lucastealer | c4be1cac2931cbdeceec83c648b6a57d7d9f8b2a1a384b14b56e3726116b12e2[.]zip

Sharing

Copy URL

Twitter E-mail

General

Target

c4be1cac2931cbdeceec83c648b6a57d7d9f8b2a1a384b14b56e3726116b12e2.zip
Size

2.7MB
MD5

229b509ed16b68a4c244b714f1c1f207
SHA1

774174ccc7fd31648324c6c924fdb76e842eb152
SHA256

57c0f2817a420818ee7cb6248d4dc73cbf3da005cecc702402c6d49e3d5274b8
SHA512

4d14df3617b148e20bf6df1a01bf535cf1f0acbce6e782e6e71e1374819ac2b15daf2aebf6339c39a78f4a2114a86555eddfa0cd737a43156534727a8d084b23
SSDEEP

49152:qMf6NDU0nf96Vyz+igz4aoGi2K3PtNqCd5vIYALeclkRNR6LZ:kNlb+iPGTUPzeYAOyZ

Score

10^/10

lucastealer

Malware Config

Extracted

Family

lucastealer

https://api.telegram.org/bot5659694192:AAFm4m__O5QDGizUpDxK2Q7lvAvGuN2DoOc

Signatures

Lucastealer family
lucastealer

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unpack001/c4be1cac2931cbdeceec83c648b6a57d7d9f8b2a1a384b14b56e3726116b12e2

Files

c4be1cac2931cbdeceec83c648b6a57d7d9f8b2a1a384b14b56e3726116b12e2.zip
.zip

Password: infected
c4be1cac2931cbdeceec83c648b6a57d7d9f8b2a1a384b14b56e3726116b12e2
.exe windows:6 windows x64 arch:x64

Password: infected

75af93aee870cf6b2274cb3d6a5ac263

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
InitializeSListHead
GetCurrentThreadId
TryEnterCriticalSection
InitializeCriticalSection
AreFileApisANSI
HeapCreate
WriteFile
GetDiskFreeSpaceW
IsDebuggerPresent
HeapFree
CloseHandle
FindClose
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
HeapReAlloc
GetLastError
GetSystemInfo
WakeAllConditionVariable
RemoveDirectoryW
GetModuleFileNameW
SetFileInformationByHandle
GetUserPreferredUILanguages
GetTickCount64
GetLogicalDrives
GetComputerNameExW
LoadLibraryExW
GetProcAddress
FreeLibrary
GetFileInformationByHandleEx
AddVectoredExceptionHandler
SetThreadStackGuarantee
HeapAlloc
GetProcessHeap
GetModuleHandleW
CreateFileW
SwitchToThread
TryAcquireSRWLockExclusive
GetQueuedCompletionStatusEx
CreateIoCompletionPort
SetFileCompletionNotificationModes
WakeConditionVariable
AcquireSRWLockShared
ReleaseSRWLockShared
GetFileInformationByHandle
GetCurrentProcess
DuplicateHandle
GetModuleHandleA
GetStdHandle
GetConsoleMode
WaitForSingleObject
WriteConsoleW
WaitForSingleObjectEx
LoadLibraryA
CreateMutexA
ReleaseMutex
SetLastError
GetEnvironmentVariableW
RtlLookupFunctionEntry
FormatMessageW
GetTempPathW
DeviceIoControl
GetFullPathNameW
SetFilePointerEx
GetFinalPathNameByHandleW
FindNextFileW
CreateDirectoryW
SetHandleInformation
CreateThread
GetCurrentThread
QueryPerformanceFrequency
QueryPerformanceCounter
GetSystemTimeAsFileTime
GetCurrentDirectoryW
RtlCaptureContext
FindFirstFileW
CopyFileExW
GetProcessTimes
GetSystemTimes
GetProcessIoCounters
ReadProcessMemory
LocalFree
OpenProcess
VirtualQueryEx
GetDriveTypeW
GetVolumeInformationW
GetDiskFreeSpaceExW
GlobalMemoryStatusEx
PostQueuedCompletionStatus
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
SleepEx
GetSystemDirectoryA
GetTickCount
Sleep
MultiByteToWideChar
WideCharToMultiByte
MoveFileExA
GetEnvironmentVariableA
VerSetConditionMask
VerifyVersionInfoW
CreateFileA
GetFileSizeEx
ReadFile
RtlVirtualUnwind
FlushFileBuffers
MapViewOfFile
CreateFileMappingW
FormatMessageA
GetSystemTime
SystemTimeToFileTime
GetCurrentProcessId
GetFileSize
LockFileEx
UnlockFile
HeapDestroy
HeapCompact
LoadLibraryW
DeleteFileW
DeleteFileA
FlushViewOfFile
OutputDebugStringW
GetFileAttributesExW
GetFileAttributesA
GetDiskFreeSpaceA
GetTempPathA
HeapSize
HeapValidate
UnmapViewOfFile
GetFileAttributesW
CreateMutexW
UnlockFileEx
SetEndOfFile
GetFullPathNameA
SetFilePointer
LockFile
OutputDebugStringA
GetSystemTimePreciseAsFileTime

kernelbase

SleepConditionVariableSRW
SetThreadDescription
WaitOnAddress
WakeByAddressSingle

psapi

GetModuleFileNameExW
GetPerformanceInfo

secur32

InitializeSecurityContextW
AcceptSecurityContext
SealMessage
ApplyControlToken
QueryContextAttributesW
DeleteSecurityContext
FreeContextBuffer
LsaFreeReturnBuffer
LsaGetLogonSessionData
FreeCredentialsHandle
UnsealMessage
AcquireCredentialsHandleA
LsaEnumerateLogonSessions

vcruntime140

memcmp
memcpy
memset
memcpy
__CxxFrameHandler3
strchr
strrchr
strstr
memchr
__C_specific_handler
__current_exception

advapi32

CryptDestroyHash
CryptHashData
CryptCreateHash
CryptGetHashParam
CryptReleaseContext
CryptAcquireContextA
RegCloseKey
RegOpenKeyExW
RegQueryValueExW
GetUserNameW
SystemFunction036
LookupAccountSidW
GetTokenInformation
OpenProcessToken

ucrtbase

strtoul
atoi
strtoll
strtol
wcstombs
_access
_unlink
_stat64
_fstat64
realloc
calloc
free
malloc
_set_new_mode
_msize
_configthreadlocale
_dclass
_fdopen
log
__setusermatherr
abort
__p___argv
_wassert
_seh_filter_exe
_set_app_type
__p___argc
_initialize_onexit_table
_endthreadex
_configure_narrow_argv
_cexit
_initialize_narrow_environment
_get_initial_narrow_environment
_initterm
_initterm_e
exit
terminate
_crt_atexit
_c_exit
_register_thread_local_exe_atexit_callback
_Exit
_register_onexit_function
_errno
__sys_errlist
__sys_nerr
_beginthreadex
fputs
fclose
__stdio_common_vsscanf
fopen
_lseeki64
fseek
_close
fwrite
fread
__acrt_iob_func
__p__commode
_write
feof
_set_fmode
ftell
fgets
fputc
__stdio_common_vsprintf
fflush
_read
_open
strncpy
wcslen
strlen
strcpy
strpbrk
strcmp
_mbsdup
strspn
strcspn
strncmp
_localtime64_s
_gmtime64
_time64
strftime
qsort
malloc
free
realloc
_mbsdup
calloc

bcrypt

BCryptGenRandom

crypt32

CertEnumCertificatesInStore
CertAddCertificateContextToStore
CertDuplicateCertificateChain
CertVerifyCertificateChainPolicy
CertFreeCertificateChain
CertGetCertificateChain
CertDuplicateStore
CertDuplicateCertificateContext
CertCloseStore
CertFreeCertificateContext
CertGetEnhancedKeyUsage
CertFindCertificateInStore
CertOpenStore
CryptStringToBinaryA
CertFreeCertificateChainEngine
CertCreateCertificateChainEngine
CryptQueryObject
CertGetNameStringA
CertFindExtension
CryptDecodeObjectEx
PFXImportCertStore
CryptUnprotectData

gdi32

GetObjectW
DeleteObject
GetDIBits
StretchBlt
SetStretchBltMode
SelectObject
CreateCompatibleBitmap
CreateCompatibleDC
CreateDCW
GetDeviceCaps
DeleteDC

iphlpapi

FreeMibTable
GetIfEntry2
GetIfTable2

netapi32

NetUserEnum
NetApiBufferFree
NetUserGetLocalGroups

ntdll

NtCreateFile
NtQuerySystemInformation
RtlGetVersion
NtCancelIoFileEx
NtDeviceIoControlFile
RtlNtStatusToDosError
NtQueryInformationProcess
NtCreateFile
NtReadFile
NtWriteFile
RtlNtStatusToDosError
NtCreateKeyedEvent
NtReleaseKeyedEvent
NtWaitForKeyedEvent

combase

CoCreateInstance
CoInitializeEx
CoSetProxyBlanket
CoUninitialize
CoInitializeSecurity

oleaut32

SysAllocString
SysAllocStringLen
SysFreeString
SafeArrayUnaccessData
SafeArrayGetLBound
SafeArrayGetUBound
SafeArrayAccessData
VariantClear

pdh

PdhCloseQuery
PdhCollectQueryData
PdhAddEnglishCounterW
PdhGetFormattedCounterValue
PdhOpenQueryA
PdhRemoveCounter

powrprof

CallNtPowerInformation

shell32

CommandLineToArgvW

user32

GetMonitorInfoW
EnumDisplaySettingsExW
EnumDisplayMonitors

ws2_32

getsockopt
WSAIoctl
WSARecv
WSASend
getsockname
recv
closesocket
recvfrom
WSAGetLastError
getpeername
WSAStartup
ioctlsocket
connect
setsockopt
select
WSACloseEvent
WSACreateEvent
WSAEnumNetworkEvents
WSAEventSelect
freeaddrinfo
WSAResetEvent
WSAWaitForMultipleEvents
WSACleanup
htons
htons
socket
WSASetLastError
__WSAFDIsSet
accept
htonl
listen
WSASocketW
getaddrinfo
shutdown
bind

Sections

.text
Size: 3.9MB - Virtual size: 3.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1.3MB - Virtual size: 1.3MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 28KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 94KB - Virtual size: 93KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 48KB - Virtual size: 48KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: infected

Password: infected

75af93aee870cf6b2274cb3d6a5ac263

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

kernelbase

psapi

secur32

vcruntime140

advapi32

ucrtbase

bcrypt

crypt32

gdi32

iphlpapi

netapi32

ntdll

combase

oleaut32

pdh

powrprof

shell32

user32

ws2_32

Sections

.text Size: 3.9MB - Virtual size: 3.9MB

.rdata Size: 1.3MB - Virtual size: 1.3MB

.data Size: 28KB - Virtual size: 4KB

.pdata Size: 94KB - Virtual size: 93KB

.reloc Size: 48KB - Virtual size: 48KB

.text
Size: 3.9MB - Virtual size: 3.9MB

.rdata
Size: 1.3MB - Virtual size: 1.3MB

.data
Size: 28KB - Virtual size: 4KB

.pdata
Size: 94KB - Virtual size: 93KB

.reloc
Size: 48KB - Virtual size: 48KB