win.luca_stealer

Luca Stealer


An information stealer written in Rust.

References
2022-08-18 — Blackberry — The BlackBerry Research & Intelligence Team
@online{team:20220818:luca:4650d1f, author = {The BlackBerry Research & Intelligence Team}, title = {{Luca Stealer Targets Password Managers and Cryptocurrency Wallets}}, date = {2022-08-18}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/08/luca-stealer-targets-password-managers-and-cryptocurrency-wallets}, language = {English}, urldate = {2022-08-22} }
Luca Stealer Targets Password Managers and Cryptocurrency Wallets
Luca Stealer
Yara Rules
[TLP:WHITE] win_luca_stealer_auto (20221125 | Detects win.luca_stealer.)
/*
 * win_luca_stealer_auto: autogenerated code-sequence signature for the
 * Luca Stealer family (win.luca_stealer). Each $sequence_N string is a run
 * of x86-64 (REX-prefixed) opcode bytes lifted from disassembled samples;
 * the rule fires when at least 7 of the 10 sequences occur in a file that
 * is under the size cap in the condition. Generated from a limited sample
 * set (see DISCLAIMER), so treat a hit as a medium-confidence indicator
 * and corroborate with other evidence.
 */
rule win_luca_stealer_auto {

    meta:
        // Provenance metadata: generator version/config, Malpedia reference,
        // rule/sample dates, license and sharing level.
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.luca_stealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.luca_stealer"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        /* NOTE(review): the mnemonic column in the per-byte comments below does
         * not line up with the opcode bytes it is printed next to (e.g. eb0a is
         * a short jmp, not "inc ecx"; 41/48/49/4c/4d are REX prefixes in 64-bit
         * code, not inc/dec). The hex patterns are authoritative; treat the
         * annotations as unreliable when reasoning about what a hit means.
         * Bytes shown as ???????? are wildcards: rel32 call/jmp targets
         * (e8/e9) and RIP-relative displacements that differ between builds. */
        $sequence_0 = { eb0a f6471280 7504 6683e914 4d85f6 7416 6641395e10 }
            // n = 7, score = 100
            //   eb0a                 | inc                 ecx
            //   f6471280             | push                esi
            //   7504                 | ret                 
            //   6683e914             | mov                 ecx, 0x68
            //   4d85f6               | mov                 edx, 8
            //   7416                 | ud2                 
            //   6641395e10           | inc                 ecx

        $sequence_1 = { e9???????? 8b8388090000 899138090000 488b89e0080000 483bc1 7709 4c8d0d10742400 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   8b8388090000         | mov                 ecx, dword ptr [esp + 0x40]
            //   899138090000         | dec                 ecx
            //   488b89e0080000       | cmp                 edx, esi
            //   483bc1               | dec                 eax
            //   7709                 | cmovbe              edi, edx
            //   4c8d0d10742400       | shl                 al, 3

        $sequence_2 = { e8???????? 488bf8 4885c0 7464 6685f6 7857 66413b7734 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488bf8               | dec                 eax
            //   4885c0               | mov                 eax, dword ptr [ebp + 0x20]
            //   7464                 | dec                 eax
            //   6685f6               | cmp                 eax, 2
            //   7857                 | jb                  0x1d9e
            //   66413b7734           | mov                 ebx, dword ptr [esp + 0x2c]

        $sequence_3 = { ff5060 0fbae00a 0f823b010000 488b06 ba02000000 488bce ff5028 }
            // n = 7, score = 100
            //   ff5060               | mov                 edx, dword ptr [esp + 0xa0]
            //   0fbae00a             | dec                 eax
            //   0f823b010000         | mov                 ecx, ebx
            //   488b06               | dec                 esp
            //   ba02000000           | mov                 edi, dword ptr [esp + 0xa8]
            //   488bce               | inc                 ebp
            //   ff5028               | xor                 edx, edx

        $sequence_4 = { c60100 e9???????? 4c8d05081b2800 eb1c 4c8d052f1b2800 ba08000000 48c7c1ffffffff }
            // n = 7, score = 100
            //   c60100               | inc                 ebp
            //   e9????????           |                     
            //   4c8d05081b2800       | mov                 ecx, edi
            //   eb1c                 | dec                 eax
            //   4c8d052f1b2800       | mov                 ecx, dword ptr [esp + 0x58]
            //   ba08000000           | test                esi, esi
            //   48c7c1ffffffff       | je                  0x675

        $sequence_5 = { e8???????? 48833b00 7411 4c8b6c2438 e9???????? 4c8b6c2438 eb53 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   48833b00             | dec                 edx
            //   7411                 | lea                 ecx, [esi + ecx]
            //   4c8b6c2438           | dec                 esp
            //   e9????????           |                     
            //   4c8b6c2438           | mov                 ecx, dword ptr [edx]
            //   eb53                 | dec                 esp

        $sequence_6 = { e9???????? 488b09 e8???????? 4c8bf0 4885c0 7415 41b801000000 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   488b09               | mov                 edx, 8
            //   e8????????           |                     
            //   4c8bf0               | dec                 eax
            //   4885c0               | mov                 ecx, esi
            //   7415                 | dec                 ecx
            //   41b801000000         | mov                 dword ptr [esi + 8], edi

        $sequence_7 = { fec8 0fb6c0 88411f 8b9c81d8000000 4489442420 448bcb 448b8424d0000000 }
            // n = 7, score = 100
            //   fec8                 | mov                 edx, edi
            //   0fb6c0               | dec                 ebp
            //   88411f               | mov                 eax, edi
            //   8b9c81d8000000       | mov                 edx, dword ptr [esi + 0xc]
            //   4489442420           | dec                 eax
            //   448bcb               | mov                 ecx, ebx
            //   448b8424d0000000     | dec                 eax

        $sequence_8 = { ff9088000000 894308 85c0 7419 488d15bacb2400 498bce e8???????? }
            // n = 7, score = 100
            //   ff9088000000         | inc                 esp
            //   894308               | mov                 byte ptr [esp + 0x120], dh
            //   85c0                 | dec                 eax
            //   7419                 | mov                 eax, dword ptr [esp + 0x700]
            //   488d15bacb2400       | dec                 eax
            //   498bce               | test                eax, eax
            //   e8????????           |                     

        $sequence_9 = { f20f591d???????? 498b4610 418b0e 482bf0 f2410f5e5e08 f20f581d???????? f20f591d???????? }
            // n = 7, score = 100
            //   f20f591d????????     |                     
            //   498b4610             | dec                 eax
            //   418b0e               | add                 esi, 0x2b0
            //   482bf0               | dec                 eax
            //   f2410f5e5e08         | mov                 ecx, esi
            //   f20f581d????????     |                     
            //   f20f591d????????     |                     

    condition:
        // Match when at least 7 of the 10 $sequence_* strings are present.
        // The filesize cap (9285632 bytes, ~8.9 MB) bounds scan cost and
        // excludes oversized files from consideration; raise it deliberately
        // if samples of this family are observed above that size.
        7 of them and filesize < 9285632
}