Behavioral task
behavioral1
Sample
96509da4c19a7242e73ae867aace3f6896d566073f893b4fc96d7f0932b31657.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
96509da4c19a7242e73ae867aace3f6896d566073f893b4fc96d7f0932b31657.exe
Resource
win10v2004-20241007-en
General
-
Target
96509da4c19a7242e73ae867aace3f6896d566073f893b4fc96d7f0932b31657.zip
-
Size
2.6MB
-
MD5
b2400d6ad5da4c1c1ba4e32d29d819bf
-
SHA1
e6d916ca7bdca3c5b9f1991a0717096df03691e3
-
SHA256
c677da375b82c92e20bef56e12b54b860352be22f0b17e254ed9e2d0f5012f64
-
SHA512
818cfed25bb9dfd46102edba8bf8a3837f34496dcdf063e6d046cbb4714c07879555c082c127bbd2ee37573574199800c0bd36b463fe489bcb18faedd657f2da
-
SSDEEP
49152:Vj0HxgR3Fx+Ge18tpkpedIz+XVc0wvGzkssTEUkKvYqxW+O9UtynMgbJB5Vh8:KRO3Fx+50Ie4QW0Ut5wpKAq4+O9UMR3S
Malware Config
Extracted
lucastealer
https://api.telegram.org/bot5445127247:AAG4B4j8lqlaY8ZmuKVv8PhTM8fpz0VhAaM
Signatures
-
Lucastealer family
-
Unsigned PE — 1 IoC
Checks for missing Authenticode signature.
resource unpack001/96509da4c19a7242e73ae867aace3f6896d566073f893b4fc96d7f0932b31657
Files
-
96509da4c19a7242e73ae867aace3f6896d566073f893b4fc96d7f0932b31657.zip.zip
Password: infected
-
96509da4c19a7242e73ae867aace3f6896d566073f893b4fc96d7f0932b31657.exe windows:6 windows x64 arch:x64
Password: infected
4b1dec4e8779e2c7ad6ce92c84b5c9ac
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
secur32
LsaFreeReturnBuffer
LsaGetLogonSessionData
LsaEnumerateLogonSessions
kernel32
SetFileCompletionNotificationModes
GetSystemInfo
WakeConditionVariable
GetFileInformationByHandle
GetModuleHandleA
GetStdHandle
GetConsoleMode
WaitForSingleObject
WriteConsoleW
WaitForSingleObjectEx
LoadLibraryA
CreateMutexA
GetCurrentProcess
ReleaseMutex
GetEnvironmentVariableW
RtlLookupFunctionEntry
FormatMessageW
GetTempPathW
CreateFileW
DeviceIoControl
GetFullPathNameW
SetFilePointerEx
FindNextFileW
CreateDirectoryW
SetHandleInformation
CreateThread
ExitProcess
QueryPerformanceFrequency
QueryPerformanceCounter
GetSystemTimeAsFileTime
GetCurrentDirectoryW
RtlCaptureContext
AcquireSRWLockShared
FindClose
FindFirstFileW
CopyFileExW
GetProcessTimes
GetSystemTimes
GetProcessIoCounters
LocalFree
ReadProcessMemory
VirtualQueryEx
GetDriveTypeW
GetVolumeInformationW
GetDiskFreeSpaceExW
OpenProcess
GlobalMemoryStatusEx
PostQueuedCompletionStatus
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
SleepEx
GetQueuedCompletionStatusEx
GetTickCount
Sleep
MultiByteToWideChar
WideCharToMultiByte
MoveFileExA
GetEnvironmentVariableA
VerSetConditionMask
VerifyVersionInfoW
CreateFileA
GetFileSizeEx
ReadFile
RtlVirtualUnwind
FlushFileBuffers
MapViewOfFile
CreateFileMappingW
FormatMessageA
GetSystemTime
SystemTimeToFileTime
GetCurrentProcessId
GetFileSize
LockFileEx
UnlockFile
HeapDestroy
HeapCompact
LoadLibraryW
DeleteFileA
FlushViewOfFile
OutputDebugStringW
GetFileAttributesExW
GetFileAttributesA
GetDiskFreeSpaceA
GetTempPathA
HeapSize
HeapValidate
UnmapViewOfFile
GetFileAttributesW
CreateMutexW
UnlockFileEx
SetEndOfFile
GetFullPathNameA
SetFilePointer
LockFile
OutputDebugStringA
GetDiskFreeSpaceW
WriteFile
HeapCreate
AreFileApisANSI
InitializeCriticalSection
TryEnterCriticalSection
GetCurrentThreadId
TerminateProcess
TryAcquireSRWLockExclusive
GetFinalPathNameByHandleW
SleepConditionVariableSRW
GetModuleHandleW
HeapReAlloc
HeapFree
GetProcessHeap
HeapAlloc
SetLastError
GetCurrentThread
SetThreadStackGuarantee
AddVectoredExceptionHandler
DeleteFileW
SetFileInformationByHandle
GetFileInformationByHandleEx
SetUnhandledExceptionFilter
UnhandledExceptionFilter
CreateIoCompletionPort
FreeLibrary
GetProcAddress
LoadLibraryExW
GetComputerNameExW
GetLogicalDrives
GetTickCount64
GetUserPreferredUILanguages
WakeAllConditionVariable
GetLastError
ReleaseSRWLockShared
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
SwitchToThread
CloseHandle
IsProcessorFeaturePresent
InitializeSListHead
IsDebuggerPresent
GetSystemDirectoryA
advapi32
RegOpenKeyExW
SystemFunction036
OpenProcessToken
GetTokenInformation
LookupAccountSidW
GetUserNameW
CryptAcquireContextA
CryptReleaseContext
CryptGetHashParam
CryptGenRandom
CryptCreateHash
CryptHashData
CryptDestroyHash
RegQueryValueExW
ws2_32
getsockopt
WSACleanup
WSAStartup
freeaddrinfo
getaddrinfo
setsockopt
WSASocketW
bind
recvfrom
WSAGetLastError
getpeername
connect
WSAIoctl
WSACreateEvent
WSAEnumNetworkEvents
WSAEventSelect
WSAResetEvent
closesocket
ioctlsocket
WSACloseEvent
WSARecv
WSAWaitForMultipleEvents
htons
ntohs
socket
WSASetLastError
__WSAFDIsSet
accept
htonl
listen
select
shutdown
recv
send
getsockname
WSASend
crypt32
CryptQueryObject
CertFreeCertificateChain
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CertGetNameStringA
CertFindExtension
CertAddCertificateContextToStore
CryptDecodeObjectEx
PFXImportCertStore
CryptStringToBinaryA
CertFindCertificateInStore
CertCloseStore
CertFreeCertificateContext
CertGetEnhancedKeyUsage
CertEnumCertificatesInStore
CertOpenStore
CertGetCertificateChain
CertDuplicateCertificateContext
CryptUnprotectData
ntdll
NtCancelIoFileEx
NtQuerySystemInformation
NtCreateFile
NtDeviceIoControlFile
RtlGetVersion
RtlNtStatusToDosError
NtQueryInformationProcess
oleaut32
SafeArrayGetLBound
SafeArrayUnaccessData
SafeArrayGetUBound
SafeArrayAccessData
VariantClear
SysAllocString
SysFreeString
SysAllocStringLen
pdh
PdhCollectQueryData
PdhCloseQuery
PdhGetFormattedCounterValue
PdhRemoveCounter
PdhOpenQueryA
PdhAddEnglishCounterW
iphlpapi
GetIfTable2
GetIfEntry2
FreeMibTable
netapi32
NetUserGetLocalGroups
NetUserEnum
NetApiBufferFree
user32
EnumDisplaySettingsExW
EnumDisplayMonitors
GetMonitorInfoW
gdi32
GetObjectW
GetDIBits
StretchBlt
SetStretchBltMode
DeleteObject
CreateDCW
DeleteDC
CreateCompatibleBitmap
CreateCompatibleDC
SelectObject
GetDeviceCaps
shell32
CommandLineToArgvW
SHGetKnownFolderPath
ole32
CoUninitialize
CoTaskMemFree
CoInitializeEx
CoSetProxyBlanket
CoInitializeSecurity
CoCreateInstance
bcrypt
BCryptGenRandom
powrprof
CallNtPowerInformation
psapi
GetPerformanceInfo
GetModuleFileNameExW
EnumProcessModulesEx
vcruntime140
memchr
strstr
strchr
memcmp
memmove
__CxxFrameHandler3
memset
memcpy
__current_exception
__current_exception_context
__C_specific_handler
strrchr
api-ms-win-crt-string-l1-1-0
strncpy
wcslen
strcpy
strlen
tolower
strncmp
_strdup
strcspn
strpbrk
strspn
isupper
strcmp
api-ms-win-crt-heap-l1-1-0
calloc
malloc
free
realloc
_msize
_set_new_mode
api-ms-win-crt-runtime-l1-1-0
_cexit
__p___argv
__p___argc
__sys_nerr
_exit
exit
_initterm_e
_initterm
_c_exit
_initialize_narrow_environment
_configure_narrow_argv
_register_thread_local_exe_atexit_callback
_set_app_type
_seh_filter_exe
_endthreadex
_register_onexit_function
__sys_errlist
_crt_atexit
_wassert
abort
_errno
_get_initial_narrow_environment
_initialize_onexit_table
terminate
_beginthreadex
api-ms-win-crt-convert-l1-1-0
atoi
strtoul
strtoll
strtol
wcstombs
api-ms-win-crt-stdio-l1-1-0
_lseeki64
fputc
ftell
feof
_read
_write
_open
_close
__stdio_common_vsprintf
fopen
_set_fmode
__p__commode
__acrt_iob_func
fread
fwrite
fseek
fgets
fclose
fputs
__stdio_common_vsscanf
fflush
api-ms-win-crt-time-l1-1-0
_time64
_localtime64_s
_gmtime64
strftime
api-ms-win-crt-utility-l1-1-0
qsort
api-ms-win-crt-filesystem-l1-1-0
_access
_stat64
_unlink
_fstat64
api-ms-win-crt-math-l1-1-0
log
__setusermatherr
_dclass
api-ms-win-crt-locale-l1-1-0
_configthreadlocale
Sections
.text Size: 3.4MB - Virtual size: 3.4MB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 1.6MB - Virtual size: 1.6MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 26KB - Virtual size: 30KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 100KB - Virtual size: 100KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.rsrc Size: 110KB - Virtual size: 110KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 39KB - Virtual size: 39KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ