Analysis
-
max time kernel
147s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
08/04/2025, 07:23
General
-
Target
2025-04-08_2f14d6dd2298a92af1b883639fed0e2c_black-basta_luca-stealer.exe
-
Size
4.3MB
-
MD5
2f14d6dd2298a92af1b883639fed0e2c
-
SHA1
838f5d270213f02b55cd40c566ba262bccc18a66
-
SHA256
99d036951078089b1f7346cf18b19bffa75fe84c1ca61507b86f811e92644c0e
-
SHA512
4c007e574610a733e36c735722f8e10ed9859b124514815a177795afb4a3f4814531c29a41a09976d8879e926a15117a7de889851ef28ca2900e826a31b62fce
-
SSDEEP
98304:c7rZW1xfGXRRyKVdRQlIDcfkHUI8cJYNx29nYIrMNctNZWChP9:cM1xfeXKQcfkH8cYNfIOctNL1
Malware Config
Signatures
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
Rms family
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
-
ASPack v2.12-2.42 2 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 9 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 16 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 1 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies registry class 1 IoCs
-
Runs .reg file with regedit 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-04-08_2f14d6dd2298a92af1b883639fed0e2c_black-basta_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2025-04-08_2f14d6dd2298a92af1b883639fed0e2c_black-basta_luca-stealer.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\1bat.bat" "2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\1.sfx.exe1.sfx.exe -p123 -dc:\3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\1.exe"C:\1.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\System\install.vbs"5⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\System\install.bat" "6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rutserv.exe7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im rfusclient.exe7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKLM\SYSTEM\Remote Manipulator System" /f7⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\regedit.exeregedit /s "regedit.reg"7⤵
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\timeout.exetimeout 27⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Program Files (x86)\System\rutserv.exerutserv.exe /silentinstall7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\System\rutserv.exerutserv.exe /firewall7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\System\rutserv.exerutserv.exe /start7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
-
-
C:\Program Files (x86)\System\rutserv.exe"C:\Program Files (x86)\System\rutserv.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\System\rfusclient.exe"C:\Program Files (x86)\System\rfusclient.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\System\rfusclient.exe"C:\Program Files (x86)\System\rfusclient.exe" /tray3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: SetClipboardViewer
-
-
-
C:\Program Files (x86)\System\rfusclient.exe"C:\Program Files (x86)\System\rfusclient.exe" /tray2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.9MB
MD521e526167230e72dc0a89ad2d3904026
SHA147a553ea64603ee1206b47461c17636f827ae903
SHA256ace046cf6dcf04f651f12015482df52e4cbf480c8d05225adccf5d5892e491bf
SHA5122880e9c7ab55982213995e09d4f6407516dcd867c02145db73027a9547cc23c5e8008cc2d66933d754b6de1fcab297cd98671f1e410e2498116565a97a2d8979
-
Filesize
4.2MB
MD5e0687547b0f435233f0c3f9262d8539f
SHA18c5e05af2a778709d4ecf23a45472418a065d1d0
SHA256cc3460e25abaa7fac19bf1479e3a6b6fbf470db615c1b5063d80ba40cf64e6a6
SHA51276e4c3c2262cbdc8be574a5ce645edc0bade535978af53c7f8ed8ab64681c0eee8ca5f08b2cecaf1c8e9b7ff362b1916305475f8e88193d35f58acb06d4aec1e
-
Filesize
21B
MD5fee0aa6ca4a2cf3261ef4355e5eaad3e
SHA17ec388fb3b5df4ab9cbe7690a3e90f3fd4bb3042
SHA256c0d81ffe9fae212d837bf8b4357075f3ffb83508f174c2a7dec0972f48b5865f
SHA512913eba104ccad43e42998ef7c8b06c2d1160e6deeeb03ed5694ad4c304491f364bee8a7840d977ed1a90551fff82e167d2b9e082a1b0aae7085a1e110472678f
-
Filesize
480B
MD599db27d776e103cad354b531ee1f20b9
SHA10b82d146df8528f66d1d14756f211fd3a8b1b91a
SHA256240020a1a1941d1455135b5cb134e502a13b148be16cbb1552482aa03c29f8f3
SHA512bc2ed33495c0a752397b2f1b9b7ba65f94ea5be82dde74c618342c83b68f1b92a4783b672cd427843533799e1af0875e0fd000b12236852e9e2fa93005d7ac69
-
Filesize
117B
MD565fc32766a238ff3e95984e325357dbb
SHA13ac16a2648410be8aa75f3e2817fbf69bb0e8922
SHA256a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420
SHA512621e81fc2d0f9dd92413481864638a140bee94c7dbd31f944826b21bd6ad6b8a59e63de9f7f0025cffc0efb7f9975dde77f523510ee23ada62c152a63a22f608
-
Filesize
11KB
MD5a69bf7aca8b78f60cb1009034b42f533
SHA1fbc9e30bc30d6eb4f5069f1c896b5b2e418b6c86
SHA2563d8bfe245670be69bafbaf3e90124c04577e9e31a811957ab89f37341dcbe151
SHA512d364d3455e78d4ec9a420104c179fdabe658e943a8168034f85df3ec7f0afce2f785f8ec5ed96f79563acb2e061bf4ed7a4941155c5abf7bafb9846ff80c7f9a
-
Filesize
1.5MB
MD5b8667a1e84567fcf7821bcefb6a444af
SHA19c1f91fe77ad357c8f81205d65c9067a270d61f0
SHA256dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9
SHA512ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852
-
Filesize
1.7MB
MD537a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
Filesize
155KB
MD588318158527985702f61d169434a4940
SHA13cc751ba256b5727eb0713aad6f554ff1e7bca57
SHA2564c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74
SHA5125d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff
-
Filesize
593KB
MD56298c0af3d1d563834a218a9cc9f54bd
SHA10185cd591e454ed072e5a5077b25c612f6849dc9
SHA25681af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172
SHA512389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB