lucastealer | c838c451a5edbc8ab8bd38a3d8d37623e97fa2f109d60bb7fe7b91d80279dbb5

Analysis

max time kernel
106s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BLTools_v2.9__PRO_.zip
Size

9.9MB
MD5

8586f2582de2dac652004ce8818a7741
SHA1

6c940e8dbe7ddfd23ea0efb79087728651d1aa9f
SHA256

c838c451a5edbc8ab8bd38a3d8d37623e97fa2f109d60bb7fe7b91d80279dbb5
SHA512

ce7cefe5c485316f94ba9034df5839cbaf71f1013b9e78ef313c70427bae9245849a2aa9df05dfd38c47b8719ad00aca5b8f9ce0e8a6d3c7e874b56d003b5e33
SSDEEP

196608:7Zkf5xM9FU495KnWXeWYGLq2uFn440rzX5ub18l3V2aC2/5K5ZD7Reu7ZvTvwqVn:lxvnuWLqR440/pCQ3k4w5Z9ZvzwOSsm2

Score

10^/10

lucastealer credential_access spyware stealer vmprotect

Malware Config

Signatures

Luca Stealer
Info stealer written in Rust first seen in July 2022.
stealer lucastealer
Lucastealer family
lucastealer

Executes dropped EXE 2 IoCs

pid	Process
4468	BLTools v2.9 [PRO].exe
4404	BLTools v2.9 [PRO].exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x0007000000023ca8-395.dat	vmprotect
behavioral2/memory/4468-403-0x00007FF6E98A0000-0x00007FF6EA772000-memory.dmp	vmprotect
behavioral2/memory/4468-444-0x00007FF6E98A0000-0x00007FF6EA772000-memory.dmp	vmprotect
behavioral2/memory/4404-450-0x00007FF6E98A0000-0x00007FF6EA772000-memory.dmp	vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	BLTools v2.9 [PRO].exe
File opened (read-only)	\??\F:	BLTools v2.9 [PRO].exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
43	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4468	BLTools v2.9 [PRO].exe
4404	BLTools v2.9 [PRO].exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4468	BLTools v2.9 [PRO].exe
4468	BLTools v2.9 [PRO].exe
4468	BLTools v2.9 [PRO].exe
4468	BLTools v2.9 [PRO].exe
4468	BLTools v2.9 [PRO].exe
4468	BLTools v2.9 [PRO].exe
4468	BLTools v2.9 [PRO].exe
4468	BLTools v2.9 [PRO].exe
4404	BLTools v2.9 [PRO].exe
4404	BLTools v2.9 [PRO].exe
4404	BLTools v2.9 [PRO].exe
4404	BLTools v2.9 [PRO].exe
4404	BLTools v2.9 [PRO].exe
4404	BLTools v2.9 [PRO].exe
4404	BLTools v2.9 [PRO].exe
4404	BLTools v2.9 [PRO].exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1488	7zFM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	1488	7zFM.exe
Token: 35	1488	7zFM.exe
Token: SeSecurityPrivilege	1488	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1488	7zFM.exe
1488	7zFM.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\BLTools_v2.9__PRO_.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1488

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5028

C:\Users\Admin\Desktop\BLTools v2.9 [PRO]\BLTools v2.9 [PRO].exe
"C:\Users\Admin\Desktop\BLTools v2.9 [PRO]\BLTools v2.9 [PRO].exe"
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4468

C:\Users\Admin\Desktop\BLTools v2.9 [PRO]\BLTools v2.9 [PRO].exe
"C:\Users\Admin\Desktop\BLTools v2.9 [PRO]\BLTools v2.9 [PRO].exe"
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zE0D5792A8\BLTools v2.9 [PRO]\[Results] Cookies Checker\[16.04.2024] [12.42.58]LOGI 2\YouTube\NoSubscribers.txt

Filesize
8KB

MD5
0847bf790b4d7ec5c05bf5ecf911d3b4

SHA1
6740f67e54ca510b34fbc7e959e062cc004d9c4d

SHA256
8777ed29ad8d3c4fcd45d9e55dd6ce072a32227198ff6ce7bcbdaaa7b5d23055

SHA512
c8ad15124e66eb46a39f42c883b8c6d0241affefa2c77957878b39c49533147da0e3be4c1e31fb1579574c6fc98899ab61d46669aaf04a04dacccd81d6f5d998

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE0D5792A8\BLTools v2.9 [PRO]\[Results] Cookies Checker\[16.04.2024] [12.42.58]LOGI 2\YouTube\Sorted by Year\2023\[0 sub] [0 videos] [0 views] [monetize false] [brand false] [1 channels] [Дата регистрации 20 нояб. 2023 г.].txt

Filesize
2KB

MD5
bef31f66287ccd0f96bc48f105538573

SHA1
05fa574f3a934b69bf4ba3a07626d408ae5ee2e5

SHA256
fcd18d5be13b029daa30f1045c25c15c180642e514de3a84a11620cde73fd279

SHA512
bf23aa02241549a04abd0d6832e637a672b241e873d9eec58b22f4841d6d8cf6086053ec1501496f32943e328462c69843d13f951eb0eed719d3e2ba0c07f0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE0D5792A8\BLTools v2.9 [PRO]\[Results] Cookies Checker\[16.04.2024] [12.42.58]LOGI 2\YouTube\Subscribers\[11 sub] [4 videos] [47 views] [monetize false] [brand false] [1 channels] [Joined Jan 24, 2015].txt

Filesize
3KB

MD5
01e104c694b1a15a6eda3c381f424e12

SHA1
9b960d2573b71f60605e10e6113c92aedf21c89e

SHA256
89c11a75bbf7fcc2010309b687e47a11b73d5c6ea3933f942cacca573b8164e0

SHA512
5376068d78c10cc6b6bc5315893ec66938bf68a90be029f4c9a7907c71d9569f34ec420fb58b3c567eed60d236c6092debc5c83d608049b524419e2946ad9f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Google_cookies

Filesize
20KB

MD5
17141355c3716c4dbbdf5d4e61c3a8ef

SHA1
8f90ca8eb5296ff1564d8dc6b6a693e977d998d4

SHA256
86410035eef0cfc78737f7b84a8d287dbca5667aadeabf2e2f9d65c82b7bb604

SHA512
eae25322290fc6325dce38f841cbf86ec7beba242111d8317c1748ea363007451b78fcaff5b7682043e0c751c58d60378ee5a604db2821a465a3b56d788a4cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Google_login_data

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\Google_webdata

Filesize
114KB

MD5
a1eeb9d95adbb08fa316226b55e4f278

SHA1
b36e8529ac3f2907750b4fea7037b147fe1061a6

SHA256
2281f98b872ab5ad2d83a055f3802cbac4839f96584d27ea1fc3060428760ba7

SHA512
f26de5333cf4eaa19deb836db18a4303a8897bf88bf98bb78c6a6800badbaa7ab6aeb6444bbbe0e972a5332670bdbb474565da351f3b912449917be21af0afb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_login_data

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\out.zip

Filesize
48B

MD5
c5e3aa907426fce5f7dda2f67f6e9feb

SHA1
05a026e79141a612fdd6882e2a3ab9e15d3b7d6d

SHA256
95c0e9ff6ff316f20aa3f151fbbcfa9163acc5c54628ad711bc5049c089e2d24

SHA512
666c08f6cea97996d9dfd8a8d200f3d7f2362767014d695102f2fd5a1e2922987a1ec2359b7a7d0f6a6407a70a84446c18dacbd0f0b6f7a779176ffb636d15da

Download Submit
C:\Users\Admin\AppData\Local\logsxc\cookies_Google.txt

Filesize
259B

MD5
9ecdc35931fce5dbafcd776ae6f83767

SHA1
7f3e5aee4cf1aeab7f461fa031783d5d47dc1869

SHA256
3c4065cc757b362d99eaee6c471230e508a3f6ae8892008750ee421a1919d770

SHA512
54dadd19670308ff983ae0259cf05c4f4ce136be14edd710d9757a91a2bfc8b3d7cf7c9c39d215c3fb310b6eafdd58d00fd2fdf0dd5dd401d148ab6e43eaf524

Download Submit
C:\Users\Admin\AppData\Local\logsxc\info.txt

Filesize
332B

MD5
af4ef06b14d449c0617e565f43adcccc

SHA1
b6abd8c514e63c954cb5a24dcc329b3d57c7717b

SHA256
d718d3f46d79f858fab1028d390be017f93973270864979a797bf4a04e8b9a4c

SHA512
ce42985ccb8e172149177623709ee26701e935507515875d7006cb864b76285c60af6f268062cb079d0d2adce8ca9bcffdcb2f49bc701726b7d3cc0b6e790dda

Download Submit
C:\Users\Admin\AppData\Local\logsxc\passwords_Google.txt

Filesize
2B

MD5
e1c06d85ae7b8b032bef47e42e4c08f9

SHA1
71853c6197a6a7f222db0f1978c7cb232b87c5ee

SHA256
75a11da44c802486bc6f65640aa48a730f0f684c5c07a42ba3cd1735eb3fb070

SHA512
016ba8c4cfde65af99cb5fa8b8a37e2eb73f481b3ae34991666df2e04feb6c038666ebd1ec2b6f623967756033c702dde5f423f7d47ab6ed1827ff53783731f7

Download Submit
C:\Users\Admin\AppData\Local\logsxc\screen-1.png

Filesize
296KB

MD5
7b7778aa8ebb09809b9dc829405b4ddb

SHA1
ca766fe31c4bbf970fcf91916703d073253c61d5

SHA256
a077325211d69f2baf13cf1e684d171556360f55f87b5d12c670d4b2ee1b06e0

SHA512
44e587a5cab1cf122814b9f85b8996bf54a7e0ff445b649ef7a9ed77db695c6b97a1247040bf9fa51a0ebfc7baef9591e161b32a92f29d8f11e28c7c14ae9e0c

Download Submit
C:\Users\Admin\Desktop\BLTools v2.9 [PRO]\BLTools v2.9 [PRO].exe

Filesize
7.1MB

MD5
bef86c9792f7f8bc658ca1d1bce63c60

SHA1
d7d3fe3ae1e950cd4192d46a0bf6505ec3858689

SHA256
2ebfc2838c33ff2fc3547369bf0e8bcdfe41c245ede9241602f44afbf7c3cfdb

SHA512
6ec05fa9bd6ab5c8f1aaa323c81d9f8ae5905a9dba4c511a57c473f568fa551115442ac325547beaecb5c9813446689be37e0485a8fa78f03bf9e82386a93de7

Download Submit
memory/4404-450-0x00007FF6E98A0000-0x00007FF6EA772000-memory.dmp

Filesize
14.8MB

Download
memory/4468-444-0x00007FF6E98A0000-0x00007FF6EA772000-memory.dmp

Filesize
14.8MB

Download
memory/4468-443-0x00007FF6E9CE0000-0x00007FF6EA054000-memory.dmp

Filesize
3.5MB

Download
memory/4468-403-0x00007FF6E98A0000-0x00007FF6EA772000-memory.dmp

Filesize
14.8MB

Download
memory/4468-397-0x00007FFCBCD70000-0x00007FFCBCD72000-memory.dmp

Filesize
8KB

Download
memory/4468-398-0x00007FFCBCD80000-0x00007FFCBCD82000-memory.dmp

Filesize
8KB

Download
memory/4468-396-0x00007FF6E9CE0000-0x00007FF6EA054000-memory.dmp

Filesize
3.5MB

Download