2024-09-03 LUXY Ransomware / Stealer Sample
2024-09-03 K7 Security Labs: Luxy: A Stealer and a Ransomware in one
- The sample is a .NET 32-bit executable, enforcing single-instance execution via a mutex and ensuring network connectivity before proceeding. It also implements anti-VM checks using System UUIDs, process names, and other system identifiers to evade sandbox environments.
- Browser Data Extraction: Utilizes methods like GETENCRYPTIONKEY to extract and decrypt stored passwords and cookies from various browsers.
- Cryptocurrency Wallet Theft: Targets wallets such as Zcash, Ethereum, and others, copying wallet files to a text file for exfiltration.
- Session File Theft: Extracts Minecraft session files, logging them in a source.txt file, potentially compromising user authentication.
- Roblox Cookie Theft: Steals cookies from the registry and browsers using PowerShell commands.
- File Encryption: Deploys AES256 encryption on all files in the malware execution path, renaming files post-encryption. The encryption method uses a 128-bit key and IV, padding the plaintext to meet AES block size requirements.
- Ransom Note: After encryption, a ransom note is dropped, informing the victim of the encryption and providing instructions to obtain the decryption key.
The ransom note reads:
ATTENTION!
Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
To get this software and key you need join our server discord:
discord.gg/
Personal ID:
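The note text and the whole-file AES encryption described above give a responder two cheap triage signals on a suspected host: a dropped note that repeats phrases from the text quoted here, and data files whose contents look like block-cipher output. The following scanner is an added example, not code from the K7 write-up or from the contagio post; the note phrases are taken from the note above, while the entropy threshold, the file names and the sample contents it builds in a temporary directory are constructed for the example.

```python
"""Added example: triage scanner for a Luxy-style infection.

Walks a directory tree and reports
  1. files containing several phrases from the quoted ransom note, and
  2. files that are a whole number of AES blocks long with near-maximal
     Shannon entropy, the shape AES-CBC output with PKCS7 padding has.
"""
import math
import os
import tempfile
from collections import Counter

# Phrases from the ransom note quoted in the post. Requiring more than one
# keeps a single common string (e.g. a Discord invite) from triggering a hit.
NOTE_PHRASES = (
    "Don't worry, you can return all your files!",
    "Price of private key and decrypt software is $980.",
    "discord.gg/",
    "Personal ID:",
)
MIN_PHRASE_HITS = 2

# Constructed threshold in bits per byte: ciphertext sits close to 8.0,
# text and most office documents well below.
ENTROPY_THRESHOLD = 7.9
AES_BLOCK = 16


def shannon_entropy(data: bytes) -> float:
    """Entropy of the byte distribution in bits per byte (0.0 if empty)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(text: str) -> bool:
    """True when at least MIN_PHRASE_HITS of the known phrases appear."""
    return sum(p in text for p in NOTE_PHRASES) >= MIN_PHRASE_HITS


def looks_encrypted(data: bytes) -> bool:
    """Block-aligned length plus near-maximal entropy; both must hold."""
    return (len(data) >= AES_BLOCK and len(data) % AES_BLOCK == 0
            and shannon_entropy(data) >= ENTROPY_THRESHOLD)


def scan_tree(root: str) -> dict:
    """Return {'notes': [paths], 'encrypted': [paths]} for the tree at root."""
    result = {"notes": [], "encrypted": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            try:
                if looks_like_ransom_note(data.decode("utf-8")):
                    result["notes"].append(path)
                    continue
            except UnicodeDecodeError:
                pass  # binary content, fall through to the entropy check
            if looks_encrypted(data):
                result["encrypted"].append(path)
    return result


def demo() -> dict:
    """Build a constructed victim directory in a temp folder and scan it."""
    root = tempfile.mkdtemp(prefix="luxy_scan_")
    note = "\n".join([
        "ATTENTION!",
        "Don't worry, you can return all your files!",
        "Price of private key and decrypt software is $980.",
        "To get this software and key you need join our server discord:",
        "discord.gg/",
        "Personal ID:",
    ])
    with open(os.path.join(root, "README.txt"), "w", encoding="utf-8") as fh:
        fh.write(note)
    with open(os.path.join(root, "notes.txt"), "w", encoding="utf-8") as fh:
        fh.write("quarterly numbers, call vendor on monday\n" * 20)
    # Constructed stand-in for ciphertext: every byte value equally often
    # gives exactly 8.0 bits/byte and a length that is a multiple of 16.
    with open(os.path.join(root, "report.docx"), "wb") as fh:
        fh.write(bytes(range(256)) * 16)
    return scan_tree(root)


if __name__ == "__main__":
    found = demo()
    print("ransom notes:", found["notes"])
    print("encrypted-looking files:", found["encrypted"])
```

The entropy test alone also flags compressed archives and already-encrypted containers, so in real triage the hits are only a starting list to cross-check against modification times and the renamed extensions the write-up mentions; the block-alignment check removes some but not all of that noise.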
File Information
SHA256: a2bc9b467f331a26b33cfd70f7bf12c9e2e6b3ebc8d3749c12a7eedf507e9323
MD5: 09b5f5200e59d3a4623d739661ce9832
- Over the 15 years this blog has been around, many hosting providers have dropped support because of stricter no-malware policies, which has left broken links, especially in older posts. If you find a broken link on contagiodump.blogspot.com (or contagiominidump.blogspot.com), note the file name from the URL and search for it in the Contagio Malware Storage.