win.luca_stealer

Luca Stealer


According to PCRisk, the Luca stealer can extract a variety of information from compromised machines. It targets data related to the following: operating system, device name, CPUs, desktop environment, network interface, user account name, preferred system language, running processes, etc.

This malicious program can steal information from over thirty Chromium-based browsers. From these applications, Luca can obtain Internet cookies, account log-in credentials (usernames/passwords), and credit card numbers. Additionally, the stealer can extract data from password manager and cryptowallet browser extensions compatible with over twenty browsers.

This malware also targets various messaging applications like Telegram, Discord, ICQ, Skype, Element, etc. It likewise aims to acquire information from gaming-related software such as Steam and Uplay (Ubisoft Connect). Furthermore, some versions of Luca can take screenshots and download the files stored on victims' devices.

References
2022-08-18 | Blackberry | The BlackBerry Research & Intelligence Team
Luca Stealer Targets Password Managers and Cryptocurrency Wallets
Luca Stealer
Yara Rules
[TLP:WHITE] win_luca_stealer_auto (20230808 | Detects win.luca_stealer.)
rule win_luca_stealer_auto {
    // Autogenerated code-pattern rule for win.luca_stealer (provenance in meta).
    // It matches runs of instruction bytes selected from the disassembly of
    // memory dumps and unpacked files (see DISCLAIMER), not strings or
    // behaviour, so assign confidence with the generation method in mind.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.luca_stealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.luca_stealer"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of n = 7 consecutive instructions (see the
        // "n = 7, score = 100" line under it). Bytes written as ?? are
        // wildcards; wherever they appear below they follow a call/jmp opcode
        // (e8, e9, ff15), i.e. the relative target that varies between builds
        // is masked out while the opcode itself is still required.
        // NOTE(review): the mnemonic column beside each byte string does not
        // line up with the bytes (e.g. 488bf8 is annotated "dec eax", which is
        // the 32-bit decode of the 0x48 REX prefix of a 64-bit instruction).
        // Treat the hex as authoritative and the mnemonics as indicative only.
        $sequence_0 = { e8???????? 488bf8 81e7ffffff3f 498b4e60 488b5910 4885db 7452 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   488bf8               | dec                 eax
            //   81e7ffffff3f         | lea                 eax, [esi + ecx]
            //   498b4e60             | dec                 eax
            //   488b5910             | mov                 dword ptr [esp + 0x188], eax
            //   4885db               | mov                 eax, 0xb8
            //   7452                 | dec                 eax

        $sequence_1 = { f645ef02 741d 807df101 7417 b201 488d4de7 e8???????? }
            // n = 7, score = 100
            //   f645ef02             | dec                 eax
            //   741d                 | mov                 ecx, edi
            //   807df101             | mov                 ebx, eax
            //   7417                 | test                esi, esi
            //   b201                 | jne                 0xddc
            //   488d4de7             | dec                 ebp
            //   e8????????           |                     

        $sequence_2 = { eb06 4531c0 4889d0 48c7837802000002000000 44888380020000 c6838102000000 48898388020000 }
            // n = 7, score = 100
            //   eb06                 | mov                 dword ptr [eax], ebp
            //   4531c0               | inc                 ecx
            //   4889d0               | cmp                 byte ptr [esp], 0xb2
            //   48c7837802000002000000     | jne    0x120
            //   44888380020000       | dec                 eax
            //   c6838102000000       | test                ebp, ebp
            //   48898388020000       | dec                 eax

        $sequence_3 = { e8???????? 498b0f 498b4708 4983670800 4885c0 740f 4883c420 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   498b0f               | lea                 eax, [edi + 1]
            //   498b4708             | mov                 dword ptr [esp + 0x28], eax
            //   4983670800           | mov                 edx, 0x86
            //   4885c0               | inc                 esp
            //   740f                 | mov                 eax, dword ptr [esp + 0x44]
            //   4883c420             | inc                 ebp

        $sequence_4 = { ff15???????? 894530 85c0 0f842b520000 488dbd501f0000 8b0f e8???????? }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   894530               | dec                 ebp
            //   85c0                 | mov                 eax, dword ptr [edi + 0x10]
            //   0f842b520000         | xor                 esi, esi
            //   488dbd501f0000       | jmp                 0x1dd
            //   8b0f                 | dec                 esp
            //   e8????????           |                     

        $sequence_5 = { e8???????? 85c0 0f85be000000 488bcb e8???????? 488b8798090000 498bce }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85c0                 | lea                 esi, [0x286b3b]
            //   0f85be000000         | dec                 eax
            //   488bcb               | mov                 dword ptr [esp + 0x20], esi
            //   e8????????           |                     
            //   488b8798090000       | dec                 eax
            //   498bce               | lea                 edx, [0x286b28]

        $sequence_6 = { e8???????? 85c0 740c 488b0b 8a0439 2c3a 3c01 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   85c0                 | xor                 edi, edi
            //   740c                 | cmp                 al, 0x22
            //   488b0b               | jne                 0x2f8e
            //   8a0439               | dec                 eax
            //   2c3a                 | inc                 dword ptr [ebx + 0x10]
            //   3c01                 | dec                 eax

        $sequence_7 = { e9???????? 488d3515b8d8ff eb03 4d03fd 410fb607 4484ac30009e4100 75ef }
            // n = 7, score = 100
            //   e9????????           |                     
            //   488d3515b8d8ff       | dec                 eax
            //   eb03                 | mov                 esi, eax
            //   4d03fd               | dec                 eax
            //   410fb607             | mov                 ebx, edx
            //   4484ac30009e4100     | dec                 eax
            //   75ef                 | test                edx, edx

        $sequence_8 = { e9???????? b009 eb4f 488b842490000000 66c7000109 e9???????? 488db424e0000000 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   b009                 | mov                 eax, dword ptr [esp + 0x38]
            //   eb4f                 | jmp                 0x214
            //   488b842490000000     | dec                 eax
            //   66c7000109           | test                edi, edi
            //   e9????????           |                     
            //   488db424e0000000     | je                  0x211

        $sequence_9 = { eb86 e8???????? 0f0b 4157 4156 4155 4154 }
            // n = 7, score = 100
            //   eb86                 | mov                 ecx, 5
            //   e8????????           |                     
            //   0f0b                 | dec                 eax
            //   4157                 | mov                 ecx, esi
            //   4156                 | dec                 eax
            //   4155                 | mov                 edx, edi
            //   4154                 | dec                 esp

    condition:
        // At least 7 of the 10 $sequence_N patterns must be present, and the
        // scanned object must be smaller than 9285632 bytes (just under 9 MiB);
        // larger inputs are rejected by the size guard regardless of content.
        7 of them and filesize < 9285632
}