d45b549cdb64bccb299b19e478f865d4531281320a50994687666513ecd5a1b5

General

Target

2025-03-30_897a2c784f7c77c49036631e9dfd388f_black-basta_luca-stealer.exe
Size

1.2MB
MD5

897a2c784f7c77c49036631e9dfd388f
SHA1

c1af50d1f9d12f1df2a77bf7ab978e1cf24d240f
SHA256

d45b549cdb64bccb299b19e478f865d4531281320a50994687666513ecd5a1b5
SHA512

ffa9324ee809c285e32f42e4801150b6667d0810301593c2364e38be3c1784803f7b0e2d076df467c001a04bced9efefa2e149f0d34d2add0c2e5c5092df9b26
SSDEEP

3072:tZTz1WIXC6GESSgWNRXumi7+IF6foPCaTRMXbaev0FQcmWk6kwsNIf6cHzbQ2v0V:tZHcIX9SSgMi+IFZMbQrkodzb4VF2Yd

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2280	audiohd.exe

Loads dropped DLL 2 IoCs

pid	Process
2100	2025-03-30_897a2c784f7c77c49036631e9dfd388f_black-basta_luca-stealer.exe
2100	2025-03-30_897a2c784f7c77c49036631e9dfd388f_black-basta_luca-stealer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-30_897a2c784f7c77c49036631e9dfd388f_black-basta_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiohd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2100	2025-03-30_897a2c784f7c77c49036631e9dfd388f_black-basta_luca-stealer.exe
2280	audiohd.exe
2672	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2100	2025-03-30_897a2c784f7c77c49036631e9dfd388f_black-basta_luca-stealer.exe
Token: SeDebugPrivilege	2280	audiohd.exe
Token: SeDebugPrivilege	2672	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2280	2100	2025-03-30_897a2c784f7c77c49036631e9dfd388f_black-basta_luca-stealer.exe	31
PID 2100 wrote to memory of 2280	2100	2025-03-30_897a2c784f7c77c49036631e9dfd388f_black-basta_luca-stealer.exe	31
PID 2100 wrote to memory of 2280	2100	2025-03-30_897a2c784f7c77c49036631e9dfd388f_black-basta_luca-stealer.exe	31
PID 2100 wrote to memory of 2280	2100	2025-03-30_897a2c784f7c77c49036631e9dfd388f_black-basta_luca-stealer.exe	31
PID 2280 wrote to memory of 2672	2280	audiohd.exe	32
PID 2280 wrote to memory of 2672	2280	audiohd.exe	32
PID 2280 wrote to memory of 2672	2280	audiohd.exe	32
PID 2280 wrote to memory of 2672	2280	audiohd.exe	32
PID 2672 wrote to memory of 2656	2672	powershell.exe	34
PID 2672 wrote to memory of 2656	2672	powershell.exe	34
PID 2672 wrote to memory of 2656	2672	powershell.exe	34
PID 2672 wrote to memory of 2656	2672	powershell.exe	34
PID 2656 wrote to memory of 2664	2656	csc.exe	35
PID 2656 wrote to memory of 2664	2656	csc.exe	35
PID 2656 wrote to memory of 2664	2656	csc.exe	35
PID 2656 wrote to memory of 2664	2656	csc.exe	35

C:\Users\Admin\AppData\Local\Temp\2025-03-30_897a2c784f7c77c49036631e9dfd388f_black-basta_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-30_897a2c784f7c77c49036631e9dfd388f_black-basta_luca-stealer.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe
  "C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -Path "C:\Users\Admin\AppData\Local\Microsoft\local.cs"; [LocalServ]::Listen()
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qjg64rpp.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE513.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE512.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe

Filesize
1.2MB

MD5
d87b46d373ea921b8cc7ac8b484aa595

SHA1
b193a1dfe061fb65ad65ecc9efb7ded1f8cf6ce1

SHA256
f9c5c72f23751ea70f1a018db42577e5fc386196dc4ff31a4def17d2dd0e41ef

SHA512
0aed4d4f6771284f72e778c7a4b99b9a7dec0f18000d7ee28c09705904623e3bd7ed5fe6ab79219095fcff0b8b3391cf52fa8a8a40a9edae18137a9bed8f5ea6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\local.cs

Filesize
4KB

MD5
ff169c4274b91df68a1a0548b9186b29

SHA1
e2a406a1a49c5825d4f4279e82d1ca369433b244

SHA256
6da3e26b268e4a6c21e192c8b9a1b89aef6880bad673b79e6a889d29641ac2cc

SHA512
8785d91046722c0e8278fb95404ae284c3cf5e96060d06a7dc2209866b96618978e41844759da30fec7bdcef677fada61d3db498adbe989eaa87fbf84fc3366b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE513.tmp

Filesize
1KB

MD5
514057af64d7605b80331d1480f03a5c

SHA1
12a8959310e9f3445fda9bd3fd554857b6bc8070

SHA256
bc19e7de6f93be31ff8491cd9bcba927b3f6ec96f9fa5af01db0d9ddfac86bce

SHA512
85fb4908077833613f5e320ff134365f345c899877b78c1201a88d5b34e4fd0be232914858ed3c4b57cef8510b35f07ff216edc5c2a20c7d17f27c81e6ecb16c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qjg64rpp.dll

Filesize
6KB

MD5
0f1ae435a5ad8080f690175db08fe81a

SHA1
1203976f94e62c2172050c11308c18679aaaf4d6

SHA256
c228522927bff7e35d488a8ce40f704392a354c73fac91f60632f3272b76f9fe

SHA512
5e6a8e88d0c89ce71712c55e09dcf76f0450ed3d470610eb8c74c7238dd7ad1abd3548be01d0c11a481295a5f5b230accc58374a36fbc5fa48a9e69efee3c437

Download Submit
C:\Users\Admin\AppData\Local\Temp\qjg64rpp.pdb

Filesize
13KB

MD5
1256e406e9fec7f9d2d1d9609dfdf25c

SHA1
7a51c78283dc96cb25add192c22405810b3a870b

SHA256
46db53f4a7db7cb88e2044c88fd68434d409f8ff5e4006cd0ee8fd943555d39b

SHA512
61b6e45609ff3487d40acc29766c4d9c1d8a2e1702d05e7fb21c580f95e91f764a340d24c82a7669ed3451bc103f7bfc7157107f437d76ef1327e34479b5f7c9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCE512.tmp

Filesize
652B

MD5
f4998f558289fead82784bf825002362

SHA1
d29ab49e4e22cfcdbff21e3e76976855f44e49c5

SHA256
fe83def5f32f199a05428193e8df2c3d4eaeba1c99f6cc9547f3db1474dc508b

SHA512
147c75d851a85f94b49822adeadb817bfca162f91426a2008a4b352ff3ccef859864af088647e2b648669e218841850a10d64349cf91affafc12eb68e97b4c3f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qjg64rpp.cmdline

Filesize
309B

MD5
a49c9830b32987b7d694785defd6a574

SHA1
0591cc72aaf8582d4881d47f1052c0e19c732402

SHA256
abb7cc6fe8ffbbed40351a8713070c5b2e23da88e059578be46c61640d56b63d

SHA512
40cc19b50d8951b19c8707f462b249307fec3238a1c252eb5d4325aa9a2924bd2fe9207bbff467181139358a83f785f926988d863350db3d594d15eb6ea93084

Download Submit
memory/2100-3-0x0000000074E90000-0x000000007557E000-memory.dmp

Filesize
6.9MB

Download
memory/2100-1-0x0000000000210000-0x0000000000226000-memory.dmp

Filesize
88KB

Download
memory/2100-13-0x0000000074E90000-0x000000007557E000-memory.dmp

Filesize
6.9MB

Download
memory/2100-0-0x0000000074E9E000-0x0000000074E9F000-memory.dmp

Filesize
4KB

Download
memory/2100-2-0x0000000074E90000-0x000000007557E000-memory.dmp

Filesize
6.9MB

Download
memory/2280-14-0x0000000074E90000-0x000000007557E000-memory.dmp

Filesize
6.9MB

Download
memory/2280-15-0x0000000074E90000-0x000000007557E000-memory.dmp

Filesize
6.9MB

Download
memory/2280-33-0x0000000074E90000-0x000000007557E000-memory.dmp

Filesize
6.9MB

Download
memory/2280-34-0x0000000074E90000-0x000000007557E000-memory.dmp

Filesize
6.9MB

Download
memory/2280-35-0x0000000074E90000-0x000000007557E000-memory.dmp

Filesize
6.9MB

Download
memory/2280-36-0x0000000074E90000-0x000000007557E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing