa30f1045c25c15c180642e514de3a84a11620cde73fd279
SHA512bf23aa02241549a04abd0d6832e637a672b241e873d9eec58b22f4841d6d8cf6086053ec1501496f32943e328462c69843d13f951eb0eed719d3e2ba0c07f0d9
-
C:\Users\Admin\AppData\Local\Temp\7zE0D5792A8\BLTools v2.9 [PRO]\[Results] Cookies Checker\[16.04.2024] [12.42.58]LOGI 2\YouTube\Subscribers\[11 sub] [4 videos] [47 views] [monetize false] [brand false] [1 channels] [Joined Jan 24, 2015].txt
Filesize3KB
MD501e104c694b1a15a6eda3c381f424e12
SHA19b960d2573b71f60605e10e6113c92aedf21c89e
SHA25689c11a75bbf7fcc2010309b687e47a11b73d5c6ea3933f942cacca573b8164e0
SHA5125376068d78c10cc6b6bc5315893ec66938bf68a90be029f4c9a7907c71d9569f34ec420fb58b3c567eed60d236c6092debc5c83d608049b524419e2946ad9f9c
-
Filesize
20KB
MD517141355c3716c4dbbdf5d4e61c3a8ef
SHA18f90ca8eb5296ff1564d8dc6b6a693e977d998d4
SHA25686410035eef0cfc78737f7b84a8d287dbca5667aadeabf2e2f9d65c82b7bb604
SHA512eae25322290fc6325dce38f841cbf86ec7beba242111d8317c1748ea363007451b78fcaff5b7682043e0c751c58d60378ee5a604db2821a465a3b56d788a4cd6
-
Filesize
40KB
MD5a182561a527f929489bf4b8f74f65cd7
SHA18cd6866594759711ea1836e86a5b7ca64ee8911f
SHA25642aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA5129bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
-
Filesize
114KB
MD5a1eeb9d95adbb08fa316226b55e4f278
SHA1b36e8529ac3f2907750b4fea7037b147fe1061a6
SHA2562281f98b872ab5ad2d83a055f3802cbac4839f96584d27ea1fc3060428760ba7
SHA512f26de5333cf4eaa19deb836db18a4303a8897bf88bf98bb78c6a6800badbaa7ab6aeb6444bbbe0e972a5332670bdbb474565da351f3b912449917be21af0afb8
-
Filesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
Filesize
48B
MD5c5e3aa907426fce5f7dda2f67f6e9feb
SHA105a026e79141a612fdd6882e2a3ab9e15d3b7d6d
SHA25695c0e9ff6ff316f20aa3f151fbbcfa9163acc5c54628ad711bc5049c089e2d24
SHA512666c08f6cea97996d9dfd8a8d200f3d7f2362767014d695102f2fd5a1e2922987a1ec2359b7a7d0f6a6407a70a84446c18dacbd0f0b6f7a779176ffb636d15da
-
Filesize
259B
MD59ecdc35931fce5dbafcd776ae6f83767
SHA17f3e5aee4cf1aeab7f461fa031783d5d47dc1869
SHA2563c4065cc757b362d99eaee6c471230e508a3f6ae8892008750ee421a1919d770
SHA51254dadd19670308ff983ae0259cf05c4f4ce136be14edd710d9757a91a2bfc8b3d7cf7c9c39d215c3fb310b6eafdd58d00fd2fdf0dd5dd401d148ab6e43eaf524
-
Filesize
332B
MD5af4ef06b14d449c0617e565f43adcccc
SHA1b6abd8c514e63c954cb5a24dcc329b3d57c7717b
SHA256d718d3f46d79f858fab1028d390be017f93973270864979a797bf4a04e8b9a4c
SHA512ce42985ccb8e172149177623709ee26701e935507515875d7006cb864b76285c60af6f268062cb079d0d2adce8ca9bcffdcb2f49bc701726b7d3cc0b6e790dda
-
Filesize
2B
MD5e1c06d85ae7b8b032bef47e42e4c08f9
SHA171853c6197a6a7f222db0f1978c7cb232b87c5ee
SHA25675a11da44c802486bc6f65640aa48a730f0f684c5c07a42ba3cd1735eb3fb070
SHA512016ba8c4cfde65af99cb5fa8b8a37e2eb73f481b3ae34991666df2e04feb6c038666ebd1ec2b6f623967756033c702dde5f423f7d47ab6ed1827ff53783731f7
-
Filesize
296KB
MD57b7778aa8ebb09809b9dc829405b4ddb
SHA1ca766fe31c4bbf970fcf91916703d073253c61d5
SHA256a077325211d69f2baf13cf1e684d171556360f55f87b5d12c670d4b2ee1b06e0
SHA51244e587a5cab1cf122814b9f85b8996bf54a7e0ff445b649ef7a9ed77db695c6b97a1247040bf9fa51a0ebfc7baef9591e161b32a92f29d8f11e28c7c14ae9e0c
-
Filesize
7.1MB
MD5bef86c9792f7f8bc658ca1d1bce63c60
SHA1d7d3fe3ae1e950cd4192d46a0bf6505ec3858689
SHA2562ebfc2838c33ff2fc3547369bf0e8bcdfe41c245ede9241602f44afbf7c3cfdb
SHA5126ec05fa9bd6ab5c8f1aaa323c81d9f8ae5905a9dba4c511a57c473f568fa551115442ac325547beaecb5c9813446689be37e0485a8fa78f03bf9e82386a93de7