lucastealer | 8dd2cdf040b50cc04a10861b61c2e74139974df405344bfe833d83798dd4ea54

Analysis

max time kernel
93s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2025, 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6950eb2bd04f9a5d84adb5ac4f5d78b8a76d2beef553e5d1d54b4388f15061e7.exe
Size

6.0MB
MD5

febc63e02763cd676b1446b024639b81
SHA1

23c29ea38ed641f9926193befb1ac1a8c3e7d4e6
SHA256

6950eb2bd04f9a5d84adb5ac4f5d78b8a76d2beef553e5d1d54b4388f15061e7
SHA512

93a5e23859db3a29e2a34f6709566a79a1cd2b0f0ad7d6bf4efe34dbdd784e520bc06776e1ea00a13ceba95ac1ee2ea38d0eec4abbed4e15d2a334dc36d8a881
SSDEEP

49152:6Y3oQWF4WcPgM4+K2RjJjtE4HAZrGadSZMRPaThP46IPyIcju8HwQKpOlC6Z+Xe:6+5Nri4Uaad5Ml0ojeUEbkJA+Kxh

Score

10^/10

lucastealer credential_access spyware stealer

Malware Config

Signatures

Luca Stealer
Info stealer written in Rust first seen in July 2022.
stealer lucastealer
Lucastealer family
lucastealer
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	6950eb2bd04f9a5d84adb5ac4f5d78b8a76d2beef553e5d1d54b4388f15061e7.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ip-api.com

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4632	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2148	6950eb2bd04f9a5d84adb5ac4f5d78b8a76d2beef553e5d1d54b4388f15061e7.exe
2148	6950eb2bd04f9a5d84adb5ac4f5d78b8a76d2beef553e5d1d54b4388f15061e7.exe
2148	6950eb2bd04f9a5d84adb5ac4f5d78b8a76d2beef553e5d1d54b4388f15061e7.exe
2148	6950eb2bd04f9a5d84adb5ac4f5d78b8a76d2beef553e5d1d54b4388f15061e7.exe
2148	6950eb2bd04f9a5d84adb5ac4f5d78b8a76d2beef553e5d1d54b4388f15061e7.exe
2148	6950eb2bd04f9a5d84adb5ac4f5d78b8a76d2beef553e5d1d54b4388f15061e7.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 4064	2148	6950eb2bd04f9a5d84adb5ac4f5d78b8a76d2beef553e5d1d54b4388f15061e7.exe	92
PID 2148 wrote to memory of 4064	2148	6950eb2bd04f9a5d84adb5ac4f5d78b8a76d2beef553e5d1d54b4388f15061e7.exe	92
PID 4064 wrote to memory of 4632	4064	cmd.exe	94
PID 4064 wrote to memory of 4632	4064	cmd.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6950eb2bd04f9a5d84adb5ac4f5d78b8a76d2beef553e5d1d54b4388f15061e7.exe
"C:\Users\Admin\AppData\Local\Temp\6950eb2bd04f9a5d84adb5ac4f5d78b8a76d2beef553e5d1d54b4388f15061e7.exe"
1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c "schtasks /Create /TR C:\Users\Admin\AppData\Roaming\svchost.exe /SC ONLOGON /TN RecordArchive /IT"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4064
- - C:\Windows\system32\schtasks.exe
    schtasks /Create /TR C:\Users\Admin\AppData\Roaming\svchost.exe /SC ONLOGON /TN RecordArchive /IT
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\en-US-212.102.63.147-[Admin].zip

Filesize
608KB

MD5
00e499214f438318421df71be9a026ae

SHA1
01154a12e52945ecad7f07023a4a747c2c42c6fd

SHA256
a24075453da4f613f78cba7e75dc7c0fb79a1f7ee4284bf3fc664c23cecf7f47

SHA512
25c34d08b95c6ace812a5a1603a687326bc52156967ebd79e0b3735f1ac25bfd101d2cb2deefc5031d92892ff0b2ee637b1f57d26c9f81bbe5392fd5a3052a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\sensfiles.zip

Filesize
131KB

MD5
5490529bf689932441c2117a28795d25

SHA1
866d6fc677db94c63a4fe8ed61fb408ac5beeca7

SHA256
66be1af8d6b7893c970eb84efdbb4ca8c69261831e7584b9531e9e126b0d11ea

SHA512
0c48d9b14543abb55c42113171a9e23133271b7a131e52ee2d8aa960e9fa156c047918ffc204753f7e868e449d10f76668b1080dcfd311fe9bf9570c26cfc19e

Download Submit