Malware Analysis Report

2025-01-22 12:57

Sample ID 241228-f4jzgawlet
Target Cryptor.rar
SHA256 3c929d7c2dfe5638f93422aa26f6b6ef06624d0f8daa49887db9aac351d7b9d4
Tags
office04 upx quasar lucastealer credential_access execution spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3c929d7c2dfe5638f93422aa26f6b6ef06624d0f8daa49887db9aac351d7b9d4

Threat Level: Known bad

The file Cryptor.rar was found to be: Known bad.

Malicious Activity Summary

office04 upx quasar lucastealer credential_access execution spyware stealer

Luca Stealer

Quasar family

Luca Stealer payload

Lucastealer family

Quasar payload

Unsecured Credentials: Credentials In Files

Executes dropped EXE

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

UPX packed file

Command and Scripting Interpreter: PowerShell

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-28 05:25

Signatures

Luca Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

Lucastealer family

lucastealer

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-28 05:25

Reported

2024-12-28 05:26

Platform

win10ltsc2021-20241211-en

Max time kernel

31s

Max time network

32s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Cryptor.rar"

Signatures

Luca Stealer

stealer lucastealer

Luca Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Lucastealer family

lucastealer

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Cryptor\Cryptor.exe N/A
N/A N/A C:\Users\Admin\Desktop\Cryptor\Cryptor.exe N/A

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Cryptor.rar"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\Cryptor\Cryptor.exe

"C:\Users\Admin\Desktop\Cryptor\Cryptor.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "Get-Culture | Select -ExpandProperty DisplayName"

C:\Users\Admin\Desktop\Cryptor\Cryptor.exe

"C:\Users\Admin\Desktop\Cryptor\Cryptor.exe" C:\Users\Admin\Desktop\Cryptor\Client-built.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "Get-Culture | Select -ExpandProperty DisplayName"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 134.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 ipwho.is udp
US 8.8.8.8:53 checkappexec.microsoft.com udp
GB 172.165.61.93:443 checkappexec.microsoft.com tcp
DE 195.201.57.90:443 ipwho.is tcp
US 8.8.8.8:53 93.61.165.172.in-addr.arpa udp
US 8.8.8.8:53 90.57.201.195.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
DE 195.201.57.90:443 ipwho.is tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
FR 20.74.47.205:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp

Files

C:\Users\Admin\Desktop\Cryptor\Cryptor.exe

MD5 be8d7f63ae91ef58a4853e9c5de5a5ff
SHA1 939236b40db18617f1dc9c603d50338f1145fdf7
SHA256 8f992b2af11e47c2bb264da9ee9089a90b9aa3566513d8e9128a4d0972d99724
SHA512 bfac67fd683ef0dc433c42cfce0066933344f728fe93b4cc9aeec30af27402f959534fb04fd5ca0fc2e4bfa87732091368b96b3340730c210dae6e480d0c1262

memory/1720-6-0x00007FF75D990000-0x00007FF75DCAC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zgzyeir3.hyl.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1396-16-0x00000295341B0000-0x00000295341D2000-memory.dmp

memory/1720-32-0x00007FF75D990000-0x00007FF75DCAC000-memory.dmp

memory/3912-34-0x00007FF75D990000-0x00007FF75DCAC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 82f4c2ce7d9fb1714ec9b06631f0918d
SHA1 e478fe32dfd808710fafb4d6f133c3407a3785af
SHA256 b1adc5a78a6738a79ef24c29995d264b530fd90404be9bdf234a276052ac6725
SHA512 4a9ba37946ac4de4993f8793b0018c0e5100cfa62e141bd8a62c4ee14419a963f1bca88d66d2316d857afe2e70168eb16c2f73eec3d19c2a4a9f4c3bdbfe9498

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 abb7b6fba8cbdcba40db2056955cc206
SHA1 456f4a46b019a71a086225fb1dc52229fbd3effd
SHA256 4c7d520ae2c83ed9b3f190ea62bd99a2063d4a1a85293caca12562dee265ac7c
SHA512 fb29412580cbd07b99d6e328db9f6d991e6997adb2180929ef4833c6035df43dbac47bf4cc7c4499c6b95bb71c9561cdccc2d857fa638f325325655afd3a52e5

C:\Users\Admin\AppData\Local\Temp\sensfiles.zip

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\fEvu4xLkb6uKUbRQt8RLiyslNWf8se\user_info.txt

MD5 292f271780eb6fef5c0befdb6f2be912
SHA1 e489f8f862213dbcd31e74f9142f4b9480dca757
SHA256 4ce4ce91124e321c9de4a308ed55598af3212aa53412d08d1a5262664c647c6b
SHA512 37ef595a954f8065164b08bdc67f7661cbec88b58b17f400e29ccb03626348c69f0bd54181aa23a0f1a0cf79192ea296a1331825b92d578a4eb837d01a4cd12a

C:\Users\Admin\AppData\Local\Temp\out.zip

MD5 f0ef5e9c625ecdf89c54af870e4022e4
SHA1 c6c50555011c73ac580b9a28413692e80975b1d2
SHA256 13a9783a48c17175cbfcfbbecd222534b4ec605a2669b25a5807e43946809539
SHA512 4d0731b3fc0eabe8f7aa6565c0f396204fcd865e45c4fade9ae1c5240acc34e3c759a442a6e9d872558f45438f9fcf208a43f4ffa6e8d4a8f405f6c867c96c0b

memory/3912-62-0x00007FF75D990000-0x00007FF75DCAC000-memory.dmp