lucastealer | aa81e05891c90b33acbe6b5d98cb3687962c482f07c51e63a7e2a6a88a8c981b

General

Target

aa81e05891c90b33acbe6b5d98cb3687962c482f07c51e63a7e2a6a88a8c981b.exe
Size

1.4MB
MD5

ac12bfba4cb13f6a276b3827d579df2c
SHA1

72d2150dc185c8535c232ab5f9a801597f032c94
SHA256

aa81e05891c90b33acbe6b5d98cb3687962c482f07c51e63a7e2a6a88a8c981b
SHA512

5f35bb387ca6fe4dae991551a2ede965e80721ae7ac63aa8fc501baabc56bec1bb9afa163ad6f5ff8905211cf8e95dd20e11626f27081219e7dbfd1decf3d0bc
SSDEEP

24576:tlKsg4lu6ryQLgQ9+UMwwKMebhkY5UnML5ztunJOZI0sPl0898NCusBVFpbJU7rI:tlKIu6rLP9+UMn8hkY2VJOI06XEEBVvU

Score

10^/10

lucastealer credential_access execution spyware stealer upx

Malware Config

Signatures

Luca Stealer
Info stealer written in Rust first seen in July 2022.
stealer lucastealer

Luca Stealer payload 2 IoCs

resource	yara_rule
behavioral1/memory/408-176-0x00007FF7BC7A0000-0x00007FF7BCABF000-memory.dmp	family_lucastealer
behavioral1/memory/408-179-0x00007FF7BC7A0000-0x00007FF7BCABF000-memory.dmp	family_lucastealer

Lucastealer family
lucastealer
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/408-0-0x00007FF7BC7A0000-0x00007FF7BCABF000-memory.dmp	upx
behavioral1/memory/408-176-0x00007FF7BC7A0000-0x00007FF7BCABF000-memory.dmp	upx
behavioral1/memory/408-179-0x00007FF7BC7A0000-0x00007FF7BCABF000-memory.dmp	upx

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1316	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1316	powershell.exe
1316	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1316	powershell.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 1316	408	aa81e05891c90b33acbe6b5d98cb3687962c482f07c51e63a7e2a6a88a8c981b.exe	90
PID 408 wrote to memory of 1316	408	aa81e05891c90b33acbe6b5d98cb3687962c482f07c51e63a7e2a6a88a8c981b.exe	90

C:\Users\Admin\AppData\Local\Temp\aa81e05891c90b33acbe6b5d98cb3687962c482f07c51e63a7e2a6a88a8c981b.exe
"C:\Users\Admin\AppData\Local\Temp\aa81e05891c90b33acbe6b5d98cb3687962c482f07c51e63a7e2a6a88a8c981b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "Get-Culture | Select -ExpandProperty DisplayName"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1316

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LqUl5sgiBedcqdGCbUyfEKpXqynogu\sensfiles.zip

Filesize
4.7MB

MD5
be5810686e5f4d16c51df4bfd4196642

SHA1
a6777f935414dc25570bbc88b022e9a6f4e71dfa

SHA256
c05535eded1f234c36b75f5ff35d16b2dc40fe750a75db60dd940369e75f2953

SHA512
d0e8de0a40988630b81d823f13b9169b48485245d7af196bd9191093d58a7e61559914b865483f09320f2ead2eadececd58696cecf2255d3e2e3a7b055f72753

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m0lwjpmg.53f.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bravesoftware_default_login_data

Filesize
40KB

MD5
dfd4f60adc85fc874327517efed62ff7

SHA1
f97489afb75bfd5ee52892f37383fbc85aa14a69

SHA256
c007da2e5fd780008f28336940b427c3bfd509c72a40bfb7759592149ff3606e

SHA512
d76f75b1b5b23aa4f87c53ce44c3d3b7e41a44401e53d89f05a114600ea3dcd8beda9ca1977b489ac6ea5586cf26e47396e92d4796c370e89fab0aa76f38f3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\bravesoftware_default_webdata

Filesize
130KB

MD5
446201d12119966f850d9c7d00436770

SHA1
cf3cc010ed95cb60044303b23e9d2f28dca81cc4

SHA256
44721c8f186f486e5685bfd14472f53b2bc5b68e258be80a5e0ecaabc43c94f4

SHA512
b5eaf0d9c3f258802fbab3e5a581a271389dcae2a9cac1a216a58d1e77ebda86bcc4acaf854dd139e1180385e1b88b07ca431c4be37f13da4d3ce57c69a23def

Download Submit
C:\Users\Admin\AppData\Local\Temp\bravesoftware_network_cookies

Filesize
20KB

MD5
febe8b30c72b9ed5786ae265ebaf844a

SHA1
010452344e00fcf8609b9df083803311efe683e9

SHA256
72d049174f8bb874a5db67735ce76cab400f25a72391ec557ef2720785b4c4ac

SHA512
01863fd726d2bb344f368673a31df809a58c810940200a8cf02d1be09ce92f1d097419fffabbada9651d2977948111e0916e2012d92974f96ce7c942ef01732e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mail.ru_default_login_data

Filesize
56KB

MD5
1c832d859b03f2e59817374006fe1189

SHA1
a4994a54e9f46a6c86ff92280c6dabe2bcd4cc42

SHA256
bb923abf471bb79086ff9ace293602e1ad882d9af7946dda17ff1c3a7e19f45b

SHA512
c4d3be414fa5dd30151cde9f6d808d56c26b031ff3f6446d21a15d071053787b6ba337b12909a56af7bb420f858dba5213f08e64ca9f836f52c98a18762b4bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\mail.ru_default_webdata

Filesize
228KB

MD5
ee463e048e56b687d02521cd12788e2c

SHA1
ee26598f8e8643df84711960e66a20ecbc6321b8

SHA256
3a07b3003758a79a574aa73032076567870389751f2a959537257070da3a10d8

SHA512
42b395bf6bd97da800385b9296b63a4b0edd7b3b50dc92f19e61a89235a42d37d204359b57d506e6b25ab95f16625cce035ed3b55ef2d54951c82332498dab0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mail.ru_network_cookies

Filesize
20KB

MD5
bf0586f8ed0cd60fbcf52c33c7d31f88

SHA1
1fa7dd05881b51cbcd2ceeeb9d1c5150af1cffe8

SHA256
b9184d4e6f0e9af36c294b41051e742173906090320ef79bde106544615e62b6

SHA512
e82c7e890ee6575a9f11de5eb2d9479fb33e11ca9e0a70a2eb1a498712dbce2b8d629d8e69e7df34ba4029aa91735217ae208920719c7baf4083862c2b93635d

Download Submit
memory/408-0-0x00007FF7BC7A0000-0x00007FF7BCABF000-memory.dmp

Filesize
3.1MB

Download
memory/408-176-0x00007FF7BC7A0000-0x00007FF7BCABF000-memory.dmp

Filesize
3.1MB

Download
memory/408-179-0x00007FF7BC7A0000-0x00007FF7BCABF000-memory.dmp

Filesize
3.1MB

Download
memory/1316-17-0x00007FFBB4C80000-0x00007FFBB5741000-memory.dmp

Filesize
10.8MB

Download
memory/1316-13-0x00007FFBB4C80000-0x00007FFBB5741000-memory.dmp

Filesize
10.8MB

Download
memory/1316-12-0x00007FFBB4C80000-0x00007FFBB5741000-memory.dmp

Filesize
10.8MB

Download
memory/1316-11-0x0000014317B90000-0x0000014317BB2000-memory.dmp

Filesize
136KB

Download
memory/1316-1-0x00007FFBB4C83000-0x00007FFBB4C85000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing