Windows Analysis Report
SecuriteInfo.com.Variant.Tedy.308647.10806.1440.exe
Overview
General Information
Detection
Luca Stealer
Score | Range | Whitelisted | Confidence |
---|---|---|---|
76 | 0 - 100 | false | 100% |
Signatures
Multi AV Scanner detection for submitted file
Yara detected Luca Stealer
Tries to steal Crypto Currency Wallets
Uses the Telegram API (likely for C&C communication)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to record screenshots
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- SecuriteInfo.com.Variant.Tedy.308647.10806.1440.exe (PID: 6044, cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.308647.10806.1440.exe, MD5: CD12CB026F70700B6D7D3122360C52E8)
  - powershell.exe (PID: 1304, cmdline: powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "Get-Culture | Select -ExpandProperty DisplayName, MD5: 95000560239032BC68B4C2FDFCDEF913)
    - conhost.exe (PID: 6032, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cleanup
{"C2 url": "https://api.telegram.org/bot5749635914:AAHO1FmA3UVCNqptBOADqQF-cFGUoMOYe6g"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security | |
No Sigma rule has matched
No Snort rule has matched
AV Detection
- Source: ReversingLabs
- Source: Virustotal
- Source: Malware Configuration Extractor
- Source: Code function: 0_2_00007FF768C7C0A0
- Source: Code function: 0_2_00007FF768B8E216
- Source: Code function: 0_2_00007FF768C75B40
- Source: Code function: 0_2_00007FF768BFB06A
- Source: Code function: 0_2_00007FF768BAF15D
- Source: HTTPS traffic detected
- Source: Static PE information
- Source: Code function: 0_2_00007FF768C67140
Networking