remcos | f5a1bb35256d27e0b6a4fb1328092433a0063422d9aed3d633cbbe0bf26fcb0c

Analysis

max time kernel
150s
max time network
139s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
16-11-2024 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe
Size

3.8MB
MD5

3ef3af23bc1cf2e9387548202296bf78
SHA1

5b54b229bccc4071df18eed8d1910e11e8704fec
SHA256

f5a1bb35256d27e0b6a4fb1328092433a0063422d9aed3d633cbbe0bf26fcb0c
SHA512

47d80de4167ab270246a115a85f0b58c964bb9633b81934f6240e4a6804b190b9ce653cf8ca8d10dbdaf99f36b5d56f7dd07c275c89347da5ca0a8f74d952363
SSDEEP

98304:p3h6d68gwIteZNiiPwVpaOU/jIEeQfoR/IuOFVjUu5:pR668aaELeFIF0wu

Score

10^/10

remcos xred abillion+naira backdoor discovery execution macro persistence rat

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

remcos

Botnet

ABILLION+NAIRA

nzobaku.ddns.net:8081

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-S0L1LJ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2412	powershell.exe
2392	powershell.exe
2804	powershell.exe
2932	powershell.exe

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x0007000000016d9f-157.dat

Executes dropped EXE 4 IoCs

pid	Process
3044	._cache_2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe
320	Synaptics.exe
2884	Synaptics.exe
1872	._cache_Synaptics.exe

Loads dropped DLL 6 IoCs

pid	Process
2872	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe
2872	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe
2872	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe
2884	Synaptics.exe
2884	Synaptics.exe
2884	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2596 set thread context of 2872	2596	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe	37
PID 320 set thread context of 2884	320	Synaptics.exe	46

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2972	schtasks.exe
1620	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1224	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2596	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe
2596	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe
2596	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe
2596	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe
2804	powershell.exe
2932	powershell.exe
2596	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe
320	Synaptics.exe
320	Synaptics.exe
320	Synaptics.exe
320	Synaptics.exe
2412	powershell.exe
2392	powershell.exe
320	Synaptics.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	320	Synaptics.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3044	._cache_2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe
1224	EXCEL.EXE

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 2804	2596	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe	31
PID 2596 wrote to memory of 2804	2596	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe	31
PID 2596 wrote to memory of 2804	2596	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe	31
PID 2596 wrote to memory of 2804	2596	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe	31
PID 2596 wrote to memory of 2932	2596	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe	33
PID 2596 wrote to memory of 2932	2596	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe	33
PID 2596 wrote to memory of 2932	2596	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe	33
PID 2596 wrote to memory of 2932	2596	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe	33
PID 2596 wrote to memory of 2972	2596	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe	34
PID 2596 wrote to memory of 2972	2596	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe	34
PID 2596 wrote to memory of 2972	2596	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe	34
PID 2596 wrote to memory of 2972	2596	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe	34
PID 2596 wrote to memory of 2872	2596	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe	37
PID 2596 wrote to memory of 2872	2596	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe	37
PID 2596 wrote to memory of 2872	2596	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe	37
PID 2596 wrote to memory of 2872	2596	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe	37
PID 2596 wrote to memory of 2872	2596	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe	37
PID 2596 wrote to memory of 2872	2596	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe	37
PID 2596 wrote to memory of 2872	2596	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe	37
PID 2596 wrote to memory of 2872	2596	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe	37
PID 2596 wrote to memory of 2872	2596	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe	37
PID 2596 wrote to memory of 2872	2596	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe	37
PID 2596 wrote to memory of 2872	2596	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe	37
PID 2596 wrote to memory of 2872	2596	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe	37
PID 2872 wrote to memory of 3044	2872	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe	38
PID 2872 wrote to memory of 3044	2872	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe	38
PID 2872 wrote to memory of 3044	2872	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe	38
PID 2872 wrote to memory of 3044	2872	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe	38
PID 2872 wrote to memory of 320	2872	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe	39
PID 2872 wrote to memory of 320	2872	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe	39
PID 2872 wrote to memory of 320	2872	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe	39
PID 2872 wrote to memory of 320	2872	2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe	39
PID 320 wrote to memory of 2412	320	Synaptics.exe	40
PID 320 wrote to memory of 2412	320	Synaptics.exe	40
PID 320 wrote to memory of 2412	320	Synaptics.exe	40
PID 320 wrote to memory of 2412	320	Synaptics.exe	40
PID 320 wrote to memory of 2392	320	Synaptics.exe	42
PID 320 wrote to memory of 2392	320	Synaptics.exe	42
PID 320 wrote to memory of 2392	320	Synaptics.exe	42
PID 320 wrote to memory of 2392	320	Synaptics.exe	42
PID 320 wrote to memory of 1620	320	Synaptics.exe	43
PID 320 wrote to memory of 1620	320	Synaptics.exe	43
PID 320 wrote to memory of 1620	320	Synaptics.exe	43
PID 320 wrote to memory of 1620	320	Synaptics.exe	43
PID 320 wrote to memory of 2884	320	Synaptics.exe	46
PID 320 wrote to memory of 2884	320	Synaptics.exe	46
PID 320 wrote to memory of 2884	320	Synaptics.exe	46
PID 320 wrote to memory of 2884	320	Synaptics.exe	46
PID 320 wrote to memory of 2884	320	Synaptics.exe	46
PID 320 wrote to memory of 2884	320	Synaptics.exe	46
PID 320 wrote to memory of 2884	320	Synaptics.exe	46
PID 320 wrote to memory of 2884	320	Synaptics.exe	46
PID 320 wrote to memory of 2884	320	Synaptics.exe	46
PID 320 wrote to memory of 2884	320	Synaptics.exe	46
PID 320 wrote to memory of 2884	320	Synaptics.exe	46
PID 320 wrote to memory of 2884	320	Synaptics.exe	46
PID 2884 wrote to memory of 1872	2884	Synaptics.exe	47
PID 2884 wrote to memory of 1872	2884	Synaptics.exe	47
PID 2884 wrote to memory of 1872	2884	Synaptics.exe	47
PID 2884 wrote to memory of 1872	2884	Synaptics.exe	47

C:\Users\Admin\AppData\Local\Temp\2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BLznCuyzwk.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLznCuyzwk" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF892.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2972
- C:\Users\Admin\AppData\Local\Temp\2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Users\Admin\AppData\Local\Temp\._cache_2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3044
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:320
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2412
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BLznCuyzwk.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2392
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLznCuyzwk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4D26.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1620
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
        5⤵
        Executes dropped EXE
        
        PID:1872

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
3.8MB

MD5
3ef3af23bc1cf2e9387548202296bf78

SHA1
5b54b229bccc4071df18eed8d1910e11e8704fec

SHA256
f5a1bb35256d27e0b6a4fb1328092433a0063422d9aed3d633cbbe0bf26fcb0c

SHA512
47d80de4167ab270246a115a85f0b58c964bb9633b81934f6240e4a6804b190b9ce653cf8ca8d10dbdaf99f36b5d56f7dd07c275c89347da5ca0a8f74d952363

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
40872613d5d49b10675f1bc2de46254a

SHA1
cbb0c0009b8ff94357ba170993cd24dab8222e4d

SHA256
70089c52c5e4f65c6390418a6705b19d187963785c120511308e7f6929a7c474

SHA512
00157c1f43ff108871eb1d72257864ab742dceb5cb8a7dcad542cad7f6c5cf9e1e4682a44da70b132dd48ac2e8d7ddd93189ec797574d35ca317487783fdf759

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PEqLF1k.xlsm

Filesize
21KB

MD5
bf34662790cc4c611597e2d3c1445cf0

SHA1
ec47fa6b2be454abcdd9bc48b0df1940885e88c8

SHA256
e985a36ef66be5c4ef48358d601714556c4de8282fa146c5fd2a15f41893c4ce

SHA512
738419672d9a098ac50412238902450ae2967d2eed8c975ca7cd303c0db1a5da70295e9ef3c4ba8b2a4ff473f67a072d8223110d888640f141a392c66313097f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PEqLF1k.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PEqLF1k.xlsm

Filesize
25KB

MD5
a14af46b177bf915f25f501bba7a9a9b

SHA1
0ed772efdbce2057c43a37b07011373f76dafcbd

SHA256
e433ee233629e37c1fef76e65b0eb6b5081185f16a53270adf0e5798ff280b21

SHA512
c14ac926f3f1fb8fddfcdfab517569b99d61a010f2a7a78844320e667c7dd3c1e7b104665db425a9608a16a93e5cf5956491d3f6675dbcb837d7bde16637ee11

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PEqLF1k.xlsm

Filesize
23KB

MD5
6ab3d6b4ce3e8c72c7da27b36557b8de

SHA1
da0a5625dbedc03a6c57043755ca5884f43f661f

SHA256
a0c8969f41eba5b599f0652a42b89ab7b4981d7548a59ca7324c68a93409518d

SHA512
2f92fdd13c482c8cfce907736b2282106cda9e6628df00f6b9baa28b8b1f1ab77539e43a6b3ae5a16bdb360f5bcbd3fbd530052b9baecba7f4a84d2f5728613f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PEqLF1k.xlsm

Filesize
21KB

MD5
5952afb8bc2445e1e51efbb7f7832bbe

SHA1
6534a99bf59faf3034f6b27316649bbec06cfe99

SHA256
1bfa292a7ef0783ef698ae3e84f15f10dcce8520c70ccd4d36f48a9e6c8cbad9

SHA512
4ad0e72d76ea3603dbd2e69a88de399f86a79d70a82cefa0c82694dfc9bd6c46b2594fa11afe19af4afe725d4d241767e54ea4b180c70bcc3170a37a23b2aabf

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PEqLF1k.xlsm

Filesize
26KB

MD5
68f00c1f22639d51531f78ba64eea9ec

SHA1
05370be8733c8b0507b4b98be6b5999216fea8e2

SHA256
79c43a5e5723777baaa1508d73f3f7959bacd2458c5ced9e9680c5f3644b2f42

SHA512
47b4193e04778f182cf67e113ffc154f3d44409171eaad3f3e1a1a4a92adbce6bbf45a07f3f9b6f1adf56d5144640e33dd4c4394c86b85d834d8d3497dfae800

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF892.tmp

Filesize
1KB

MD5
5fb6a0652b7d45085574a418df44d8a8

SHA1
d74e47d8da22f9c3f8780ca19f426e53303f7b96

SHA256
e265571eaa93cf7ced1d7ded82b61679c861b8b2cbd90b5d5149135b5d7c0c94

SHA512
90a8c52da6f9aaf3b3443b09a772e0c6308eee92c1fa40349808da91d0d1ff002fde4538dbaf94e5c7bf4b0fff8d267bf206dbab4f2498e13b895080b8a07203

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
b3f944974809c9dce4eaaa1978d4b823

SHA1
3705f7d5be51a825ef1a0b4813aa0a24a488d27d

SHA256
451e9cb973ec9f9f0b752d3ebcc8f727a0f7c2b21979a0fe1e1d55ea58c07719

SHA512
954811bccfe4dd88b6e7187a07516cb39b81ac08504b84c2eb44864875cf7aa4791e9bd4daeaf9c146ed1db4f1aa29a9a8bfd6ea728e6664faefae8542e796dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
20618332d84f492a8d42e66a1ea76eb2

SHA1
9e94933a0ed28ee17fe3cd2ecabe3518df6fe5be

SHA256
93c2ae553a8f056ecb3e49a1df1df8db0ccad7df944480d3239ab52a7ceab2f3

SHA512
8e3e6e4d286068dd04dac92160373b0f4650ff6e7ca99ada841a34302abb4798f29124499923cd3800c2145e41511498b37b7b08e9277a688d253ffc8fd26c1c

Download Submit
C:\Users\Admin\Desktop\~$OpenBackup.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_2024-11-16_3ef3af23bc1cf2e9387548202296bf78_avoslocker_formbook_hijackloader_luca-stealer.exe

Filesize
483KB

MD5
f3b57ccad1c0a308635e17aa591e4038

SHA1
ca67ad3c74523b844fc23563f7b288f0389fd645

SHA256
5ad6b9a917f35be0a1d66c771069c2143ad765737eedd85436acbc0f95a4c0e7

SHA512
5ed754a1b254e8a4b03e0445ac0081c94aaf179c2974827ce4ff10b7deb765d819243b2084212d7c91be9ddc07bf94f55e35f85564781b4124b61647a2f0977a

Download Submit
memory/320-62-0x0000000000F80000-0x0000000001360000-memory.dmp

Filesize
3.9MB

Download
memory/1224-198-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1224-109-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2596-4-0x00000000746AE000-0x00000000746AF000-memory.dmp

Filesize
4KB

Download
memory/2596-6-0x00000000054F0000-0x000000000566E000-memory.dmp

Filesize
1.5MB

Download
memory/2596-1-0x00000000013A0000-0x0000000001780000-memory.dmp

Filesize
3.9MB

Download
memory/2596-0-0x00000000746AE000-0x00000000746AF000-memory.dmp

Filesize
4KB

Download
memory/2596-36-0x00000000746A0000-0x0000000074D8E000-memory.dmp

Filesize
6.9MB

Download
memory/2596-2-0x00000000746A0000-0x0000000074D8E000-memory.dmp

Filesize
6.9MB

Download
memory/2596-3-0x0000000000370000-0x0000000000388000-memory.dmp

Filesize
96KB

Download
memory/2596-5-0x00000000746A0000-0x0000000074D8E000-memory.dmp

Filesize
6.9MB

Download
memory/2872-35-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2872-31-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2872-25-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2872-27-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2872-19-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2872-29-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2872-34-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2872-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2872-21-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2872-23-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2884-197-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2884-94-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2884-196-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2884-97-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2884-202-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2884-240-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download