Malware Analysis Report

2025-03-15 06:05

Sample ID 250224-eevh8s1k17
Target Cryptor.exe
SHA256 94e3972742bf6477c34a0f073d6f4885cf8b58742f16aa8308ebffdf8b25763b
Tags
upx lucastealer credential_access execution spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

94e3972742bf6477c34a0f073d6f4885cf8b58742f16aa8308ebffdf8b25763b

Threat Level: Known bad

The file Cryptor.exe was found to be: Known bad.

Malicious Activity Summary

upx lucastealer credential_access execution spyware stealer

Luca Stealer payload

Luca Stealer

Lucastealer family

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Accesses cryptocurrency files/wallets, possible credential harvesting

UPX packed file

Unsigned PE

Command and Scripting Interpreter: PowerShell

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-24 03:51

Signatures

Luca Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

Lucastealer family

lucastealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-24 03:51

Reported

2025-02-24 03:52

Platform

win10v2004-20250217-en

Max time kernel

5s

Max time network

8s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Cryptor.exe"

Signatures

Luca Stealer

stealer lucastealer

Luca Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

Lucastealer family

lucastealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 820 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\Cryptor.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 820 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\Cryptor.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Cryptor.exe

"C:\Users\Admin\AppData\Local\Temp\Cryptor.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "Get-Culture | Select -ExpandProperty DisplayName"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipwho.is udp
DE 195.201.57.90:443 ipwho.is tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp

Files

memory/820-0-0x00007FF6651E0000-0x00007FF6654FC000-memory.dmp

memory/4452-1-0x00007FF8BE803000-0x00007FF8BE805000-memory.dmp

memory/4452-2-0x00007FF8BE800000-0x00007FF8BF2C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4vimmjx4.yr3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4452-3-0x0000026AD3480000-0x0000026AD34A2000-memory.dmp

memory/4452-16-0x00007FF8BE800000-0x00007FF8BF2C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7star_default_login_data

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\centbrowser_default_webdata

MD5 b28c7f7cff15a860603a1d6523afb720
SHA1 281af1b07b39c5b75f451d2d86bfd07b42054c39
SHA256 3df169b8995f5d21eefd5f2c1edb3a15f51dcaae38c2d16d1050b3c884c71f14
SHA512 f80e505c77286abb99aa03a3f25510cf0eb092892adb2fb02add9011c85362c8d215cd1225bc73a582f4b149bdedcbb1379ae1d48d320cc535cf20710be89af3

C:\Users\Admin\AppData\Local\Temp\centbrowser_network_cookies

MD5 4999bcdf2cefca409c7a5e0c3bb0ff8c
SHA1 234ae836bc14d48a7ddf14bf9e805e8fe41007f0
SHA256 2bbeb37e45487088edea498fc18a9ca66a7ea05b9347366165dc0ed49d3382be
SHA512 943cb1b046951e2bf9c5f78a70f210cf522399b68c03934a572b0652058b2ce0725c57b6ac1670a2047cd67dd42c5bc7cce10854c1aa9db00ac94a81cb2b522c

C:\Users\Admin\AppData\Local\Temp\centbrowser_default_login_data

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Temp\3Xt8iaICh1rD2gD9KC87vDeTZZY7mn\sensfiles.zip

MD5 fd5c1f2cb495b7b1297fdd7b9ced4a5b
SHA1 45c1694ec5dc02f0aad993dc9e1244e7c87e93c6
SHA256 e31306b45fe7358709490e061e55ca8022b786707467671d000ca966cd81de2a
SHA512 7ff077ccfc7c104efa17580cfffaf073c3b5c11e7ff4d1f36ada69373b82d34cdd5fd696ecc16ea42b92725734abb70e3d8d3ae72432355b6fcabc15b1ea0416

memory/820-139-0x00007FF6651E0000-0x00007FF6654FC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-24 03:51

Reported

2025-02-24 03:52

Platform

win10v2004-20250217-en

Max time kernel

4s

Max time network

5s

Command Line

"C:\Users\Admin\AppData\Local\Temp\out.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\out.exe

"C:\Users\Admin\AppData\Local\Temp\out.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp

Files

N/A