lucastealer | aafde59bd18e2ea55967da235f68985cbd0e17cd39ae625fd5fae8ce001a4c4b

General

Target

BLTools v2.7.1 [PRO2].zip
Size

13.8MB
Sample

250106-jptrxa1kav
MD5

01952f721e3cebff244c689b5cd24756
SHA1

d77afa2071c5487b0cc39243a75e1aaab082975c
SHA256

aafde59bd18e2ea55967da235f68985cbd0e17cd39ae625fd5fae8ce001a4c4b
SHA512

93259ccbd91be6f62fc1b2b0d818773702a2166835dff67eab33ee27537ed452f38e61dcc6651d328d87011fb38cb243aca99ffdc78fa3b66f19fa48ae75fe53
SSDEEP

196608:DCKyX8k4lfzoILWsniW8lnJ45/9iD54+V11bFv4zmkt/P:Gtskkb1LWsnk+h

Score

10^/10

Malware Config

Extracted

Family

risepro

C2

193.233.254.67:50500

Targets

- Target
  
  BLTools v2.7.1 [PRO2].zip
- Size
  
  13.8MB
- MD5
  
  01952f721e3cebff244c689b5cd24756
- SHA1
  
  d77afa2071c5487b0cc39243a75e1aaab082975c
- SHA256
  
  aafde59bd18e2ea55967da235f68985cbd0e17cd39ae625fd5fae8ce001a4c4b
- SHA512
  
  93259ccbd91be6f62fc1b2b0d818773702a2166835dff67eab33ee27537ed452f38e61dcc6651d328d87011fb38cb243aca99ffdc78fa3b66f19fa48ae75fe53
- SSDEEP
  
  196608:DCKyX8k4lfzoILWsniW8lnJ45/9iD54+V11bFv4zmkt/P:Gtskkb1LWsnk+h
Score

10^/10

lucastealer risepro credential_access defense_evasion discovery motw phishing spyware stealer vmprotect
- Luca Stealer
  Info stealer written in Rust first seen in July 2022.
  stealer lucastealer
- Lucastealer family
  lucastealer
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Risepro family
  risepro
- Downloads MZ/PE file
- A potential corporate email address has been identified in the URL: currency-file@1
  phishing
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Mark of the Web detected: This indicates that the page was originally saved or cloned.
  phishing motw
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1