e0921b702ac24ef8aae5dd11d04df7cb9b8882fd624ff7bbfab71713e619c263

General

Target

2025-03-30_9648dad1aeaee11e5ac069938edb90c9_black-basta_luca-stealer.exe
Size

1.3MB
MD5

9648dad1aeaee11e5ac069938edb90c9
SHA1

4cb976ff653afcadc7b2240d46cd34804aa7329a
SHA256

e0921b702ac24ef8aae5dd11d04df7cb9b8882fd624ff7bbfab71713e619c263
SHA512

e05ffe51a47080d1b1f6e5755272019a173a91e1217744a08e652bb592cd8b82c36d7b16816cb2dc80e7c024ece1684dc45ea7d7383bfd2691f4b3b9188bffef
SSDEEP

6144:xZHcIX9SSgMW+IFZMbQrkodzb4XsIUYd:xdcIX0vFZJetd

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2320	audiohd.exe

Loads dropped DLL 2 IoCs

pid	Process
2340	2025-03-30_9648dad1aeaee11e5ac069938edb90c9_black-basta_luca-stealer.exe
2340	2025-03-30_9648dad1aeaee11e5ac069938edb90c9_black-basta_luca-stealer.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2340-0-0x00000000002F0000-0x0000000000335000-memory.dmp	upx
behavioral1/files/0x00080000000120ff-15.dat	upx
behavioral1/memory/2340-17-0x00000000002F0000-0x0000000000335000-memory.dmp	upx
behavioral1/memory/2320-16-0x00000000011C0000-0x0000000001205000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-30_9648dad1aeaee11e5ac069938edb90c9_black-basta_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiohd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2340	2025-03-30_9648dad1aeaee11e5ac069938edb90c9_black-basta_luca-stealer.exe
2320	audiohd.exe
2768	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2340	2025-03-30_9648dad1aeaee11e5ac069938edb90c9_black-basta_luca-stealer.exe
Token: SeDebugPrivilege	2320	audiohd.exe
Token: SeDebugPrivilege	2768	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2320	2340	2025-03-30_9648dad1aeaee11e5ac069938edb90c9_black-basta_luca-stealer.exe	30
PID 2340 wrote to memory of 2320	2340	2025-03-30_9648dad1aeaee11e5ac069938edb90c9_black-basta_luca-stealer.exe	30
PID 2340 wrote to memory of 2320	2340	2025-03-30_9648dad1aeaee11e5ac069938edb90c9_black-basta_luca-stealer.exe	30
PID 2340 wrote to memory of 2320	2340	2025-03-30_9648dad1aeaee11e5ac069938edb90c9_black-basta_luca-stealer.exe	30
PID 2320 wrote to memory of 2768	2320	audiohd.exe	32
PID 2320 wrote to memory of 2768	2320	audiohd.exe	32
PID 2320 wrote to memory of 2768	2320	audiohd.exe	32
PID 2320 wrote to memory of 2768	2320	audiohd.exe	32
PID 2768 wrote to memory of 2948	2768	powershell.exe	34
PID 2768 wrote to memory of 2948	2768	powershell.exe	34
PID 2768 wrote to memory of 2948	2768	powershell.exe	34
PID 2768 wrote to memory of 2948	2768	powershell.exe	34
PID 2948 wrote to memory of 2584	2948	csc.exe	35
PID 2948 wrote to memory of 2584	2948	csc.exe	35
PID 2948 wrote to memory of 2584	2948	csc.exe	35
PID 2948 wrote to memory of 2584	2948	csc.exe	35

C:\Users\Admin\AppData\Local\Temp\2025-03-30_9648dad1aeaee11e5ac069938edb90c9_black-basta_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-30_9648dad1aeaee11e5ac069938edb90c9_black-basta_luca-stealer.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe
  "C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -Path "C:\Users\Admin\AppData\Local\Microsoft\local.cs"; [LocalServ]::Listen()
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g_tpwjsw.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCCF1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCCF0.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe

Filesize
1.3MB

MD5
bca026446ca666a33be025ee4148cc06

SHA1
2f4550b4fced0100d06b94c5a31a4a2ff90d5f7f

SHA256
84b3ccd34c741cc513319d680be1ab6d99a986dc8aeea4a6fa8ce09fb1d84712

SHA512
5dcc0014011594c8c4e1efb97cc2be472ecfc95ff879161ae8811bcc655bc55af50c1891bfc4e2780aa69fdc69b9d96e05cfdaecf6c24f67e1b71dfbf38890bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\local.cs

Filesize
4KB

MD5
ff169c4274b91df68a1a0548b9186b29

SHA1
e2a406a1a49c5825d4f4279e82d1ca369433b244

SHA256
6da3e26b268e4a6c21e192c8b9a1b89aef6880bad673b79e6a889d29641ac2cc

SHA512
8785d91046722c0e8278fb95404ae284c3cf5e96060d06a7dc2209866b96618978e41844759da30fec7bdcef677fada61d3db498adbe989eaa87fbf84fc3366b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCCF1.tmp

Filesize
1KB

MD5
3b792e46adb9f4a2dc583879860419be

SHA1
53ffbfbb9346216480524be8ef5dd31fa7c2e8d4

SHA256
269056ae66f50b04bea9a3d31ee7c865159e6a0ff0830026e13101e403ebb075

SHA512
00ec9c660e6d9833ca3e12da380b7b59dbfaffb876ea0584442ea9c24cde484e52a6de4f2e256e71704b7f698ef39c16dab52f6172097450094ba8a7b00db7b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\g_tpwjsw.dll

Filesize
6KB

MD5
b3ecdea63fd8c69ee73e654f3fde69c0

SHA1
80df1e2a406c61a54b71f8fbc818f26f62d4c4a0

SHA256
429f40ebd02084a4d453d9e72d8f8389ef4bd6c88c9c89fa70d00e3879f1f610

SHA512
e4f917dc36c12a3370753fff08a850f73cd2eba67ef5da6f4c929ded46ec44b1b636920f9e56f4428b3e9351d77d86c6a586f0c4e8f22acb61f9c2e69579a2ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\g_tpwjsw.pdb

Filesize
13KB

MD5
638acb39444ab662d6244618ad716df9

SHA1
51fa0e2597ef8db07135006847803a7c649a5aec

SHA256
8087f4e9d301a288c04e73fca19bf88344cbfed7fa9e1ca2d0f1074c8eb21f12

SHA512
0dd1f5b2263ae374d99baf1cab499a95c5a332088ca7844bda354f8ab14981e534595aa92a4a84de46294f8257ed797a2acc48d5d00b5c1ee5e47d0109a13e42

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCCCF0.tmp

Filesize
652B

MD5
2ce4138ffaf37908c410802ce58355c9

SHA1
14b633468fc64f7dc5526116b51fb2b42c36b1d9

SHA256
dde91e7d89e47931706f6eca83435566b85392484d48ab8f9d72558e67989bd5

SHA512
7738a0c03d51dba90210041f4c8f79d85813517a14dd7749c397df3514a7bdd2268603cd541ff7cb6fd0125b6ed01af052771cfd25c754b393b47e106f737dcf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\g_tpwjsw.cmdline

Filesize
309B

MD5
0d1e63695d6dcce797ef059a7c5b71b3

SHA1
a7722e5cb2702a85c1dcb5470debfa17d983c89c

SHA256
3e1da191ea7f3d4491b8f87bfb898f18eb2dc40412f8922f9ab95947989c79ee

SHA512
091b2857305177714dc63118998d7b332bf3fa6f18bbf502451113f65bb07c4515363165dc549e7dee2b0881c37db7b242e71b5363ec726e04f948df924ed435

Download Submit
memory/2320-41-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/2320-40-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/2320-20-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/2320-18-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/2320-16-0x00000000011C0000-0x0000000001205000-memory.dmp

Filesize
276KB

Download
memory/2320-42-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/2320-43-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/2320-22-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/2320-21-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/2320-44-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/2340-17-0x00000000002F0000-0x0000000000335000-memory.dmp

Filesize
276KB

Download
memory/2340-13-0x0000000002390000-0x00000000023D5000-memory.dmp

Filesize
276KB

Download
memory/2340-14-0x0000000002390000-0x00000000023D5000-memory.dmp

Filesize
276KB

Download
memory/2340-19-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/2340-0-0x00000000002F0000-0x0000000000335000-memory.dmp

Filesize
276KB

Download
memory/2340-4-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/2340-3-0x0000000074700000-0x0000000074DEE000-memory.dmp

Filesize
6.9MB

Download
memory/2340-2-0x00000000001C0000-0x00000000001D6000-memory.dmp

Filesize
88KB

Download
memory/2340-1-0x000000007470E000-0x000000007470F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing