d45b549cdb64bccb299b19e478f865d4531281320a50994687666513ecd5a1b5

General

Target

2025-03-30_897a2c784f7c77c49036631e9dfd388f_black-basta_luca-stealer.exe
Size

1.2MB
MD5

897a2c784f7c77c49036631e9dfd388f
SHA1

c1af50d1f9d12f1df2a77bf7ab978e1cf24d240f
SHA256

d45b549cdb64bccb299b19e478f865d4531281320a50994687666513ecd5a1b5
SHA512

ffa9324ee809c285e32f42e4801150b6667d0810301593c2364e38be3c1784803f7b0e2d076df467c001a04bced9efefa2e149f0d34d2add0c2e5c5092df9b26
SSDEEP

3072:tZTz1WIXC6GESSgWNRXumi7+IF6foPCaTRMXbaev0FQcmWk6kwsNIf6cHzbQ2v0V:tZHcIX9SSgMi+IFZMbQrkodzb4VF2Yd

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	2025-03-30_897a2c784f7c77c49036631e9dfd388f_black-basta_luca-stealer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation	audiohd.exe

Executes dropped EXE 1 IoCs

pid	Process
3908	audiohd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-30_897a2c784f7c77c49036631e9dfd388f_black-basta_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiohd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1860	2025-03-30_897a2c784f7c77c49036631e9dfd388f_black-basta_luca-stealer.exe
3908	audiohd.exe
3160	powershell.exe
3160	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1860	2025-03-30_897a2c784f7c77c49036631e9dfd388f_black-basta_luca-stealer.exe
Token: SeDebugPrivilege	3908	audiohd.exe
Token: SeDebugPrivilege	3160	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 3908	1860	2025-03-30_897a2c784f7c77c49036631e9dfd388f_black-basta_luca-stealer.exe	86
PID 1860 wrote to memory of 3908	1860	2025-03-30_897a2c784f7c77c49036631e9dfd388f_black-basta_luca-stealer.exe	86
PID 1860 wrote to memory of 3908	1860	2025-03-30_897a2c784f7c77c49036631e9dfd388f_black-basta_luca-stealer.exe	86
PID 3908 wrote to memory of 3160	3908	audiohd.exe	90
PID 3908 wrote to memory of 3160	3908	audiohd.exe	90
PID 3908 wrote to memory of 3160	3908	audiohd.exe	90
PID 3160 wrote to memory of 3660	3160	powershell.exe	92
PID 3160 wrote to memory of 3660	3160	powershell.exe	92
PID 3160 wrote to memory of 3660	3160	powershell.exe	92
PID 3660 wrote to memory of 4936	3660	csc.exe	93
PID 3660 wrote to memory of 4936	3660	csc.exe	93
PID 3660 wrote to memory of 4936	3660	csc.exe	93

C:\Users\Admin\AppData\Local\Temp\2025-03-30_897a2c784f7c77c49036631e9dfd388f_black-basta_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-30_897a2c784f7c77c49036631e9dfd388f_black-basta_luca-stealer.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe
  "C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -Path "C:\Users\Admin\AppData\Local\Microsoft\local.cs"; [LocalServ]::Listen()
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3160
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ui52odk1\ui52odk1.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3660
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9FE9.tmp" "c:\Users\Admin\AppData\Local\Temp\ui52odk1\CSCAEC5FD1A158449E1B6F973F48CCCE5E2.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe

Filesize
1.2MB

MD5
6c806750487d98bbcc43b3228958a24a

SHA1
a6206d3e38c718234683e91d8d542a2ebb938f96

SHA256
a26d63c72cfbceba307fbcdf23af6e290c4f3d547f4d295761aa8f18443d4d0a

SHA512
158e5da1d1ebb497c15ba6b97e772c18121989e580f50dcca5de6f8ee1d884d36b34c14f518c91f5ab45a1745f8e587f644b413e0b42326848694ba3fefdc4db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\local.cs

Filesize
4KB

MD5
ff169c4274b91df68a1a0548b9186b29

SHA1
e2a406a1a49c5825d4f4279e82d1ca369433b244

SHA256
6da3e26b268e4a6c21e192c8b9a1b89aef6880bad673b79e6a889d29641ac2cc

SHA512
8785d91046722c0e8278fb95404ae284c3cf5e96060d06a7dc2209866b96618978e41844759da30fec7bdcef677fada61d3db498adbe989eaa87fbf84fc3366b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9FE9.tmp

Filesize
1KB

MD5
9565176c57bc33865eb8a11882dd7ac1

SHA1
4a2f95c2cc1f97b96c95509f3e9c6b81e40f3eb5

SHA256
b08dc7cf04342f863eb02ab642f1609bf0f723ee1789b9ae43d41e31c76f0f66

SHA512
b72bfb396669868a6910bc0bcfc85e6df00f28a26b5a34b076c3630b83d2eb71456eac8863208490f1a8164c274f2c9a2b9489172b7c1e684b1cfa3b00d401e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_twzk5ja1.ibq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ui52odk1\ui52odk1.dll

Filesize
6KB

MD5
5452ac91e7fc4e2e812932cf5961873f

SHA1
fd1493fa0f3162f32bb897c542822f7672320c5c

SHA256
6d64706a07a55dd7a2829a4b8713c0ce270bde92ffb2aea16735a8d390b488ea

SHA512
afca439ea03e6c71be650e7db450d57080276b9b98a36b37e36afe346556a9d481eae40e831a0b2b2584e4b7129f5a7766b1645ded1f0f21ac7eb1b8d0f0dc3c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ui52odk1\CSCAEC5FD1A158449E1B6F973F48CCCE5E2.TMP

Filesize
652B

MD5
f27f4d03d63324d12fb1400463c434f0

SHA1
681b3626ab208ec7c191b1ec09359e91fe5d5a1e

SHA256
f264c5ca6e191c9a71fe09b7a439576425a81afebb486e4d68804cc955be9ee5

SHA512
d708927270f7adf14c23a394f2f9fe57a6fbc821ac28ac07acb90c81b4537ecfbc7cca799cb469ea57a17065b96091117a2646c3b6087b05e0ceb1df9bdd2391

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ui52odk1\ui52odk1.cmdline

Filesize
360B

MD5
cc4fb76a39292751c668487df17cb1b3

SHA1
231011d7a683bb1707336dd5f791165bb95b3634

SHA256
8c5c73d18b2c499a09dee6192f2eff6aba50b41ad9b53d22c1785f642de4cf24

SHA512
edba24719e49f4c5981166c1080080e33b1e08f4425920a0d1fb84d01fc64e2e9782fc7bf4cc9023b8c8067d237efc7102d145f27f23fedbe50c8a0edb23981f

Download Submit
memory/1860-7-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/1860-8-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/1860-5-0x00000000050D0000-0x000000000516C000-memory.dmp

Filesize
624KB

Download
memory/1860-22-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/1860-4-0x00000000055E0000-0x0000000005B84000-memory.dmp

Filesize
5.6MB

Download
memory/1860-3-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/1860-0-0x00000000752AE000-0x00000000752AF000-memory.dmp

Filesize
4KB

Download
memory/1860-1-0x0000000000DC0000-0x0000000000DD6000-memory.dmp

Filesize
88KB

Download
memory/1860-2-0x0000000000DC0000-0x0000000000DD6000-memory.dmp

Filesize
88KB

Download
memory/3160-32-0x00000000049D0000-0x00000000049F2000-memory.dmp

Filesize
136KB

Download
memory/3160-68-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/3160-30-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/3160-31-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/3160-28-0x00000000044F0000-0x0000000004526000-memory.dmp

Filesize
216KB

Download
memory/3160-34-0x0000000005370000-0x00000000053D6000-memory.dmp

Filesize
408KB

Download
memory/3160-33-0x0000000005300000-0x0000000005366000-memory.dmp

Filesize
408KB

Download
memory/3160-60-0x0000000006050000-0x0000000006058000-memory.dmp

Filesize
32KB

Download
memory/3160-44-0x0000000005570000-0x00000000058C4000-memory.dmp

Filesize
3.3MB

Download
memory/3160-45-0x0000000005A90000-0x0000000005AAE000-memory.dmp

Filesize
120KB

Download
memory/3160-46-0x0000000005AE0000-0x0000000005B2C000-memory.dmp

Filesize
304KB

Download
memory/3160-47-0x00000000070E0000-0x000000000775A000-memory.dmp

Filesize
6.5MB

Download
memory/3160-48-0x0000000005FD0000-0x0000000005FEA000-memory.dmp

Filesize
104KB

Download
memory/3160-29-0x0000000004B60000-0x0000000005188000-memory.dmp

Filesize
6.2MB

Download
memory/3908-25-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/3908-20-0x0000000000FE0000-0x0000000000FF6000-memory.dmp

Filesize
88KB

Download
memory/3908-21-0x0000000000FE0000-0x0000000000FF6000-memory.dmp

Filesize
88KB

Download
memory/3908-24-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/3908-23-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/3908-62-0x0000000006830000-0x00000000068C2000-memory.dmp

Filesize
584KB

Download
memory/3908-63-0x0000000006800000-0x000000000680A000-memory.dmp

Filesize
40KB

Download
memory/3908-64-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/3908-65-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/3908-66-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/3908-67-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/3908-26-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing