lucastealer | 3c929d7c2dfe5638f93422aa26f6b6ef06624d0f8daa49887db9aac351d7b9d4

General

Target

Cryptor.rar
Size

2.4MB
MD5

ef9f68af5f34a034d845dad9bdd07ea0
SHA1

3b49d6f588c159edd24f9141d9022e7b48c4ca40
SHA256

3c929d7c2dfe5638f93422aa26f6b6ef06624d0f8daa49887db9aac351d7b9d4
SHA512

22055cb369163c9d2f568597cdfec0d6e966f7c570ee8d7317c51a557cc82359dc20e0eb6db7a75be358fdec7bb3b13e7a18ddc572da962dc9fcf31197898531
SSDEEP

49152:TBYnZhZAnf0ELHn8173pGCxrdqO+MuM4x+OBx4grZO1qiWbvPvQIaa2NQ:dYnZkMqctpRxrdq7Q4trXO1M7Q42NQ

Score

10^/10

lucastealer credential_access execution spyware stealer upx

Malware Config

Signatures

Luca Stealer
Info stealer written in Rust first seen in July 2022.
stealer lucastealer

Luca Stealer payload 2 IoCs

resource	yara_rule
behavioral1/memory/1720-32-0x00007FF75D990000-0x00007FF75DCAC000-memory.dmp	family_lucastealer
behavioral1/memory/3912-62-0x00007FF75D990000-0x00007FF75DCAC000-memory.dmp	family_lucastealer

Lucastealer family
lucastealer

Executes dropped EXE 2 IoCs

pid	Process
1720	Cryptor.exe
3912	Cryptor.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00280000000460e5-5.dat	upx
behavioral1/memory/1720-6-0x00007FF75D990000-0x00007FF75DCAC000-memory.dmp	upx
behavioral1/memory/1720-32-0x00007FF75D990000-0x00007FF75DCAC000-memory.dmp	upx
behavioral1/memory/3912-34-0x00007FF75D990000-0x00007FF75DCAC000-memory.dmp	upx
behavioral1/memory/3912-62-0x00007FF75D990000-0x00007FF75DCAC000-memory.dmp	upx

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1396	powershell.exe
1292	powershell.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1396	powershell.exe
1396	powershell.exe
1292	powershell.exe
1292	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	4052	7zFM.exe
Token: 35	4052	7zFM.exe
Token: SeSecurityPrivilege	4052	7zFM.exe
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	1292	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4052	7zFM.exe
4052	7zFM.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 1396	1720	Cryptor.exe	92
PID 1720 wrote to memory of 1396	1720	Cryptor.exe	92
PID 3912 wrote to memory of 1292	3912	Cryptor.exe	98
PID 3912 wrote to memory of 1292	3912	Cryptor.exe	98

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Cryptor.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4052

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4724

C:\Users\Admin\Desktop\Cryptor\Cryptor.exe
"C:\Users\Admin\Desktop\Cryptor\Cryptor.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "Get-Culture | Select -ExpandProperty DisplayName"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1396

C:\Users\Admin\Desktop\Cryptor\Cryptor.exe
"C:\Users\Admin\Desktop\Cryptor\Cryptor.exe" C:\Users\Admin\Desktop\Cryptor\Client-built.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "Get-Culture | Select -ExpandProperty DisplayName"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
82f4c2ce7d9fb1714ec9b06631f0918d

SHA1
e478fe32dfd808710fafb4d6f133c3407a3785af

SHA256
b1adc5a78a6738a79ef24c29995d264b530fd90404be9bdf234a276052ac6725

SHA512
4a9ba37946ac4de4993f8793b0018c0e5100cfa62e141bd8a62c4ee14419a963f1bca88d66d2316d857afe2e70168eb16c2f73eec3d19c2a4a9f4c3bdbfe9498

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
abb7b6fba8cbdcba40db2056955cc206

SHA1
456f4a46b019a71a086225fb1dc52229fbd3effd

SHA256
4c7d520ae2c83ed9b3f190ea62bd99a2063d4a1a85293caca12562dee265ac7c

SHA512
fb29412580cbd07b99d6e328db9f6d991e6997adb2180929ef4833c6035df43dbac47bf4cc7c4499c6b95bb71c9561cdccc2d857fa638f325325655afd3a52e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zgzyeir3.hyl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fEvu4xLkb6uKUbRQt8RLiyslNWf8se\user_info.txt

Filesize
589B

MD5
292f271780eb6fef5c0befdb6f2be912

SHA1
e489f8f862213dbcd31e74f9142f4b9480dca757

SHA256
4ce4ce91124e321c9de4a308ed55598af3212aa53412d08d1a5262664c647c6b

SHA512
37ef595a954f8065164b08bdc67f7661cbec88b58b17f400e29ccb03626348c69f0bd54181aa23a0f1a0cf79192ea296a1331825b92d578a4eb837d01a4cd12a

Download Submit
C:\Users\Admin\AppData\Local\Temp\out.zip

Filesize
5.8MB

MD5
f0ef5e9c625ecdf89c54af870e4022e4

SHA1
c6c50555011c73ac580b9a28413692e80975b1d2

SHA256
13a9783a48c17175cbfcfbbecd222534b4ec605a2669b25a5807e43946809539

SHA512
4d0731b3fc0eabe8f7aa6565c0f396204fcd865e45c4fade9ae1c5240acc34e3c759a442a6e9d872558f45438f9fcf208a43f4ffa6e8d4a8f405f6c867c96c0b

Download Submit
C:\Users\Admin\Desktop\Cryptor\Cryptor.exe

Filesize
1.4MB

MD5
be8d7f63ae91ef58a4853e9c5de5a5ff

SHA1
939236b40db18617f1dc9c603d50338f1145fdf7

SHA256
8f992b2af11e47c2bb264da9ee9089a90b9aa3566513d8e9128a4d0972d99724

SHA512
bfac67fd683ef0dc433c42cfce0066933344f728fe93b4cc9aeec30af27402f959534fb04fd5ca0fc2e4bfa87732091368b96b3340730c210dae6e480d0c1262

Download Submit
memory/1396-16-0x00000295341B0000-0x00000295341D2000-memory.dmp

Filesize
136KB

Download
memory/1720-6-0x00007FF75D990000-0x00007FF75DCAC000-memory.dmp

Filesize
3.1MB

Download
memory/1720-32-0x00007FF75D990000-0x00007FF75DCAC000-memory.dmp

Filesize
3.1MB

Download
memory/3912-34-0x00007FF75D990000-0x00007FF75DCAC000-memory.dmp

Filesize
3.1MB

Download
memory/3912-62-0x00007FF75D990000-0x00007FF75DCAC000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing