e0921b702ac24ef8aae5dd11d04df7cb9b8882fd624ff7bbfab71713e619c263

General

Target

2025-03-30_9648dad1aeaee11e5ac069938edb90c9_black-basta_luca-stealer.exe
Size

1.3MB
MD5

9648dad1aeaee11e5ac069938edb90c9
SHA1

4cb976ff653afcadc7b2240d46cd34804aa7329a
SHA256

e0921b702ac24ef8aae5dd11d04df7cb9b8882fd624ff7bbfab71713e619c263
SHA512

e05ffe51a47080d1b1f6e5755272019a173a91e1217744a08e652bb592cd8b82c36d7b16816cb2dc80e7c024ece1684dc45ea7d7383bfd2691f4b3b9188bffef
SSDEEP

6144:xZHcIX9SSgMW+IFZMbQrkodzb4XsIUYd:xdcIX0vFZJetd

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	2025-03-30_9648dad1aeaee11e5ac069938edb90c9_black-basta_luca-stealer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	audiohd.exe

Executes dropped EXE 1 IoCs

pid	Process
1916	audiohd.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1812-0-0x0000000000540000-0x0000000000585000-memory.dmp	upx
behavioral2/files/0x000d000000021e27-11.dat	upx
behavioral2/memory/1916-19-0x0000000000DA0000-0x0000000000DE5000-memory.dmp	upx
behavioral2/memory/1812-21-0x0000000000540000-0x0000000000585000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-30_9648dad1aeaee11e5ac069938edb90c9_black-basta_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiohd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1812	2025-03-30_9648dad1aeaee11e5ac069938edb90c9_black-basta_luca-stealer.exe
1916	audiohd.exe
4764	powershell.exe
4764	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1812	2025-03-30_9648dad1aeaee11e5ac069938edb90c9_black-basta_luca-stealer.exe
Token: SeDebugPrivilege	1916	audiohd.exe
Token: SeDebugPrivilege	4764	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 1916	1812	2025-03-30_9648dad1aeaee11e5ac069938edb90c9_black-basta_luca-stealer.exe	86
PID 1812 wrote to memory of 1916	1812	2025-03-30_9648dad1aeaee11e5ac069938edb90c9_black-basta_luca-stealer.exe	86
PID 1812 wrote to memory of 1916	1812	2025-03-30_9648dad1aeaee11e5ac069938edb90c9_black-basta_luca-stealer.exe	86
PID 1916 wrote to memory of 4764	1916	audiohd.exe	89
PID 1916 wrote to memory of 4764	1916	audiohd.exe	89
PID 1916 wrote to memory of 4764	1916	audiohd.exe	89
PID 4764 wrote to memory of 4872	4764	powershell.exe	93
PID 4764 wrote to memory of 4872	4764	powershell.exe	93
PID 4764 wrote to memory of 4872	4764	powershell.exe	93
PID 4872 wrote to memory of 4844	4872	csc.exe	94
PID 4872 wrote to memory of 4844	4872	csc.exe	94
PID 4872 wrote to memory of 4844	4872	csc.exe	94

C:\Users\Admin\AppData\Local\Temp\2025-03-30_9648dad1aeaee11e5ac069938edb90c9_black-basta_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-30_9648dad1aeaee11e5ac069938edb90c9_black-basta_luca-stealer.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe
  "C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -Path "C:\Users\Admin\AppData\Local\Microsoft\local.cs"; [LocalServ]::Listen()
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4764
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z0014gir\z0014gir.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4872
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES62F0.tmp" "c:\Users\Admin\AppData\Local\Temp\z0014gir\CSC3D0BEF04A3ED431ABEB59420241E751.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\audiohd.exe

Filesize
1.3MB

MD5
87aabccab5ff28821add5ed852442ff4

SHA1
49fa0c7940559699706de18a9da27e2729397c16

SHA256
714aa0f61a367786fc98e9cad53c686d7a79cd3692144fb6dbd004162f85d2f9

SHA512
1deb1c991badf2364a712f92a0575691069782b2cf8036672581843a843319f6fa64a8298825a5e222c65e5723cf4157b8746e43a51ef82822ff9778bb575698

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\local.cs

Filesize
4KB

MD5
ff169c4274b91df68a1a0548b9186b29

SHA1
e2a406a1a49c5825d4f4279e82d1ca369433b244

SHA256
6da3e26b268e4a6c21e192c8b9a1b89aef6880bad673b79e6a889d29641ac2cc

SHA512
8785d91046722c0e8278fb95404ae284c3cf5e96060d06a7dc2209866b96618978e41844759da30fec7bdcef677fada61d3db498adbe989eaa87fbf84fc3366b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES62F0.tmp

Filesize
1KB

MD5
8eb2daca144ad118b3bc5fb06192249f

SHA1
7362c658a95bfc6314701771fe44e2c6ead36a97

SHA256
f0de7549a941e04a63335c6da24bea3086c055c8912ac95b71abbcbd7cb3b1fe

SHA512
3297aa42665d1bbdcfd3ab73bc195a7237247d7f73a02f7d782a00295a0ccdff2da64079384347ff4d8c4e29b950c4ba5c260af36d8a38a183983a021f4e0b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jc1fjpca.xwd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\z0014gir\z0014gir.dll

Filesize
6KB

MD5
446e91b1f140538e0581527e392c0a80

SHA1
eb1250168deae321f812a453ef236896272910d0

SHA256
4b7ee7e2efccbf27055e3151caa246ac471c6c39a8edb4eb65534b0d0a4a548b

SHA512
c76b5c9507f8db4b3a57e507c7e7c17d4ce1239ecd8d11a820c238fba89b4a5130a45940f52dc9750df9eef8f8a3e7b94e92daa1dc37f14d83c6548f07e898fc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z0014gir\CSC3D0BEF04A3ED431ABEB59420241E751.TMP

Filesize
652B

MD5
02dd4554663720728e19c468954dba03

SHA1
25f769af4588420ce68ba7d2b170f395620144db

SHA256
eb41911a45ce295731c0d516493dd6393f91ffa5621e21f26208ef87e6f34670

SHA512
bca4509da93d599b7c4feb29b38d87c3f11106b3e0eb0a3fe1a3637e9d9e0c2f30b3318145657272677eee6add0b2d5b9b7c4386d3af00757bf1a26103d345da

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z0014gir\z0014gir.cmdline

Filesize
360B

MD5
a64182c1aa9d4b7b958d504b2fc20ac1

SHA1
e3476fc4f40ae0e8cc77267c9c91554cf74451d5

SHA256
da5fd2f485ddbe5f011a19212b20ee4d93f47050b0a83fff4147bebb4b70198d

SHA512
9d3f5996b75219578769cc3598357b2b987e9f7c39c4d2deb2546f026f44b0e6225367a28f108d6ecf99ad6c19aeb83ce484923f0d4859d4cb41e86fe5b9ecc0

Download Submit
memory/1812-7-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/1812-5-0x00000000054D0000-0x000000000556C000-memory.dmp

Filesize
624KB

Download
memory/1812-3-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/1812-4-0x00000000059E0000-0x0000000005F84000-memory.dmp

Filesize
5.6MB

Download
memory/1812-0-0x0000000000540000-0x0000000000585000-memory.dmp

Filesize
276KB

Download
memory/1812-21-0x0000000000540000-0x0000000000585000-memory.dmp

Filesize
276KB

Download
memory/1812-2-0x00000000014D0000-0x00000000014E6000-memory.dmp

Filesize
88KB

Download
memory/1812-23-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/1812-1-0x00000000746AE000-0x00000000746AF000-memory.dmp

Filesize
4KB

Download
memory/1916-22-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/1916-25-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/1916-67-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/1916-66-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/1916-65-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/1916-64-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/1916-63-0x00000000068E0000-0x00000000068EA000-memory.dmp

Filesize
40KB

Download
memory/1916-62-0x0000000006900000-0x0000000006992000-memory.dmp

Filesize
584KB

Download
memory/1916-19-0x0000000000DA0000-0x0000000000DE5000-memory.dmp

Filesize
276KB

Download
memory/1916-18-0x0000000001180000-0x0000000001196000-memory.dmp

Filesize
88KB

Download
memory/1916-24-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/4764-29-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/4764-60-0x0000000006390000-0x0000000006398000-memory.dmp

Filesize
32KB

Download
memory/4764-27-0x0000000002490000-0x00000000024C6000-memory.dmp

Filesize
216KB

Download
memory/4764-47-0x00000000075F0000-0x0000000007C6A000-memory.dmp

Filesize
6.5MB

Download
memory/4764-46-0x0000000005E40000-0x0000000005E8C000-memory.dmp

Filesize
304KB

Download
memory/4764-45-0x0000000005DF0000-0x0000000005E0E000-memory.dmp

Filesize
120KB

Download
memory/4764-44-0x00000000057F0000-0x0000000005B44000-memory.dmp

Filesize
3.3MB

Download
memory/4764-48-0x00000000062F0000-0x000000000630A000-memory.dmp

Filesize
104KB

Download
memory/4764-28-0x00000000051C0000-0x00000000057E8000-memory.dmp

Filesize
6.2MB

Download
memory/4764-34-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/4764-32-0x0000000004E80000-0x0000000004EE6000-memory.dmp

Filesize
408KB

Download
memory/4764-33-0x0000000004EF0000-0x0000000004F56000-memory.dmp

Filesize
408KB

Download
memory/4764-31-0x0000000004CE0000-0x0000000004D02000-memory.dmp

Filesize
136KB

Download
memory/4764-30-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/4764-68-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing