lucastealer | f4f5790a9be596d88822e54ed04b257c529955bd71b49e2e1381b6f0bd8acf57

Analysis

max time kernel
70s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rust-stealer-xss.exe
Size

5.4MB
MD5

757220d2a9fbe32c7478f27ecbdae5ae
SHA1

e9a6822c498731831da6938c25b15a131bf67dfb
SHA256

f4f5790a9be596d88822e54ed04b257c529955bd71b49e2e1381b6f0bd8acf57
SHA512

fef6d21056aaa768a7ad3558d04d3df9bdcd8dc6911fb397ddc87c4c9a5e756584e8f8d81a19b911440ebfec5b34ca4d57715f559007b4ba9d1b62006a654b94
SSDEEP

49152:zTLzKrjyznOLlalYWvQhzQk5GwRgEgfTmcD8LneUqm/G7T251qpbWGAxVRwyjSMH:zjykYWQQfwRYC37Vq2NJsSPPDHn+y

Score

10^/10

lucastealer credential_access spyware stealer

Malware Config

Signatures

Luca Stealer
Info stealer written in Rust first seen in July 2022.
stealer lucastealer
Lucastealer family
lucastealer
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	rust-stealer-xss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
35	discord.com
36	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
232	rust-stealer-xss.exe
232	rust-stealer-xss.exe
232	rust-stealer-xss.exe
232	rust-stealer-xss.exe
232	rust-stealer-xss.exe
232	rust-stealer-xss.exe

C:\Users\Admin\AppData\Local\Temp\rust-stealer-xss.exe
"C:\Users\Admin\AppData\Local\Temp\rust-stealer-xss.exe"
1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\logsxc\sensfiles.zip

Filesize
823KB

MD5
f216ba0dccee12d4cd22a5f6229f78b1

SHA1
c5b5dbf9e12a0347c09b64ddd687ea54d23c1723

SHA256
7054b95cb6fdd139d3189391072bea19d0f508e463f30395793bbfe527f898bd

SHA512
d8477855c698126804db0df272607b178563dbd8678a7e3b2860b7c088441c8d2aa1c847487f8a7ee3d70a3d693c915d937339936c639507b57e19966429f1f1

Download Submit