win.luca_stealer

Luca Stealer


According to PCRisk, the Luca stealer can extract a variety of information from compromised machines. It targets data related to the following: operating system, device name, CPUs, desktop environment, network interface, user account name, preferred system language, running processes, etc.

This malicious program can steal information from over thirty Chromium-based browsers. From these applications, Luca can obtain Internet cookies, account log-in credentials (usernames/passwords), and credit card numbers. Additionally, the stealer can extract data from password manager and cryptowallet browser extensions compatible with over twenty browsers.

This malware also targets various messaging applications like Telegram, Discord, ICQ, Skype, Element, etc. It likewise aims to acquire information from gaming-related software such as Steam and Uplay (Ubisoft Connect). Furthermore, some versions of Luca can take screenshots and download the files stored on victims' devices.

References
2022-08-18 — BlackBerry — The BlackBerry Research & Intelligence Team
Luca Stealer Targets Password Managers and Cryptocurrency Wallets
Luca Stealer
Yara Rules
[TLP:WHITE] win_luca_stealer_auto (20260504 | Detects win.luca_stealer.)
rule win_luca_stealer_auto {

    /* Autogenerated code-sequence signature for win.luca_stealer.
     * Matching is driven solely by the raw hex patterns under `strings:` and
     * the thresholds under `condition:`; everything in `meta:` is descriptive
     * and does not influence the match.
     */
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.luca_stealer."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.luca_stealer"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* NOTE(review): the mnemonic column printed beside each byte sequence does
     * not decode the bytes on the same row (e.g. `ffca` is `dec edx`, and the
     * `48`/`41` REX prefixes mark these as x86-64 sequences while the annotations
     * use 32-bit register names). Treat the annotations as unreliable commentary
     * and rely on the hex patterns. `??` is a YARA wildcard byte; here it masks
     * the 4-byte displacements of `e8`/`e9`/`ff15` call and jump encodings,
     * which vary with link-time layout.
     */
    strings:
        $sequence_0 = { ffca 4889f9 41b805000000 e8???????? 488d0d7f3d2a00 31c0 4883f813 }
            // n = 7, score = 100
            //   ffca                 | mov                 byte ptr [ecx], 0x22
            //   4889f9               | inc                 ecx
            //   41b805000000         | inc                 ecx
            //   e8????????           |                     
            //   488d0d7f3d2a00       | mov                 al, byte ptr [ecx]
            //   31c0                 | test                al, al
            //   4883f813             | jne                 0x6b7

        $sequence_1 = { e8???????? b900040000 4885c9 7411 488903 48895308 4883c310 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   b900040000           | cmp                 byte ptr [edi + 0xc], 1
            //   4885c9               | mov                 ebp, eax
            //   7411                 | test                eax, eax
            //   488903               | jne                 0x1e67
            //   48895308             | mov                 ecx, dword ptr [esp + 0x30]
            //   4883c310             | dec                 eax

        $sequence_2 = { e8???????? 498bcc 8bd8 e8???????? 448ba42488000000 85db 790e }
            // n = 7, score = 100
            //   e8????????           |                     
            //   498bcc               | je                  0xb3e
            //   8bd8                 | dec                 ecx
            //   e8????????           |                     
            //   448ba42488000000     | mov                 esi, dword ptr [ebp + 0x390]
            //   85db                 | inc                 ecx
            //   790e                 | mov                 esi, 1

        $sequence_3 = { e9???????? 48895c2408 4889742410 57 4883ec20 488b5930 488bf9 }
            // n = 7, score = 100
            //   e9????????           |                     
            //   48895c2408           | dec                 eax
            //   4889742410           | lea                 edx, [0x24d15a]
            //   57                   | inc                 ebp
            //   4883ec20             | mov                 eax, ebp
            //   488b5930             | dec                 eax
            //   488bf9               | lea                 ecx, [0x1ccfb9]

        $sequence_4 = { ff15???????? 33f6 48894310 4885c0 0f844e020000 488d4db0 4533c9 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   33f6                 | and                 ecx, ecx
            //   48894310             | mov                 ecx, dword ptr [ebp + 0x150]
            //   4885c0               | neg                 ecx
            //   0f844e020000         | neg                 ecx
            //   488d4db0             | dec                 eax
            //   4533c9               | lea                 ecx, [esp + 0x40]

        $sequence_5 = { e9???????? 48898fd0020000 48898fd8020000 388f2c020000 745f 488daf30020000 488bcd }
            // n = 7, score = 100
            //   e9????????           |                     
            //   48898fd0020000       | add                 edx, ecx
            //   48898fd8020000       | mov                 eax, dword ptr [esp + 0x30]
            //   388f2c020000         | dec                 eax
            //   745f                 | bsf                 edx, eax
            //   488daf30020000       | dec                 eax
            //   488bcd               | shr                 edx, 3

        $sequence_6 = { c1e804 22c3 8887560e0000 f6c110 7406 83e1ef 83c902 }
            // n = 7, score = 100
            //   c1e804               | lea                 ecx, [0x2db86f]
            //   22c3                 | dec                 eax
            //   8887560e0000         | mov                 dword ptr [esp + 0x28], eax
            //   f6c110               | mov                 edx, 0x19
            //   7406                 | ud2                 
            //   83e1ef               | dec                 eax
            //   83c902               | sub                 esp, 0x28

        $sequence_7 = { f348a5 837d0003 4889e9 0f84330e0000 4889ce e8???????? 48c70603000000 }
            // n = 7, score = 100
            //   f348a5               | dec                 esp
            //   837d0003             | lea                 eax, [ecx + eax]
            //   4889e9               | movdqu              xmmword ptr [ecx], xmm0
            //   0f84330e0000         | dec                 eax
            //   4889ce               | cmp                 eax, 0x10
            //   e8????????           |                     
            //   48c70603000000       | jle                 0x17e0

        $sequence_8 = { e8???????? 4885c0 0f85c5210000 488d4c2460 4889da e8???????? 48837c246000 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   4885c0               | dec                 eax
            //   0f85c5210000         | mov                 dword ptr [ebx + 0x20], eax
            //   488d4c2460           | dec                 eax
            //   4889da               | test                eax, eax
            //   e8????????           |                     
            //   48837c246000         | je                  0x2f1

        $sequence_9 = { 8bd8 488dbeb8020000 740d 834f1002 eb07 488dbeb8020000 85c0 }
            // n = 7, score = 100
            //   8bd8                 | cvttss2si           ebx, xmm1
            //   488dbeb8020000       | inc                 ecx
            //   740d                 | ucomiss             xmm1, xmm0
            //   834f1002             | movups              xmm2, xmmword ptr [ecx + 0x10]
            //   eb07                 | mov                 edx, 0x7fffffff
            //   488dbeb8020000       | mov                 eax, dword ptr [ebp + 0xa0]
            //   85c0                 | inc                 ecx

    /* Fires only when at least 7 of the 10 sequences are present AND the
     * scanned object is smaller than 9285632 bytes (~8.9 MiB); the size cap
     * presumably bounds scan cost and limits hits on large unrelated files.
     * Because the sequences come from single unpacked samples (see disclaimer),
     * the rule is aimed at unpacked code / memory dumps and should be
     * validated against a clean corpus before being given a confidence level.
     */
    condition:
        7 of them and filesize < 9285632
}