Malware Analysis Report

2025-01-22 12:57

Sample ID 241227-q8fsqawmaq
Target 7dbdb73c15410a9d439f49aa0cca0a65c9b5ff8660774892099effa546e943bd.zip
SHA256 77737acf7b607545af8db683f21880bdd1a79c5c17e25a8669a51987586ba7ee
Tags
lucastealer credential_access spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

77737acf7b607545af8db683f21880bdd1a79c5c17e25a8669a51987586ba7ee

Threat Level: Known bad

The file 7dbdb73c15410a9d439f49aa0cca0a65c9b5ff8660774892099effa546e943bd.zip was found to be: Known bad.

Malicious Activity Summary

lucastealer credential_access spyware stealer

Luca Stealer

Lucastealer family

Unsecured Credentials: Credentials In Files

Reads user/profile data of web browsers

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates connected drives

Unsigned PE

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-27 13:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-27 13:55

Reported

2024-12-27 13:58

Platform

win7-20240729-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7dbdb73c15410a9d439f49aa0cca0a65c9b5ff8660774892099effa546e943bd.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7dbdb73c15410a9d439f49aa0cca0a65c9b5ff8660774892099effa546e943bd.exe

"C:\Users\Admin\AppData\Local\Temp\7dbdb73c15410a9d439f49aa0cca0a65c9b5ff8660774892099effa546e943bd.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-27 13:55

Reported

2024-12-27 13:58

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7dbdb73c15410a9d439f49aa0cca0a65c9b5ff8660774892099effa546e943bd.exe"

Signatures

Luca Stealer

stealer lucastealer

Lucastealer family

lucastealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\7dbdb73c15410a9d439f49aa0cca0a65c9b5ff8660774892099effa546e943bd.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7dbdb73c15410a9d439f49aa0cca0a65c9b5ff8660774892099effa546e943bd.exe

"C:\Users\Admin\AppData\Local\Temp\7dbdb73c15410a9d439f49aa0cca0a65c9b5ff8660774892099effa546e943bd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.myip.ch udp
CH 62.2.148.19:80 www.myip.ch tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
CH 62.2.148.19:80 www.myip.ch tcp
N/A 127.0.0.1:52236 tcp
N/A 127.0.0.1:52244 tcp
US 8.8.8.8:53 19.148.2.62.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
N/A 127.0.0.1:52258 tcp
CH 62.2.148.19:80 www.myip.ch tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 182.129.81.91.in-addr.arpa udp

Files

N/A