lucastealer | 6950eb2bd04f9a5d84adb5ac4f5d78b8a76d2beef553e5d1d54b4388f15061e7[.]zip

Sharing

Copy URL

Twitter E-mail

General

Target

6950eb2bd04f9a5d84adb5ac4f5d78b8a76d2beef553e5d1d54b4388f15061e7.zip
Size

3.0MB
MD5

3b08d741dd94c71484d3f5b195afb808
SHA1

a588b0c0fd96aafb2b7672ba723b5097c8259484
SHA256

8dd2cdf040b50cc04a10861b61c2e74139974df405344bfe833d83798dd4ea54
SHA512

1acfb80e5698ba2e567d56fc75899b831c51e18001947dc678204e28dc029f1eef2219319d5d2c154fdf7a4b012daef77c3bc13a94346fed05efa38b4200250c
SSDEEP

49152:bX4zWcDcyOO2/Z0AbVTSRQVAJHDvmCwfeptgvlSOzQPyIHD/xx9N1xJ7XIyd6:bXpcDcqPHQVIDv5/olSTyI9xn3JLjk

Score

10^/10

lucastealer

Malware Config

Extracted

Family

lucastealer

https://api.telegram.org/bot5407817511:AAFZnZK5IkmmwWaj3vmtXlZX8y7VlT59v6Q

Signatures

Lucastealer family
lucastealer

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/6950eb2bd04f9a5d84adb5ac4f5d78b8a76d2beef553e5d1d54b4388f15061e7

Files

6950eb2bd04f9a5d84adb5ac4f5d78b8a76d2beef553e5d1d54b4388f15061e7.zip
.zip

Password: infected
6950eb2bd04f9a5d84adb5ac4f5d78b8a76d2beef553e5d1d54b4388f15061e7
.exe windows:6 windows x64 arch:x64

Password: infected

8165cdb35d04e3fd8f82e179f08008b5

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

secur32

DecryptMessage
QueryContextAttributesW
ApplyControlToken
AcquireCredentialsHandleA
AcceptSecurityContext
EncryptMessage
FreeCredentialsHandle
DeleteSecurityContext
FreeContextBuffer
LsaFreeReturnBuffer
LsaGetLogonSessionData
InitializeSecurityContextW
LsaEnumerateLogonSessions

kernel32

Sleep
MultiByteToWideChar
GlobalAlloc
GlobalLock
GlobalUnlock
GlobalFree
GetSystemInfo
GetUserPreferredUILanguages
GetTickCount64
GetLogicalDrives
GetComputerNameExW
LoadLibraryExW
GetProcAddress
FreeLibrary
GetFileInformationByHandleEx
SetFileInformationByHandle
GetModuleFileNameA
AddVectoredExceptionHandler
SetThreadStackGuarantee
GetCurrentThread
SetLastError
GlobalSize
WideCharToMultiByte
SleepConditionVariableSRW
WakeAllConditionVariable
GetModuleHandleW
HeapAlloc
GetProcessHeap
SwitchToThread
TryAcquireSRWLockExclusive
GetQueuedCompletionStatusEx
CreateIoCompletionPort
SetFileCompletionNotificationModes
WakeConditionVariable
AcquireSRWLockShared
ReleaseSRWLockShared
GetFileInformationByHandle
GetCurrentProcess
DuplicateHandle
GetModuleHandleA
GetStdHandle
GetConsoleMode
WaitForSingleObject
WriteConsoleW
WaitForSingleObjectEx
LoadLibraryA
CreateMutexA
ReleaseMutex
GetEnvironmentVariableW
RtlLookupFunctionEntry
FormatMessageW
GetTempPathW
GetModuleFileNameW
CreateFileW
DeviceIoControl
GetFullPathNameW
SetFilePointerEx
GetFinalPathNameByHandleW
FindNextFileW
CreateDirectoryW
SetHandleInformation
GetEnvironmentStringsW
FreeEnvironmentStringsW
CompareStringOrdinal
GetSystemDirectoryW
GetFileAttributesW
GetWindowsDirectoryW
CreateProcessW
HeapReAlloc
CreateNamedPipeW
CreateThread
ReadFileEx
SleepEx
WriteFileEx
QueryPerformanceFrequency
QueryPerformanceCounter
GetSystemTimeAsFileTime
GetCurrentDirectoryW
RtlCaptureContext
FindFirstFileW
CopyFileExW
OpenProcess
ReadProcessMemory
GetProcessTimes
VirtualQueryEx
GetSystemTimes
GetProcessIoCounters
LocalFree
GetDriveTypeW
GetVolumeInformationW
GetDiskFreeSpaceExW
GlobalMemoryStatusEx
PostQueuedCompletionStatus
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
GetSystemDirectoryA
GetTickCount
MoveFileExA
GetEnvironmentVariableA
VerSetConditionMask
VerifyVersionInfoW
CreateFileA
GetFileSizeEx
ReadFile
RtlVirtualUnwind
FlushFileBuffers
MapViewOfFile
CreateFileMappingW
FormatMessageA
GetSystemTime
SystemTimeToFileTime
GetFileSize
LockFileEx
UnlockFile
HeapDestroy
HeapCompact
LoadLibraryW
DeleteFileW
DeleteFileA
FlushViewOfFile
OutputDebugStringW
GetFileAttributesExW
GetFileAttributesA
GetDiskFreeSpaceA
GetTempPathA
HeapSize
HeapValidate
UnmapViewOfFile
CreateMutexW
UnlockFileEx
SetEndOfFile
GetFullPathNameA
SetFilePointer
LockFile
OutputDebugStringA
GetDiskFreeSpaceW
WriteFile
HeapCreate
AreFileApisANSI
InitializeCriticalSection
TryEnterCriticalSection
GetCurrentThreadId
FindClose
InitializeSListHead
IsProcessorFeaturePresent
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
ReleaseSRWLockExclusive
CloseHandle
AcquireSRWLockExclusive
HeapFree
IsDebuggerPresent
GetLastError
GetCurrentProcessId

ntdll

NtDeviceIoControlFile
RtlNtStatusToDosError
NtCancelIoFileEx
NtQueryInformationProcess
RtlGetVersion
NtQuerySystemInformation
NtCreateFile

advapi32

RegQueryValueExW
FreeSid
CryptDestroyHash
CryptHashData
CryptCreateHash
CryptGenRandom
CryptGetHashParam
CryptReleaseContext
CryptAcquireContextA
GetUserNameW
LookupAccountSidW
GetTokenInformation
OpenProcessToken
CheckTokenMembership
AllocateAndInitializeSid
RegOpenKeyExA
RegSetValueExA
RegCloseKey
SystemFunction036
RegOpenKeyExW

oleaut32

SysAllocString
VariantClear
SysFreeString
SafeArrayAccessData
SafeArrayGetUBound
SafeArrayGetLBound
SafeArrayUnaccessData
SysAllocStringLen

pdh

PdhAddEnglishCounterW
PdhOpenQueryA
PdhGetFormattedCounterValue
PdhCloseQuery
PdhRemoveCounter
PdhCollectQueryData

crypt32

CertFindExtension
CertEnumCertificatesInStore
CertDuplicateStore
CryptDecodeObjectEx
CertCreateCertificateChainEngine
CryptStringToBinaryA
CertGetNameStringA
CertAddCertificateContextToStore
CertDuplicateCertificateChain
CertFindCertificateInStore
CertVerifyCertificateChainPolicy
CertFreeCertificateChain
CertGetCertificateChain
PFXImportCertStore
CertDuplicateCertificateContext
CryptUnprotectData
CertCloseStore
CertFreeCertificateContext
CertGetEnhancedKeyUsage
CertOpenStore
CertFreeCertificateChainEngine
CryptQueryObject

user32

CloseClipboard
OpenClipboard
EnumDisplaySettingsExW
GetClipboardData
GetMonitorInfoW
EmptyClipboard
SetClipboardData
EnumDisplayMonitors

ole32

CoInitializeEx
CoCreateInstance
CoUninitialize
CoSetProxyBlanket
CoInitializeSecurity

iphlpapi

FreeMibTable
GetIfEntry2
GetIfTable2

netapi32

NetApiBufferFree
NetUserEnum
NetUserGetLocalGroups

gdi32

GetObjectW
CreateCompatibleDC
SetStretchBltMode
GetDIBits
DeleteDC
SelectObject
GetDeviceCaps
CreateDCW
DeleteObject
CreateCompatibleBitmap
StretchBlt

bcrypt

BCryptGenRandom

ws2_32

WSAResetEvent
WSAEventSelect
WSAEnumNetworkEvents
WSACreateEvent
WSACloseEvent
select
shutdown
htons
ntohs
recv
socket
getsockname
WSASend
WSARecv
getsockopt
WSACleanup
WSAStartup
freeaddrinfo
getaddrinfo
setsockopt
WSASocketW
bind
connect
ioctlsocket
WSAIoctl
closesocket
recvfrom
WSAGetLastError
WSASetLastError
__WSAFDIsSet
accept
htonl
listen
WSAWaitForMultipleEvents
send
getpeername

shell32

CommandLineToArgvW

powrprof

CallNtPowerInformation

psapi

EnumProcessModulesEx
GetPerformanceInfo
GetModuleFileNameExW

vcruntime140

strstr
memmove
memcmp
memchr
memcpy
__C_specific_handler
__current_exception
__current_exception_context
strchr
__CxxFrameHandler3
strrchr
memset

api-ms-win-crt-string-l1-1-0

strncmp
tolower
_strdup
wcslen
strcmp
strcpy
strcspn
strspn
strpbrk
strncpy
isupper
strlen

api-ms-win-crt-heap-l1-1-0

realloc
calloc
malloc
free
_msize
_set_new_mode

api-ms-win-crt-runtime-l1-1-0

abort
_endthreadex
_seh_filter_exe
_set_app_type
_beginthreadex
_configure_narrow_argv
_initialize_narrow_environment
_get_initial_narrow_environment
__sys_nerr
_initterm
__sys_errlist
exit
_exit
_wassert
__p___argc
terminate
_crt_atexit
_register_onexit_function
_initialize_onexit_table
__p___argv
_cexit
_c_exit
_register_thread_local_exe_atexit_callback
_errno
_initterm_e

api-ms-win-crt-convert-l1-1-0

wcstombs
strtoll
strtol
strtoul
atoi

api-ms-win-crt-stdio-l1-1-0

fwrite
fseek
fopen
__acrt_iob_func
fflush
__p__commode
__stdio_common_vsprintf
ftell
_lseeki64
fputc
_write
feof
fgets
fclose
_open
fputs
_set_fmode
_read
fread
_close
__stdio_common_vsscanf

api-ms-win-crt-time-l1-1-0

_gmtime64
_time64
_localtime64_s
strftime

api-ms-win-crt-utility-l1-1-0

qsort

api-ms-win-crt-filesystem-l1-1-0

_unlink
_fstat64
_access
_stat64

api-ms-win-crt-math-l1-1-0

__setusermatherr
log
_dclass

api-ms-win-crt-locale-l1-1-0

_configthreadlocale

Sections

.text
Size: 4.2MB - Virtual size: 4.2MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.6MB - Virtual size: 1.6MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 28KB - Virtual size: 31KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 101KB - Virtual size: 100KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 42KB - Virtual size: 42KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: infected

Password: infected

8165cdb35d04e3fd8f82e179f08008b5

Headers

DLL Characteristics

File Characteristics

Imports

secur32

kernel32

ntdll

advapi32

oleaut32

pdh

crypt32

user32

ole32

iphlpapi

netapi32

gdi32

bcrypt

ws2_32

shell32

powrprof

psapi

vcruntime140

api-ms-win-crt-string-l1-1-0

api-ms-win-crt-heap-l1-1-0

api-ms-win-crt-runtime-l1-1-0

api-ms-win-crt-convert-l1-1-0

api-ms-win-crt-stdio-l1-1-0

api-ms-win-crt-time-l1-1-0

api-ms-win-crt-utility-l1-1-0

api-ms-win-crt-filesystem-l1-1-0

api-ms-win-crt-math-l1-1-0

api-ms-win-crt-locale-l1-1-0

Sections

.text Size: 4.2MB - Virtual size: 4.2MB

.rdata Size: 1.6MB - Virtual size: 1.6MB

.data Size: 28KB - Virtual size: 31KB

.pdata Size: 101KB - Virtual size: 100KB

.reloc Size: 42KB - Virtual size: 42KB

.text
Size: 4.2MB - Virtual size: 4.2MB

.rdata
Size: 1.6MB - Virtual size: 1.6MB

.data
Size: 28KB - Virtual size: 31KB

.pdata
Size: 101KB - Virtual size: 100KB

.reloc
Size: 42KB - Virtual size: 42KB