Analysis Overview
SHA256
92fb10cf31703cafd85fd04fedb97c6ea5df8844850cbd355ac7482bf7bb75f9
Threat Level: Known bad
The file 2024-04-22_2c7e09a9d26e501906d4e75688b853d4_magniber was found to be: Known bad. Note that the filename contains the string "magniber", but the family signature that fires in both detonations below is Remcos; classify on the signature, not on the name.
Malicious Activity Summary
Remcos
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-04-22 11:17
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-22 11:17
Reported
2024-04-22 11:20
Platform
win10v2004-20240412-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Remcos
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-22_2c7e09a9d26e501906d4e75688b853d4_magniber.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-22_2c7e09a9d26e501906d4e75688b853d4_magniber.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-22_2c7e09a9d26e501906d4e75688b853d4_magniber.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-22_2c7e09a9d26e501906d4e75688b853d4_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_2c7e09a9d26e501906d4e75688b853d4_magniber.exe"
C:\Users\Admin\AppData\Local\Temp\2024-04-22_2c7e09a9d26e501906d4e75688b853d4_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_2c7e09a9d26e501906d4e75688b853d4_magniber.exe"
The sample is listed twice with an identical command line, and the memory dumps below come from two PIDs: 4088 holds the mapped image (0x400000-0x65D000) while 3516 holds a separate region (0x660000-0x6D5000, 0x75000 bytes) that was dumped repeatedly, plus one 4 KB page. Read together with the WriteProcessMemory signature, this is consistent with the first instance launching a second copy of itself and writing a payload into it. The report does not state this; it is an inference from the listed artifacts.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 156.33.209.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.250.30.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 239.249.30.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:2404 | | tcp |
| N/A | 127.0.0.1:2404 | | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:2404 | | tcp |
| N/A | 127.0.0.1:2404 | | tcp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.173.246.72.in-addr.arpa | udp |
| N/A | 127.0.0.1:2404 | | tcp |
| US | 8.8.8.8:53 | 28.143.109.104.in-addr.arpa | udp |
| N/A | 127.0.0.1:2404 | | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:2404 | | tcp |
| N/A | 127.0.0.1:2404 | | tcp |
| N/A | 127.0.0.1:2404 | | tcp |
| N/A | 127.0.0.1:2404 | | tcp |
| N/A | 127.0.0.1:2404 | | tcp |
| N/A | 127.0.0.1:2404 | | tcp |
| N/A | 127.0.0.1:2404 | | tcp |
| N/A | 127.0.0.1:2404 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:2404 | | tcp |
| N/A | 127.0.0.1:2404 | | tcp |
| N/A | 127.0.0.1:2404 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| N/A | 127.0.0.1:2404 | | tcp |
| N/A | 127.0.0.1:2404 | | tcp |
| N/A | 127.0.0.1:2404 | | tcp |
| N/A | 127.0.0.1:2404 | | tcp |
| N/A | 127.0.0.1:2404 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:2404 | | tcp |
| US | 8.8.8.8:53 | 219.138.73.23.in-addr.arpa | udp |
| N/A | 127.0.0.1:2404 | | tcp |
| N/A | 127.0.0.1:2404 | | tcp |
| N/A | 127.0.0.1:2404 | | tcp |
| N/A | 127.0.0.1:2404 | | tcp |
| N/A | 127.0.0.1:2404 | | tcp |
| N/A | 127.0.0.1:2404 | | tcp |
| N/A | 127.0.0.1:2404 | | tcp |
| N/A | 127.0.0.1:2404 | | tcp |
| N/A | 127.0.0.1:2404 | | tcp |
| N/A | 127.0.0.1:2404 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:2404 | | tcp |
| N/A | 127.0.0.1:2404 | | tcp |
| N/A | 127.0.0.1:2404 | | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| N/A | 127.0.0.1:2404 | | tcp |
| N/A | 127.0.0.1:2404 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.14.97.104.in-addr.arpa | udp |
| N/A | 127.0.0.1:2404 | | tcp |
| N/A | 127.0.0.1:2404 | | tcp |
| N/A | 127.0.0.1:2404 | | tcp |
| N/A | 127.0.0.1:2404 | | tcp |
| N/A | 127.0.0.1:2404 | | tcp |
| N/A | 127.0.0.1:2404 | | tcp |
| US | 8.8.8.8:53 | 200.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| N/A | 127.0.0.1:2404 | | tcp |
| N/A | 127.0.0.1:2404 | | tcp |
All 46 tcp rows in this run target 127.0.0.1:2404 on the loopback interface, so no remote command-and-control traffic was observed. The remaining rows are reverse-DNS (in-addr.arpa) lookups via 8.8.8.8 and HTTPS connections to Bing hosts; the report does not attribute them to a process, and they are consistent with background activity of the win10 image rather than necessarily with the sample.
Files
memory/4088-1-0x0000000000400000-0x000000000065D000-memory.dmp
memory/4088-3-0x0000000000400000-0x000000000065D000-memory.dmp
memory/4088-2-0x0000000000400000-0x000000000065D000-memory.dmp
memory/4088-4-0x0000000000400000-0x000000000065D000-memory.dmp
memory/3516-5-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/4088-7-0x0000000000400000-0x000000000065D000-memory.dmp
memory/3516-9-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-10-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-11-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-12-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-13-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-14-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-15-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-16-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-17-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-18-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-19-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-20-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-21-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-22-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-23-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-24-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-25-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-26-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-27-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-28-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-29-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-30-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-31-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-32-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-33-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-34-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-35-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-36-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-37-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-38-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-39-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-40-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-41-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-42-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-43-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-44-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-45-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-46-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-47-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-48-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-49-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-50-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-51-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-52-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-53-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-54-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-55-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-56-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-57-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-58-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-59-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-60-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-61-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-62-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-63-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-64-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-65-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-66-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-67-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-68-0x0000000000660000-0x00000000006D5000-memory.dmp
memory/3516-69-0x0000000000660000-0x00000000006D5000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-22 11:17
Reported
2024-04-22 11:20
Platform
win7-20240220-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
Remcos
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-22_2c7e09a9d26e501906d4e75688b853d4_magniber.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-22_2c7e09a9d26e501906d4e75688b853d4_magniber.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-22_2c7e09a9d26e501906d4e75688b853d4_magniber.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-22_2c7e09a9d26e501906d4e75688b853d4_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_2c7e09a9d26e501906d4e75688b853d4_magniber.exe"
C:\Users\Admin\AppData\Local\Temp\2024-04-22_2c7e09a9d26e501906d4e75688b853d4_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-22_2c7e09a9d26e501906d4e75688b853d4_magniber.exe"
As in the win10 run, the sample is listed twice with an identical command line and the memory dumps come from two PIDs: 2860 holds the mapped image (0x400000-0x65D000) and a small 0x1E0000-0x1EA000 region, while 2588 holds a separate region (0x1C0000-0x235000) that was dumped repeatedly plus two single pages. That child region is 0x75000 bytes, the same size as the 0x660000-0x6D5000 region in PID 3516 of the win10 run, which is what the same payload written into a spawned copy on each platform would look like. This is an inference from the listed artifacts, not a statement made by the report.
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:2404 | | tcp |
68 connection attempts to 127.0.0.1:2404 over tcp were logged in this run and nothing else: no DNS lookups and no external hosts. The only destination is the loopback interface, so no remote command-and-control traffic was observed on the win7 image.
Files
memory/2860-1-0x0000000000400000-0x000000000065D000-memory.dmp
memory/2860-0-0x0000000000400000-0x000000000065D000-memory.dmp
memory/2860-2-0x0000000000400000-0x000000000065D000-memory.dmp
memory/2588-4-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2860-7-0x0000000000400000-0x000000000065D000-memory.dmp
memory/2588-10-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2588-13-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-9-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2588-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2588-14-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2860-3-0x00000000001E0000-0x00000000001EA000-memory.dmp
memory/2588-15-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-17-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-16-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-18-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-19-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-20-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-21-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-22-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-23-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-24-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-25-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-26-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-27-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-28-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-29-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-30-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-31-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-32-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-33-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-34-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-35-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-36-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-37-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-38-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-39-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-40-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-41-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-42-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-43-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-44-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-45-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-46-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-47-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-48-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-49-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-50-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-51-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-52-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-53-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-54-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-55-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-56-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-57-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-58-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-59-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-60-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-61-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-62-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-63-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-64-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-65-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-66-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-67-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-68-0x00000000001C0000-0x0000000000235000-memory.dmp
memory/2588-69-0x00000000001C0000-0x0000000000235000-memory.dmp
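A triage script for the Files and Network listings of both detonations above (added here as an example; it is not part of the sandbox output and not the vendor's code). It parses the memory/<pid>-<n>-<start>-<end>-memory.dmp names into per-PID regions with sizes and dump counts, groups region sizes that recur across PIDs (the 0x75000-byte region seen in PIDs 3516 and 2588), and counts the network rows while repairing the extraction slip where the protocol of a loopback row sits in the Domain column. The input is a constructed subset of this report's own lines; the function names are my own.

```python
"""Triage helper for this report's memory-dump and network listings.
Added example, not part of the sandbox output.  Input is a constructed
subset of the report's lines."""
import re
from collections import Counter

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)

# Constructed subset of the report's dump names (win10 PIDs 4088/3516, win7 2860/2588).
SAMPLE_DUMPS = [
    "memory/4088-1-0x0000000000400000-0x000000000065D000-memory.dmp",
    "memory/4088-3-0x0000000000400000-0x000000000065D000-memory.dmp",
    "memory/3516-5-0x00000000001D0000-0x00000000001D1000-memory.dmp",
    "memory/3516-9-0x0000000000660000-0x00000000006D5000-memory.dmp",
    "memory/3516-10-0x0000000000660000-0x00000000006D5000-memory.dmp",
    "memory/2860-1-0x0000000000400000-0x000000000065D000-memory.dmp",
    "memory/2588-4-0x00000000001C0000-0x0000000000235000-memory.dmp",
    "memory/2588-13-0x00000000001C0000-0x0000000000235000-memory.dmp",
]

# Constructed subset of the report's network rows, including the column slip
# where a loopback row carries "tcp" in the Domain column and an empty Proto.
SAMPLE_NET = [
    "| Country | Destination | Domain | Proto |",
    "| US | 8.8.8.8:53 | g.bing.com | udp |",
    "| US | 204.79.197.237:443 | g.bing.com | tcp |",
    "| N/A | 127.0.0.1:2404 | tcp | |",
    "| N/A | 127.0.0.1:2404 | tcp | |",
]


def summarise_dumps(lines):
    """One record per (pid, region): start, end, size in bytes, dump count."""
    regions = {}
    for line in lines:
        m = DUMP_RE.search(line)
        if not m:
            continue
        key = (int(m["pid"]), int(m["start"], 16), int(m["end"], 16))
        regions[key] = regions.get(key, 0) + 1
    return [
        {"pid": pid, "start": s, "end": e, "size": e - s, "dumps": n}
        for (pid, s, e), n in sorted(regions.items())
    ]


def shared_size_regions(summary):
    """Map region size -> sorted PIDs, keeping only sizes dumped from more
    than one PID.  The same size in two different processes is what a payload
    written into each spawned copy would look like; the image region at
    0x400000 is shared too, simply because both parents map the same binary."""
    by_size = {}
    for r in summary:
        by_size.setdefault(r["size"], set()).add(r["pid"])
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


def parse_network(rows):
    """Count rows per (destination, domain, proto), repairing the column slip."""
    counts = Counter()
    for row in rows:
        cells = [c.strip() for c in row.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0] == "Country":
            continue
        cells += [""] * (4 - len(cells))          # tolerate a missing trailing cell
        _country, dest, c3, c4 = cells[:4]
        if c4 == "" and c3 in ("tcp", "udp"):     # protocol slipped into Domain
            domain, proto = "", c3
        else:
            domain, proto = c3, c4
        counts[(dest, domain, proto)] += 1
    return counts


def loopback_only(counts):
    """True when every destination is on 127.0.0.0/8, i.e. no external C2 seen."""
    return all(dest.startswith("127.") for dest, _domain, _proto in counts)


if __name__ == "__main__":
    summary = summarise_dumps(SAMPLE_DUMPS)
    for r in summary:
        print(f"pid {r['pid']}: 0x{r['start']:X}-0x{r['end']:X} "
              f"size 0x{r['size']:X} dumped {r['dumps']}x")
    print("sizes shared across PIDs:",
          {hex(k): v for k, v in shared_size_regions(summary).items()})
    net = parse_network(SAMPLE_NET)
    for key, n in net.items():
        print(n, key)
    print("loopback only:", loopback_only(net))
```

Run it against the full Files and Network sections (paste the lines into the two lists, or read them from a saved copy of the report) and the per-PID view makes the two-process layout obvious without scrolling through sixty near-identical dump names; the shared-size check is a cheap heuristic, not proof of injection, and should be confirmed by inspecting the dumped region.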