General
-
Target
2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer
-
Size
46.2MB
-
Sample
250331-behynazwaz
-
MD5
5ad23c8209fd17a66c6e37436f257a91
-
SHA1
47afe2053859cf1ebe0f45fa75d0ce77945f89da
-
SHA256
b0dea552b8e60015ae41b062602655ebca0b310b677c3428126363b0e0a08476
-
SHA512
cd4dad7b8a37c9e141b4e86cc3b861f5a6250f0c716326b9fe295bc36ce3bf2b42fd9630e47677eac333e02d0358b175007fd0bfd4636836ec4871bec626d3c4
-
SSDEEP
786432:GVmrjV7eIAtBXcnm0+Hm+vwZW9a3kTxI2Un/Elw4+rTEl4ElUyemgEmtV8r8G:GVmrjV7eIjnP+TYZQaB3Ex+HEpUxkrn
Malware Config
Targets
-
-
Target
2025-03-31_5ad23c8209fd17a66c6e37436f257a91_black-basta_luca-stealer
-
Size
46.2MB
-
MD5
5ad23c8209fd17a66c6e37436f257a91
-
SHA1
47afe2053859cf1ebe0f45fa75d0ce77945f89da
-
SHA256
b0dea552b8e60015ae41b062602655ebca0b310b677c3428126363b0e0a08476
-
SHA512
cd4dad7b8a37c9e141b4e86cc3b861f5a6250f0c716326b9fe295bc36ce3bf2b42fd9630e47677eac333e02d0358b175007fd0bfd4636836ec4871bec626d3c4
-
SSDEEP
786432:GVmrjV7eIAtBXcnm0+Hm+vwZW9a3kTxI2Un/Elw4+rTEl4ElUyemgEmtV8r8G:GVmrjV7eIjnP+TYZQaB3Ex+HEpUxkrn
Score10/10-
Banload
Banload variants download malicious files, then install and execute the files.
-
Banload family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Access Token Manipulation
1Create Process with Token
1Event Triggered Execution
1Component Object Model Hijacking
1Defense Evasion
Access Token Manipulation
1Create Process with Token
1Indicator Removal
1File Deletion
1Virtualization/Sandbox Evasion
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
1Credentials in Registry
1