lucastealer | 0532caaaee1ea76a55ff35f707dfdf5491a8a52f3b6fe53fedba3d817f80a292

Analysis

max time kernel
100s
max time network
104s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
03/04/2025, 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rust-stealer-xss.exe
Size

5.8MB
MD5

cef223500250aef7b78ca318fe168e3e
SHA1

cb4e232f24800466cf6c7bf940046ef107075361
SHA256

0532caaaee1ea76a55ff35f707dfdf5491a8a52f3b6fe53fedba3d817f80a292
SHA512

49768813cc2c090753f0d9eed9a9bf31c75290c9dc1c3019071a1bbfc62a38d1fe04f3fec6c75e33dee5e67ae2fbc0390535a23483c0b5b4d185e8bca58f25a6
SSDEEP

98304:0li0YSy5dP26vytLqQF9UPAxaJhMFAn+nF:D0Cn26c9rxaJAm

Score

10^/10

lucastealer credential_access spyware stealer

Malware Config

Signatures

Luca Stealer
Info stealer written in Rust first seen in July 2022.
stealer lucastealer
Lucastealer family
lucastealer
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	rust-stealer-xss.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
708	rust-stealer-xss.exe
708	rust-stealer-xss.exe
708	rust-stealer-xss.exe
708	rust-stealer-xss.exe
708	rust-stealer-xss.exe
708	rust-stealer-xss.exe

C:\Users\Admin\AppData\Local\Temp\rust-stealer-xss.exe
"C:\Users\Admin\AppData\Local\Temp\rust-stealer-xss.exe"
1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\logsxc\cookies_Microsoft.txt

Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit
C:\Users\Admin\AppData\Local\logsxc\passwords_Microsoft.txt

Filesize
2B

MD5
e1c06d85ae7b8b032bef47e42e4c08f9

SHA1
71853c6197a6a7f222db0f1978c7cb232b87c5ee

SHA256
75a11da44c802486bc6f65640aa48a730f0f684c5c07a42ba3cd1735eb3fb070

SHA512
016ba8c4cfde65af99cb5fa8b8a37e2eb73f481b3ae34991666df2e04feb6c038666ebd1ec2b6f623967756033c702dde5f423f7d47ab6ed1827ff53783731f7

Download Submit