Windows Analysis Report
SecuriteInfo.com.Variant.Tedy.308647.10806.1440.exe

Overview

General Information

Sample Name:SecuriteInfo.com.Variant.Tedy.308647.10806.1440.exe
Analysis ID:822206
MD5:cd12cb026f70700b6d7d3122360c52e8
SHA1:b944514f2b56e27a9b5e26316f72fd9fec8aa94c
SHA256:70805738871f24f390c7b1e62e6b48bc4850399992d8b62bba3160550a0a3655
Tags:exeRustyStealer

Detection

Luca Stealer
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Luca Stealer
Tries to steal Crypto Currency Wallets
Uses the Telegram API (likely for C&C communication)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to record screenshots
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • SecuriteInfo.com.Variant.Tedy.308647.10806.1440.exe (PID: 6044 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.308647.10806.1440.exe MD5: CD12CB026F70700B6D7D3122360C52E8)
    • powershell.exe (PID: 1304 cmdline: powershell.exe" -NoProfile -NonInteractive -NoLogo -Command "Get-Culture | Select -ExpandProperty DisplayName MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"C2 url": "https://api.telegram.org/bot5749635914:AAHO1FmA3UVCNqptBOADqQF-cFGUoMOYe6g"}
Yara matches (file):

Source | Rule | Description | Author | Strings
SecuriteInfo.com.Variant.Tedy.308647.10806.1440.exe | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security |

Yara matches (memory dumps):

Source | Rule | Description | Author | Strings
00000000.00000003.271121352.000001C7F3912000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security |
00000000.00000003.271472602.000001C7F3912000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security |
00000000.00000002.272943427.00007FF768DC0000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security |
00000000.00000000.245071773.00007FF768DC0000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security |
Process Memory Space: SecuriteInfo.com.Variant.Tedy.308647.10806.1440.exe PID: 6044 | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security |

Yara matches (unpacked PEs):

Source | Rule | Description | Author | Strings
0.0.SecuriteInfo.com.Variant.Tedy.308647.10806.1440.exe.7ff768b70000.0.unpack | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security |
0.2.SecuriteInfo.com.Variant.Tedy.308647.10806.1440.exe.7ff768b70000.0.unpack | JoeSecurity_LucaStealer | Yara detected Luca Stealer | Joe Security |

No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: SecuriteInfo.com.Variant.Tedy.308647.10806.1440.exe | ReversingLabs: Detection: 23%
Source: SecuriteInfo.com.Variant.Tedy.308647.10806.1440.exe | Virustotal: Detection: 16%
Source: SecuriteInfo.com.Variant.Tedy.308647.10806.1440.exe | Malware Configuration Extractor: Luca Stealer {"C2 url": "https://api.telegram.org/bot5749635914:AAHO1FmA3UVCNqptBOADqQF-cFGUoMOYe6g"}
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.308647.10806.1440.exe | Code function: 0_2_00007FF768C7C0A0 BCryptGenRandom, 0_2_00007FF768C7C0A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.308647.10806.1440.exe | Code function: 0_2_00007FF768B8E216 CryptUnprotectData,GetLastError, 0_2_00007FF768B8E216
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.308647.10806.1440.exe | Code function: 0_2_00007FF768C75B40 BCryptOpenAlgorithmProvider,BCryptCloseAlgorithmProvider,BCryptGenRandom,SetLastError,GetFullPathNameW,GetLastError,GetLastError,memcmp,HeapFree,HeapFree,GetLastError,memcpy,HeapFree, 0_2_00007FF768C75B40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.308647.10806.1440.exe | Code function: 0_2_00007FF768BFB06A BCryptGenRandom,BCryptGenRandom, 0_2_00007FF768BFB06A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.308647.10806.1440.exe | Code function: 0_2_00007FF768BAF15D BCryptGenRandom,BCryptGenRandom,HeapFree, 0_2_00007FF768BAF15D
Source: unknown | HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.3:49696 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49699 version: TLS 1.2
Source: SecuriteInfo.com.Variant.Tedy.308647.10806.1440.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.308647.10806.1440.exe | Code function: 0_2_00007FF768C67140 memset,FindFirstFileW,FindClose,CloseHandle,HeapFree,HeapFree,HeapFree, 0_2_00007FF768C67140

Networking

Source: unknown