lucastealer | 989af492fa898868e67636bf47e06a7c5864f31849fc3b3a07b07e7a3a62d944[.]zip

Sharing

Copy URL

Twitter E-mail

General

Target

989af492fa898868e67636bf47e06a7c5864f31849fc3b3a07b07e7a3a62d944.zip
Size

1.6MB
MD5

397d1eeed1b3cef9f3fc05c25a4d070d
SHA1

cba79697df168939fac3056fcd3924329ce04e04
SHA256

ff9c2ad53217ff19274a9e34a74357102890857ce698a5c66c3cce2d0cc6cd23
SHA512

5bae24121d0e8111634ad5e8813b1ab28731792105862204c0507717adf4866248cf4c7e7e5d5a5ad74bdc6778cfab113acf6ff2f469f454db950a1c7153d375
SSDEEP

49152:0AEIsWfodv412VdXXxw6VF5gvXo2yl/hKfgpcqG85w:0AEWwE6BdLiXZyl/EopcuW

Score

10^/10

lucastealer

Malware Config

Signatures

Luca Stealer payload 1 IoCs

resource	yara_rule
static1/unpack001/989af492fa898868e67636bf47e06a7c5864f31849fc3b3a07b07e7a3a62d944	family_lucastealer

Lucastealer family
lucastealer

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/989af492fa898868e67636bf47e06a7c5864f31849fc3b3a07b07e7a3a62d944

Files

989af492fa898868e67636bf47e06a7c5864f31849fc3b3a07b07e7a3a62d944.zip
.zip

Password: infected
989af492fa898868e67636bf47e06a7c5864f31849fc3b3a07b07e7a3a62d944
.exe windows:6 windows x64 arch:x64

Password: infected

9ee638580f9771af3dc4c446e1a6db71

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

rust_stealer_xss.pdb

Imports

api-ms-win-core-synch-l1-2-0

WakeByAddressSingle
WakeByAddressAll
WaitOnAddress

bcryptprimitives

ProcessPrng

kernel32

FormatMessageW
lstrlenW
GetEnvironmentVariableW
GetTempPathW
GetModuleFileNameW
CreateFileW
SetFileInformationByHandle
GetFileInformationByHandleEx
GetFullPathNameW
SetFilePointerEx
FindNextFileW
CreateDirectoryW
FindFirstFileW
QueryPerformanceFrequency
GetTimeZoneInformation
SystemTimeToFileTime
SystemTimeToTzSpecificLocalTime
GetEnvironmentStringsW
FreeEnvironmentStringsW
CompareStringOrdinal
GetSystemDirectoryW
GetWindowsDirectoryW
CreateProcessW
GetFileAttributesW
GetCurrentProcess
DuplicateHandle
InitializeProcThreadAttributeList
UpdateProcThreadAttribute
DeleteProcThreadAttributeList
GetCurrentProcessId
CreateNamedPipeW
CreateThread
WriteFileEx
SleepEx
ReadFileEx
CreateEventW
CancelIo
ReadFile
QueryPerformanceCounter
HeapAlloc
GetProcessHeap
GetCurrentDirectoryW
RtlCaptureContext
RtlLookupFunctionEntry
GetProcAddress
LoadLibraryA
CreateMutexA
ReleaseMutex
RtlVirtualUnwind
WideCharToMultiByte
CopyFileExW
PostQueuedCompletionStatus
FileTimeToSystemTime
GetSystemTimeAsFileTime
GetModuleHandleA
WriteConsoleW
MultiByteToWideChar
UnhandledExceptionFilter
GetExitCodeProcess
WaitForSingleObject
GetConsoleMode
GetStdHandle
AddVectoredExceptionHandler
FlushFileBuffers
GetTickCount
MapViewOfFile
CreateFileMappingW
FormatMessageA
GetSystemTime
FreeLibrary
GetFileSize
LockFileEx
LocalFree
UnlockFile
HeapDestroy
HeapCompact
LoadLibraryW
DeleteFileW
DeleteFileA
CreateFileA
FlushViewOfFile
OutputDebugStringW
GetFileAttributesExW
GetFileAttributesA
GetDiskFreeSpaceA
GetTempPathA
Sleep
HeapSize
HeapValidate
UnmapViewOfFile
CreateMutexW
UnlockFileEx
SetEndOfFile
GetFullPathNameA
SetFilePointer
LockFile
OutputDebugStringA
GetDiskFreeSpaceW
WriteFile
HeapCreate
AreFileApisANSI
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
TryEnterCriticalSection
DeleteCriticalSection
GetCurrentThreadId
SetThreadStackGuarantee
SetHandleInformation
GetCurrentThread
SetUnhandledExceptionFilter
TerminateProcess
GetOverlappedResult
GetModuleHandleW
GetFileInformationByHandle
SwitchToThread
SetLastError
GetFinalPathNameByHandleW
WaitForMultipleObjects
GetSystemInfo
GetSystemTimePreciseAsFileTime
GetLastError
GetQueuedCompletionStatusEx
FindClose
CloseHandle
HeapFree
IsProcessorFeaturePresent
InitializeSListHead
IsDebuggerPresent
HeapReAlloc
CreateIoCompletionPort
SetFileCompletionNotificationModes
WaitForSingleObjectEx

oleaut32

SafeArrayGetUBound
SafeArrayAccessData
SysAllocStringLen
SafeArrayDestroy
VariantClear
SysFreeString
SafeArrayUnaccessData
SafeArrayGetLBound

crypt32

CertCloseStore
CertDuplicateCertificateChain
CertAddCertificateContextToStore
CertEnumCertificatesInStore
CertOpenStore
CryptUnprotectData
CertVerifyCertificateChainPolicy
CertFreeCertificateChain
CertGetCertificateChain
CertDuplicateCertificateContext
CertDuplicateStore
CertFreeCertificateContext

ole32

CoInitializeSecurity
CoInitializeEx
CoCreateInstance
CoSetProxyBlanket

advapi32

CheckTokenMembership
RegCloseKey
FreeSid
RegOpenKeyExW
RegQueryValueExW
AllocateAndInitializeSid

user32

EnumDisplayMonitors
EnumDisplaySettingsExW
GetMonitorInfoW

gdi32

DeleteObject
CreateCompatibleDC
CreateCompatibleBitmap
SelectObject
SetStretchBltMode
StretchBlt
CreateDCW
GetDeviceCaps
DeleteDC
GetDIBits
GetObjectW

ntdll

RtlNtStatusToDosError
NtDeviceIoControlFile
NtCreateFile
NtWriteFile
NtReadFile
NtCancelIoFileEx

bcrypt

BCryptGenRandom

ws2_32

getsockopt
closesocket
bind
setsockopt
ioctlsocket
WSAIoctl
freeaddrinfo
connect
getsockname
WSAGetLastError
getpeername
WSASocketW
getaddrinfo
WSASend
WSAStartup
WSACleanup
recv
send
shutdown

secur32

FreeContextBuffer
DeleteSecurityContext
FreeCredentialsHandle
EncryptMessage
AcquireCredentialsHandleA
QueryContextAttributesW
AcceptSecurityContext
InitializeSecurityContextW
DecryptMessage
ApplyControlToken

vcruntime140

memmove
memcmp
memset
__CxxFrameHandler3
strrchr
__current_exception_context
__current_exception
__C_specific_handler
memcpy

api-ms-win-crt-string-l1-1-0

strncmp
strcspn
strcmp
strlen

api-ms-win-crt-heap-l1-1-0

_set_new_mode
realloc
_msize
malloc
free

api-ms-win-crt-utility-l1-1-0

_rotl64
qsort

api-ms-win-crt-time-l1-1-0

_localtime64_s

api-ms-win-crt-math-l1-1-0

log
__setusermatherr
_dclass

api-ms-win-crt-runtime-l1-1-0

_get_initial_narrow_environment
_configure_narrow_argv
_initterm_e
exit
_exit
_set_app_type
_seh_filter_exe
__p___argc
_initialize_narrow_environment
__p___argv
_cexit
_c_exit
_register_thread_local_exe_atexit_callback
_endthreadex
_beginthreadex
_initterm
_initialize_onexit_table
_register_onexit_function
_crt_atexit
terminate

api-ms-win-crt-stdio-l1-1-0

__p__commode
_set_fmode

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

Sections

.text
Size: 2.3MB - Virtual size: 2.3MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 756KB - Virtual size: 755KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 24KB - Virtual size: 27KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 57KB - Virtual size: 56KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 12KB - Virtual size: 11KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: infected

Password: infected

9ee638580f9771af3dc4c446e1a6db71

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

api-ms-win-core-synch-l1-2-0

bcryptprimitives

kernel32

oleaut32

crypt32

ole32

advapi32

user32

gdi32

ntdll

bcrypt

ws2_32

secur32

vcruntime140

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-locale-l1-1-0

Sections

.text Size: 2.3MB - Virtual size: 2.3MB

.rdata Size: 756KB - Virtual size: 755KB

.data Size: 24KB - Virtual size: 27KB

.pdata Size: 57KB - Virtual size: 56KB

.reloc Size: 12KB - Virtual size: 11KB

.text
Size: 2.3MB - Virtual size: 2.3MB

.rdata
Size: 756KB - Virtual size: 755KB

.data
Size: 24KB - Virtual size: 27KB

.pdata
Size: 57KB - Virtual size: 56KB

.reloc
Size: 12KB - Virtual size: 11KB