win.luca_stealer

Luca Stealer


According to PCRisk, the Luca stealer can extract a variety of information from compromised machines. It targets data related to the following: operating system, device name, CPUs, desktop environment, network interface, user account name, preferred system language, running processes, etc.

This malicious program can steal information from over thirty Chromium-based browsers. From these applications, Luca can obtain Internet cookies, account log-in credentials (usernames/passwords), and credit card numbers. Additionally, the stealer can extract data from password manager and cryptowallet browser extensions compatible with over twenty browsers.

This malware also targets various messaging applications like Telegram, Discord, ICQ, Skype, Element, etc. It likewise aims to acquire information from gaming-related software such as Steam and Uplay (Ubisoft Connect). Furthermore, some versions of Luca can take screenshots and download the files stored on victims' devices.

References
2022-08-18 — Blackberry — The BlackBerry Research & Intelligence Team
@online{team:20220818:luca:4650d1f, author = {The BlackBerry Research & Intelligence Team}, title = {{Luca Stealer Targets Password Managers and Cryptocurrency Wallets}}, date = {2022-08-18}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/08/luca-stealer-targets-password-managers-and-cryptocurrency-wallets}, language = {English}, urldate = {2022-08-22} } Luca Stealer Targets Password Managers and Cryptocurrency Wallets
Luca Stealer
Yara Rules
[TLP:WHITE] win_luca_stealer_auto (20230407 | Detects win.luca_stealer.)
rule win_luca_stealer_auto {
    // Auto-generated (yara-signator) code-pattern rule for the Luca Stealer
    // family as catalogued by Malpedia (win.luca_stealer). It matches on short
    // instruction-byte sequences lifted from disassembly rather than on
    // strings or imports, so it is tied to the specific sample(s) the
    // generator saw (see DISCLAIMER below).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.luca_stealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // "callsandjumps" / "datarefs" record which byte classes were
        // wildcarded; "binvalue" is the generator's scoring mode.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.luca_stealer"
        malpedia_rule_date = "20230328"
        // Hash of the Malpedia sample set the rule was generated against.
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of x86-64 instruction bytes. The "??"
        // wildcards mask the displacement/immediate bytes of calls, jumps and
        // RIP-relative memory references (e8 ...., e9 ...., ff15 ....,
        // 488b3d ....), which vary between builds and load addresses.
        // "n" is the number of instructions in the sequence; "score" is the
        // generator-assigned weight (100 for every sequence here).
        //
        // NOTE(review): the mnemonic column of the per-byte annotations below
        // does not line up with the hex on the same line (e.g. "eb21" encodes
        // a short jmp, and leading 48/4c/4d/41 bytes are REX prefixes that the
        // annotations render as 32-bit "dec"/"inc"). The hex is what YARA
        // matches on; treat the annotations as a generator artifact rather
        // than as authoritative disassembly.
        $sequence_0 = { eb21 832300 488bce 488bd7 e8???????? 448bc8 4c8bc3 }
            // n = 7, score = 100
            //   eb21                 | dec                 ecx
            //   832300               | mov                 dword ptr [ebp + 0xb0], edi
            //   488bce               | dec                 ecx
            //   488bd7               | lea                 eax, [ebp + 0x860]
            //   e8????????           |                     
            //   448bc8               | dec                 eax
            //   4c8bc3               | mov                 dword ptr [esp + 0x38], eax

        $sequence_1 = { ff15???????? 488bf0 4885c0 744e 488b3d???????? 488bd8 eb39 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   488bf0               | test                ecx, ecx
            //   4885c0               | jne                 0x263
            //   744e                 | dec                 eax
            //   488b3d????????       |                     
            //   488bd8               | lea                 edx, [0x252ee2]
            //   eb39                 | dec                 esp

        $sequence_2 = { e9???????? 488d5c2440 4889d9 4c89fa 4d89f0 e8???????? 488b03 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   488d5c2440           | dec                 eax
            //   4889d9               | mov                 edi, dword ptr [esp + 0x68]
            //   4c89fa               | jne                 0x1e65
            //   4d89f0               | dec                 eax
            //   e8????????           |                     
            //   488b03               | lea                 eax, [esp + 0x70]

        $sequence_3 = { fe4330 4889d9 e8???????? 4889c6 48897c2460 4c89642468 0f28842410020000 }
            // n = 7, score = 100
            //   fe4330               | movaps              xmm0, xmmword ptr [esp + 0x40]
            //   4889d9               | movaps              xmmword ptr [esp + 0xc0], xmm0
            //   e8????????           |                     
            //   4889c6               | dec                 eax
            //   48897c2460           | mov                 eax, dword ptr [esp + 0x50]
            //   4c89642468           | dec                 eax
            //   0f28842410020000     | mov                 dword ptr [esp + 0xd0], eax

        $sequence_4 = { e8???????? ffc7 488d5b10 413b7e14 7cec 498bce e8???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   ffc7                 | dec                 ecx
            //   488d5b10             | add                 esi, 8
            //   413b7e14             | inc                 esp
            //   7cec                 | cmp                 edi, dword ptr [edi + 0x21c]
            //   498bce               | jl                  0xaa9
            //   e8????????           |                     

        $sequence_5 = { ff4024 488b0b 397924 7506 ff4128 488b0b 397920 }
            // n = 7, score = 100
            //   ff4024               | jmp                 0x177
            //   488b0b               | dec                 esp
            //   397924               | mov                 ecx, ebp
            //   7506                 | dec                 ebp
            //   ff4128               | mov                 eax, esp
            //   488b0b               | mov                 edx, 0x2c
            //   397920               | dec                 eax

        $sequence_6 = { e8???????? 4883655800 488b4510 8a8c2480000000 888c24b0000000 8b7c2470 488b5c2458 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   4883655800           | inc                 esp
            //   488b4510             | mov                 ecx, dword ptr [ebp - 0x40]
            //   8a8c2480000000       | dec                 eax
            //   888c24b0000000       | arpl                bx, ax
            //   8b7c2470             | dec                 ecx
            //   488b5c2458           | mov                 ebx, ebx

        $sequence_7 = { eb3f 4d85c9 7405 448b0a eb03 448bcb 488b4c2448 }
            // n = 7, score = 100
            //   eb3f                 | xor                 eax, eax
            //   4d85c9               | test                al, al
            //   7405                 | dec                 eax
            //   448b0a               | mov                 dword ptr [esp + 0x28], esi
            //   eb03                 | dec                 esp
            //   448bcb               | mov                 ecx, esp
            //   488b4c2448           | dec                 eax

        $sequence_8 = { f348a5 488d8c24400f0000 e8???????? 4c89ac24400f0000 b90f000000 488dbc24480f0000 4889ee }
            // n = 7, score = 100
            //   f348a5               | mov                 eax, dword ptr [edi + 0x98]
            //   488d8c24400f0000     | mov                 edx, dword ptr [ebp - 0x58]
            //   e8????????           |                     
            //   4c89ac24400f0000     | dec                 ecx
            //   b90f000000           | mov                 ecx, esi
            //   488dbc24480f0000     | inc                 ecx
            //   4889ee               | mov                 ebx, dword ptr [esi + 0x98]

        $sequence_9 = { eb07 c686b80100000b 33c0 488b9c2498000000 4883c450 415f 415e }
            // n = 7, score = 100
            //   eb07                 | inc                 ecx
            //   c686b80100000b       | pop                 esi
            //   33c0                 | pop                 edi
            //   488b9c2498000000     | pop                 esi
            //   4883c450             | dec                 eax
            //   415f                 | mov                 ebx, dword ptr [esp + 0x570]
            //   415e                 | dec                 eax

    condition:
        // Any 7 of the 10 sequences must be present, presumably to tolerate a
        // few sequences being compiled differently in other builds while still
        // requiring a majority of the code fingerprints. The filesize cap
        // (9285632 bytes, roughly 8.9 MiB) is a cheap pre-filter that keeps
        // the byte search off large unrelated files.
        // Because the patterns were taken from memory dumps / unpacked files
        // (see DISCLAIMER), a packed on-disk sample is not expected to match
        // until it is unpacked or dumped from memory.
        7 of them and filesize < 9285632
}