Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/03/2025, 21:01
Static task: static1
Behavioral task: behavioral1
  Sample: 2025-03-30_897a2c784f7c77c49036631e9dfd388f_black-basta_luca-stealer.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 2025-03-30_897a2c784f7c77c49036631e9dfd388f_black-basta_luca-stealer.exe
  Resource: win10v2004-20250314-en
General
Target: 2025-03-30_897a2c784f7c77c49036631e9dfd388f_black-basta_luca-stealer.exe
Size: 1.2MB
MD5: 897a2c784f7c77c49036631e9dfd388f
SHA1: c1af50d1f9d12f1df2a77bf7ab978e1cf24d240f
SHA256: d45b549cdb64bccb299b19e478f865d4531281320a50994687666513ecd5a1b5
SHA512: ffa9324ee809c285e32f42e4801150b6667d0810301593c2364e38be3c1784803f7b0e2d076df467c001a04bced9efefa2e149f0d34d2add0c2e5c5092df9b26
SSDEEP: 3072:tZTz1WIXC6GESSgWNRXumi7+IF6foPCaTRMXbaev0FQcmWk6kwsNIf6cHzbQ2v0V:tZHcIX9SSgMi+IFZMbQrkodzb4VF2Yd
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   process
  2280  audiohd.exe

Loads dropped DLL (2 IoCs)
  pid   process
  2100  2025-03-30_897a2c784f7c77c49036631e9dfd388f_black-basta_luca-stealer.exe
  2100  2025-03-30_897a2c784f7c77c49036631e9dfd388f_black-basta_luca-stealer.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                           process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cvtres.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   2025-03-30_897a2c784f7c77c49036631e9dfd388f_black-basta_luca-stealer.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   audiohd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   powershell.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   csc.exe
  Note that three of the five hits come from powershell.exe and the .NET toolchain it spawns (csc.exe, cvtres.exe), which open this key as part of normal operation; on its own this IoC does not separate the sample from the legitimate compile it triggers.

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   process
  2100  2025-03-30_897a2c784f7c77c49036631e9dfd388f_black-basta_luca-stealer.exe
  2280  audiohd.exe
  2672  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  2100  2025-03-30_897a2c784f7c77c49036631e9dfd388f_black-basta_luca-stealer.exe
  Token: SeDebugPrivilege  2280  audiohd.exe
  Token: SeDebugPrivilege  2672  powershell.exe

Suspicious use of WriteProcessMemory (16 IoCs; each parent/child pair is logged four times)
  description                         pid   process                                                                   procid_target  entries
  PID 2100 wrote to memory of 2280    2100  2025-03-30_897a2c784f7c77c49036631e9dfd388f_black-basta_luca-stealer.exe  31             4
  PID 2280 wrote to memory of 2672    2280  audiohd.exe                                                               32             4
  PID 2672 wrote to memory of 2656    2672  powershell.exe                                                            34             4
  PID 2656 wrote to memory of 2664    2656  csc.exe                                                                   35             4
Processes
1. C:\Users\Admin\AppData\Local\Temp\2025-03-30_897a2c784f7c77c49036631e9dfd388f_black-basta_luca-stealer.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\2025-03-30_897a2c784f7c77c49036631e9dfd388f_black-basta_luca-stealer.exe"
   PID: 2100
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe (child of 2100)
      command line: "C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe"
      PID: 2280
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (child of 2280)
         command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -Path "C:\Users\Admin\AppData\Local\Microsoft\local.cs"; [LocalServ]::Listen()
         PID: 2672
         (The command line names System32 but the image resolved to SysWOW64: the parent is a 32-bit process, so file system redirection gave it the 32-bit PowerShell.)
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe (child of 2672)
            command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qjg64rpp.cmdline"
            PID: 2656
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (child of 2656)
               command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE513.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE512.tmp"
               PID: 2664
               - System Location Discovery: System Language Discovery
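The process tree above is the most useful part of this report for detection: the sample drops audiohd.exe into a vendor-looking but user-writable folder under AppData\Local, and audiohd.exe then runs PowerShell with Add-Type against a dropped .cs file. Add-Type compiles that source at run time, which is why csc.exe appears with an @-response file in Temp and cvtres.exe follows it (the 32-bit Framework\v2.0.50727 path and /MACHINE:IX86 match the SysWOW64 PowerShell). The following script is an added example, not code from the sandbox or the sample: it rebuilds the tree from process-creation events constructed from the list above (Sysmon Event ID 1 shape; the parent PID 1000 of the first process is assumed, since the report does not show it) and applies two rules plus a WoW64 check. Rule and function names are this example's own.

```python
"""Process-tree checks for the Add-Type compile chain shown in this report.

Added example, not part of the sandbox report. Events are constructed from the
report's process list; ppid 1000 for the first process is an assumption.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # image path as the kernel sees it (SysWOW64 for a 32-bit process on x64)
    cmdline: str   # command line as written by the parent


SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\2025-03-30_897a2c784f7c77c49036631e9dfd388f_black-basta_luca-stealer.exe")
AUDIOHD = r"C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe"
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe"

# Constructed from the report's process tree; PIDs and paths are as observed there.
EVENTS = [
    ProcEvent(2100, 1000, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(2280, 2100, AUDIOHD, f'"{AUDIOHD}"'),
    ProcEvent(2672, 2280, PS_IMAGE,
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -Path '
              r'"C:\Users\Admin\AppData\Local\Microsoft\local.cs"; [LocalServ]::Listen()'),
    ProcEvent(2656, 2672, CSC,
              rf'"{CSC}" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qjg64rpp.cmdline"'),
    ProcEvent(2664, 2656, CVTRES,
              rf'{CVTRES} /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE513.tmp" '
              r'"c:\Users\Admin\AppData\Local\Temp\CSCE512.tmp"'),
]

USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\", re.I)
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)
ADD_TYPE_PATH = re.compile(r'Add-Type\s+-Path\s+"?([^";]+\.cs)\b', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def build_tree(events):
    return {e.pid: e for e in events}


def ancestry(tree, pid):
    """Walk parent links upward; returns [event, parent, grandparent, ...]."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        chain.append(tree[pid])
        pid = tree[pid].ppid
    return chain


def detect_addtype_compile(tree):
    """csc.exe spawned by powershell.exe whose command line runs Add-Type on a
    .cs file under a user-writable path. Add-Type writes a temporary response
    file and runs csc.exe with @file (which then runs cvtres.exe), so the full
    ancestry is reported rather than the csc.exe event alone."""
    findings = []
    for e in tree.values():
        if basename(e.image) != "csc.exe":
            continue
        parent = tree.get(e.ppid)
        if parent is None or basename(parent.image) != "powershell.exe":
            continue
        m = ADD_TYPE_PATH.search(parent.cmdline)
        if not m or not USER_WRITABLE.match(m.group(1)):
            continue
        findings.append({
            "rule": "powershell_addtype_user_writable_source",
            "source_file": m.group(1),
            "chain": [(x.pid, basename(x.image)) for x in reversed(ancestry(tree, e.pid))],
        })
    return findings


def detect_dropped_exe_launch(tree):
    """Executable under the user profile but outside Temp (here a vendor-looking
    ...\\AppData\\Local\\Microsoft\\ folder) started by a parent running from Temp."""
    findings = []
    for e in tree.values():
        parent = tree.get(e.ppid)
        if parent is None:
            continue
        if (USER_WRITABLE.match(e.image) and not TEMP_DIR.search(e.image)
                and TEMP_DIR.search(parent.image)):
            findings.append({"rule": "temp_parent_launches_profile_exe",
                             "pid": e.pid, "image": e.image, "parent_pid": parent.pid})
    return findings


def wow64_pids(tree):
    """PIDs whose image resolved to SysWOW64: a 32-bit process on an x64 host,
    even when the command line names System32 (file system redirection)."""
    return sorted(e.pid for e in tree.values() if "\\syswow64\\" in e.image.lower())


def analyse(events):
    tree = build_tree(events)
    return {
        "addtype_compile": detect_addtype_compile(tree),
        "dropped_exe_launch": detect_dropped_exe_launch(tree),
        "wow64_pids": wow64_pids(tree),
    }


if __name__ == "__main__":
    for rule, hits in analyse(EVENTS).items():
        print(rule, hits)
```

Run against the constructed events, the Add-Type rule reports the chain 2100 → 2280 → 2672 → 2656 with local.cs as the compiled source, the dropped-EXE rule reports audiohd.exe (2280) launched by the Temp-resident sample, and the WoW64 check singles out the PowerShell instance. The rules key on parent/child relationships and on where the compiled source lives, not on the file names in this report, so they also cover renamed droppers; the NLS\Language registry IoC was deliberately left out because the .NET toolchain triggers it as well.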
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.2MB
MD5: d87b46d373ea921b8cc7ac8b484aa595
SHA1: b193a1dfe061fb65ad65ecc9efb7ded1f8cf6ce1
SHA256: f9c5c72f23751ea70f1a018db42577e5fc386196dc4ff31a4def17d2dd0e41ef
SHA512: 0aed4d4f6771284f72e778c7a4b99b9a7dec0f18000d7ee28c09705904623e3bd7ed5fe6ab79219095fcff0b8b3391cf52fa8a8a40a9edae18137a9bed8f5ea6

Filesize: 4KB
MD5: ff169c4274b91df68a1a0548b9186b29
SHA1: e2a406a1a49c5825d4f4279e82d1ca369433b244
SHA256: 6da3e26b268e4a6c21e192c8b9a1b89aef6880bad673b79e6a889d29641ac2cc
SHA512: 8785d91046722c0e8278fb95404ae284c3cf5e96060d06a7dc2209866b96618978e41844759da30fec7bdcef677fada61d3db498adbe989eaa87fbf84fc3366b

Filesize: 1KB
MD5: 514057af64d7605b80331d1480f03a5c
SHA1: 12a8959310e9f3445fda9bd3fd554857b6bc8070
SHA256: bc19e7de6f93be31ff8491cd9bcba927b3f6ec96f9fa5af01db0d9ddfac86bce
SHA512: 85fb4908077833613f5e320ff134365f345c899877b78c1201a88d5b34e4fd0be232914858ed3c4b57cef8510b35f07ff216edc5c2a20c7d17f27c81e6ecb16c

Filesize: 6KB
MD5: 0f1ae435a5ad8080f690175db08fe81a
SHA1: 1203976f94e62c2172050c11308c18679aaaf4d6
SHA256: c228522927bff7e35d488a8ce40f704392a354c73fac91f60632f3272b76f9fe
SHA512: 5e6a8e88d0c89ce71712c55e09dcf76f0450ed3d470610eb8c74c7238dd7ad1abd3548be01d0c11a481295a5f5b230accc58374a36fbc5fa48a9e69efee3c437

Filesize: 13KB
MD5: 1256e406e9fec7f9d2d1d9609dfdf25c
SHA1: 7a51c78283dc96cb25add192c22405810b3a870b
SHA256: 46db53f4a7db7cb88e2044c88fd68434d409f8ff5e4006cd0ee8fd943555d39b
SHA512: 61b6e45609ff3487d40acc29766c4d9c1d8a2e1702d05e7fb21c580f95e91f764a340d24c82a7669ed3451bc103f7bfc7157107f437d76ef1327e34479b5f7c9

Filesize: 652B
MD5: f4998f558289fead82784bf825002362
SHA1: d29ab49e4e22cfcdbff21e3e76976855f44e49c5
SHA256: fe83def5f32f199a05428193e8df2c3d4eaeba1c99f6cc9547f3db1474dc508b
SHA512: 147c75d851a85f94b49822adeadb817bfca162f91426a2008a4b352ff3ccef859864af088647e2b648669e218841850a10d64349cf91affafc12eb68e97b4c3f

Filesize: 309B
MD5: a49c9830b32987b7d694785defd6a574
SHA1: 0591cc72aaf8582d4881d47f1052c0e19c732402
SHA256: abb7cc6fe8ffbbed40351a8713070c5b2e23da88e059578be46c61640d56b63d
SHA512: 40cc19b50d8951b19c8707f462b249307fec3238a1c252eb5d4325aa9a2924bd2fe9207bbff467181139358a83f785f926988d863350db3d594d15eb6ea93084