lucastealer | aa81e05891c90b33acbe6b5d98cb3687962c482f07c51e63a7e2a6a88a8c981b

General

Target

aa81e05891c90b33acbe6b5d98cb3687962c482f07c51e63a7e2a6a88a8c981b.exe
Size

1.4MB
MD5

ac12bfba4cb13f6a276b3827d579df2c
SHA1

72d2150dc185c8535c232ab5f9a801597f032c94
SHA256

aa81e05891c90b33acbe6b5d98cb3687962c482f07c51e63a7e2a6a88a8c981b
SHA512

5f35bb387ca6fe4dae991551a2ede965e80721ae7ac63aa8fc501baabc56bec1bb9afa163ad6f5ff8905211cf8e95dd20e11626f27081219e7dbfd1decf3d0bc
SSDEEP

24576:tlKsg4lu6ryQLgQ9+UMwwKMebhkY5UnML5ztunJOZI0sPl0898NCusBVFpbJU7rI:tlKIu6rLP9+UMn8hkY2VJOI06XEEBVvU

Score

10^/10

lucastealer credential_access execution spyware stealer upx

Malware Config

Signatures

Luca Stealer
Info stealer written in Rust first seen in July 2022.
stealer lucastealer

Luca Stealer payload 2 IoCs

resource	yara_rule
behavioral2/memory/5200-146-0x00007FF6795A0000-0x00007FF6798BF000-memory.dmp	family_lucastealer
behavioral2/memory/5200-149-0x00007FF6795A0000-0x00007FF6798BF000-memory.dmp	family_lucastealer

Lucastealer family
lucastealer
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5200-0-0x00007FF6795A0000-0x00007FF6798BF000-memory.dmp	upx
behavioral2/memory/5200-146-0x00007FF6795A0000-0x00007FF6798BF000-memory.dmp	upx
behavioral2/memory/5200-149-0x00007FF6795A0000-0x00007FF6798BF000-memory.dmp	upx

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2040	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2040	powershell.exe
2040	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	powershell.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 5200 wrote to memory of 2040	5200	aa81e05891c90b33acbe6b5d98cb3687962c482f07c51e63a7e2a6a88a8c981b.exe	80
PID 5200 wrote to memory of 2040	5200	aa81e05891c90b33acbe6b5d98cb3687962c482f07c51e63a7e2a6a88a8c981b.exe	80

C:\Users\Admin\AppData\Local\Temp\aa81e05891c90b33acbe6b5d98cb3687962c482f07c51e63a7e2a6a88a8c981b.exe
"C:\Users\Admin\AppData\Local\Temp\aa81e05891c90b33acbe6b5d98cb3687962c482f07c51e63a7e2a6a88a8c981b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "Get-Culture | Select -ExpandProperty DisplayName"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2040

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b5cmsa00.nwt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\centbrowser_default_login_data

Filesize
40KB

MD5
dfd4f60adc85fc874327517efed62ff7

SHA1
f97489afb75bfd5ee52892f37383fbc85aa14a69

SHA256
c007da2e5fd780008f28336940b427c3bfd509c72a40bfb7759592149ff3606e

SHA512
d76f75b1b5b23aa4f87c53ce44c3d3b7e41a44401e53d89f05a114600ea3dcd8beda9ca1977b489ac6ea5586cf26e47396e92d4796c370e89fab0aa76f38f3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\centbrowser_default_webdata

Filesize
130KB

MD5
55f4988067bd752fa4630c49ea12e0ee

SHA1
cc8415aef53536c84454c74f2e96cf5ac7d541cc

SHA256
2120a546b1f56040897ad9c2aca413be86393b37ab9174f29f65fb24ffa7aaf4

SHA512
28ae34671be4d3667bde095aa3a97ae3e597eaf326db92777576a50defe6907f508efc2596f1c26387981135f6829462392518af617dd6ae2e1a5bb682c0debd

Download Submit
C:\Users\Admin\AppData\Local\Temp\centbrowser_network_cookies

Filesize
20KB

MD5
b9100f84900bf43da014190781dace82

SHA1
a12292980fa87277472e104ca016c27630b18e13

SHA256
7d1c6b9bd97dd52a92c489599c8ed529e4c8ade8c7f9b93b7d6662b7a2d5f327

SHA512
9d82b8c9e2810729bddd9c15ebb63db7ef525e87f64473683507721b0b561d18b4a0812bedb332c3cd5089587211c66cbb1fb833aef46366656e086d351d1b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\iu80BameO8oMrIcLUzpAJF5ZaNGJxU\sensfiles.zip

Filesize
2.1MB

MD5
ef21da40254fae4d265aca1356356dcc

SHA1
712709c4ba3c661b89067833fa71a2101268f0df

SHA256
4cbfc36bf14a2638f806ffdcab0c521d5541eae8e651bfd173f18ab9cb9c5718

SHA512
3b1c0c83311a6730d661ac578ba91a39c2f030a37a118f7dec54c328fbba0f3069fd7044abb03f52ed2611d2486de36d841d2bf6ee677b17d5505713cb4c81d6

Download Submit
memory/2040-10-0x00000249B6A90000-0x00000249B6AB2000-memory.dmp

Filesize
136KB

Download
memory/2040-13-0x00007FFA788B0000-0x00007FFA79372000-memory.dmp

Filesize
10.8MB

Download
memory/2040-17-0x00007FFA788B0000-0x00007FFA79372000-memory.dmp

Filesize
10.8MB

Download
memory/2040-12-0x00007FFA788B0000-0x00007FFA79372000-memory.dmp

Filesize
10.8MB

Download
memory/2040-11-0x00007FFA788B0000-0x00007FFA79372000-memory.dmp

Filesize
10.8MB

Download
memory/2040-1-0x00007FFA788B3000-0x00007FFA788B5000-memory.dmp

Filesize
8KB

Download
memory/5200-0-0x00007FF6795A0000-0x00007FF6798BF000-memory.dmp

Filesize
3.1MB

Download
memory/5200-146-0x00007FF6795A0000-0x00007FF6798BF000-memory.dmp

Filesize
3.1MB

Download
memory/5200-149-0x00007FF6795A0000-0x00007FF6798BF000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing