{
	"id": "d2df2353-479e-437d-99dc-c1c2e38e1376",
	"created_at": "2026-04-06T00:08:34.146105Z",
	"updated_at": "2026-04-10T03:37:09.150192Z",
	"deleted_at": null,
	"sha1_hash": "7f25d58dd10e4f087156e17656c8ee608ec0561e",
	"title": "Luxy: A Stealer and a Ransomware in one",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 735488,
	"plain_text": "Luxy: A Stealer and a Ransomware in one\r\nPublished: 2024-09-03 · Archived: 2026-04-05 23:00:13 UTC\r\nRecently we came across a tweet about a malware, called Luxy, having both stealer and ransomware activities. The stealer is similar to Umbral stealer: it tries to collect user passwords and browser details, using Telegram, and the ransomware encrypts all the files and leaves a ransom note having the decryption key.\r\nFig 1: Die_Output\r\nThe sample being analyzed is a 32-bit executable file compiled with .NET (v4.0.30319).\r\nhttps://labs.k7computing.com/index.php/luxy-a-stealer-and-a-ransomware-in-one/\r\nPage 1 of 11\r\nFig 2: Entry point\r\nInitially, the process being executed consists of three modules, viz. BlockAvSites, Stealer and Ransomware. We will look into each module in detail.\r\nFig 3: Checking network and VM\r\nThe process ensures a mutex is registered for single-instance execution control. It proceeds only when it has access to a network connection, which it verifies by trying to access the URL highlighted in Fig 4.\r\nFig 4: Checking network is connected from the system\r\nFig 5: Virtual machine check containing sub-modules\r\nIt checks whether the malware is executing in a VM using multiple factors like the system UUID, computer name, username, running processes and the presence of a debugger, through various detection methods.\r\nFig 6: Script for checking System UUID and Running Process\r\nThe SystemID check reads the current system UUID and compares it with the blacklisted UUID list; if it matches, it kills the process. Similarly, it checks the currently running processes against a list of known monitoring tools in the system using the GETPROCESSES Windows API and kills the process if a match is found.\r\nFig 7: List of blacklisted names, users, UUIDs, tasks\r\nFig 7 shows the blacklisted UUIDs, blacklisted computer names, blacklisted users and blacklisted tasks used to avoid monitoring of the malware. If the system matches a name from this list, the malware terminates. Among these blacklisted UUIDs and blacklisted computer names are those of popular sandboxes.\r\nFig 8: Script containing AV list and changing of hosts file\r\nHere, the malware tries to prevent access to the particular websites shown in the image by changing the hosts file, which maps the listed domains to 0.0.0.0. As a result, the content from these websites cannot be loaded.\r\nFig 9: List of Browsers\r\nFig 9 lists the browsers whose password and cookie information are stolen.\r\nFig 10: Script for collecting cookies of the browser\r\nThe script in Fig 10 is used to steal the cookie encryption key used in Chrome. The GETENCRYPTIONKEY method is used for extracting the encrypted key and decrypting it. A similar method is followed for the other browsers.\r\nFig 11: Script for collecting passwords of the browser\r\nFig 11 shows the script to steal passwords from Chrome.\r\nFig 12: Script for stealing crypto currency wallet information\r\nIt then steals the crypto currency wallet information and stores it in the source.txt file. The method tracks the number of files successfully copied.\r\nFig 13: Script for extracting details from crypto currency wallets\r\nIt then steals the crypto currency wallet information of Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, Electrum, AtomicWallet, Guarda, and Coinomi. The malware searches for each wallet's information one by one and, if it is found, stores it as a text file.\r\nFig 14: Script for stealing Minecraft session\r\nThe StealMinecraftSessionFiles method is designed to copy Minecraft session files from a predefined list of paths to a specified destination directory, and records them in the source.txt file. The method tracks the number of files successfully copied. Minecraft session files contain sensitive information related to user authentication; the method copies them from their original locations to the destination directory, logs the source path of each file to Source.txt, and uses error handling to ensure directories are cleaned up if copying fails, while tracking the number of successfully collected files.\r\nFig 15: List of Minecraft sessions\r\nThe script shown in Fig 15 is used for stealing the Minecraft session information of Intent, Lunar, TLauncher, Feather, Meteor, Impact, Novoline, CheatBreakers, Microsoft Store, Rise, Rise (Intent), Paladium, PolyMC, and Badlion. The malware then tries to search for the crypto currency wallet information one by one and, if found, stores the same as a text file.\r\nFig 16: Roblox cookies\r\nThe RobloxCookieStealer is used for extracting Roblox cookies from the registry and from various browsers. It collects cookies using the Get-ItemPropertyValue PowerShell command and also processes cookies from a set of browser cookie extraction tasks.\r\nFig 17: Script containing ransomware module\r\nFig 17 shows the script containing the Ransomware module, which encrypts all the files and leaves the ransom note at the malware path.\r\nFig 18: Script for finding the sample executing path\r\nIt then extracts the path from which the malware was executed in order to list all the files in that directory and proceed with further processing. It also checks the extensions of the files in the malware's execution path.\r\nFig 19: Script for collecting all files of the malware executing path\r\nIt then retrieves all the files from the directory of the malware file path.\r\nFig 20: Script for renaming the file extension\r\nIt then encrypts each file using the AES256 algorithm and changes the file's extension to the encrypted extension once the content is encrypted.\r\nFig 21: Script contains encryption method\r\nThe malware uses AES for encrypting the files. The Encrypt method configures AES encryption with a 128-bit key and IV (initialization vector), while PERFORM CRYPTOGRAPHY handles the actual encryption using a CryptoStream and returns the encrypted byte array. The encryption uses PaddingMode.Zeros, which pads the plaintext data with zeros to ensure it meets the block size requirements of AES encryption.\r\nFig 22: Ransom note\r\nOnce files from all the folders are encrypted, it drops a .txt in the sample path which contains a ransom note stating that all the files are encrypted and giving a contact for receiving the key to decrypt them.\r\nWith the increasing risk of malware attacks, it’s important to take steps to protect your data. Using a reliable security product like K7 Total Security and keeping it updated is crucial to defend against these threats.\r\nIOC\r\nHash: 09B5F5200E59D3A4623D739661CE9832\r\nDetection Name: Password-Stealer ( 005a3e671 )\r\nSource: https://labs.k7computing.com/index.php/luxy-a-stealer-and-a-ransomware-in-one/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.k7computing.com/index.php/luxy-a-stealer-and-a-ransomware-in-one/"
	],
	"report_names": [
		"luxy-a-stealer-and-a-ransomware-in-one"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434114,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7f25d58dd10e4f087156e17656c8ee608ec0561e.pdf",
		"text": "https://archive.orkl.eu/7f25d58dd10e4f087156e17656c8ee608ec0561e.txt",
		"img": "https://archive.orkl.eu/7f25d58dd10e4f087156e17656c8ee608ec0561e.jpg"
	}
}