remcos | f36f8948667116064a7810b6a1971d5ebf49f225cd0c5a0d7b7def870f93e31f

Analysis

max time kernel
149s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
Size

9.7MB
MD5

5a6f38693f748bbc32b3068f72c93075
SHA1

8e80b4b3c3b313527a02ce59c9d8a3623986f2a9
SHA256

f36f8948667116064a7810b6a1971d5ebf49f225cd0c5a0d7b7def870f93e31f
SHA512

074dda5143fac0cbe0fa099dd4a2970ba3a6272a788b9df66387cb1caa7914843cd073df2e9274a4402f2fe5606ac164c8c71f3e35776454355bcde24a93ace5
SSDEEP

196608:qR668aaELjR668aaELtR668aaELbR668aaELxpFvqcA:qp8aaqp8aa0p8aaSp8aa4

Score

10^/10

remcos xred abillion+naira backdoor discovery execution persistence rat

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

remcos

Botnet

ABILLION+NAIRA

nzobaku.ddns.net:8081

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-S0L1LJ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2348	powershell.exe
2740	powershell.exe
2512	powershell.exe
2268	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
2704	._cache_2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
2364	Synaptics.exe
1560	Synaptics.exe
856	._cache_Synaptics.exe

Loads dropped DLL 6 IoCs

pid	Process
2808	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
2808	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
2808	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
1560	Synaptics.exe
1560	Synaptics.exe
1560	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1900 set thread context of 2808	1900	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	37
PID 2364 set thread context of 1560	2364	Synaptics.exe	46

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2848	schtasks.exe
2212	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1600	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1900	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
1900	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
1900	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
1900	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
2740	powershell.exe
2348	powershell.exe
1900	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
2364	Synaptics.exe
2364	Synaptics.exe
2364	Synaptics.exe
2364	Synaptics.exe
2512	powershell.exe
2268	powershell.exe
2364	Synaptics.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1900	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	2364	Synaptics.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2704	._cache_2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
1600	EXCEL.EXE

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2348	1900	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	31
PID 1900 wrote to memory of 2348	1900	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	31
PID 1900 wrote to memory of 2348	1900	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	31
PID 1900 wrote to memory of 2348	1900	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	31
PID 1900 wrote to memory of 2740	1900	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	33
PID 1900 wrote to memory of 2740	1900	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	33
PID 1900 wrote to memory of 2740	1900	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	33
PID 1900 wrote to memory of 2740	1900	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	33
PID 1900 wrote to memory of 2848	1900	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	34
PID 1900 wrote to memory of 2848	1900	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	34
PID 1900 wrote to memory of 2848	1900	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	34
PID 1900 wrote to memory of 2848	1900	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	34
PID 1900 wrote to memory of 2808	1900	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	37
PID 1900 wrote to memory of 2808	1900	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	37
PID 1900 wrote to memory of 2808	1900	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	37
PID 1900 wrote to memory of 2808	1900	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	37
PID 1900 wrote to memory of 2808	1900	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	37
PID 1900 wrote to memory of 2808	1900	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	37
PID 1900 wrote to memory of 2808	1900	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	37
PID 1900 wrote to memory of 2808	1900	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	37
PID 1900 wrote to memory of 2808	1900	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	37
PID 1900 wrote to memory of 2808	1900	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	37
PID 1900 wrote to memory of 2808	1900	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	37
PID 1900 wrote to memory of 2808	1900	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	37
PID 2808 wrote to memory of 2704	2808	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	38
PID 2808 wrote to memory of 2704	2808	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	38
PID 2808 wrote to memory of 2704	2808	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	38
PID 2808 wrote to memory of 2704	2808	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	38
PID 2808 wrote to memory of 2364	2808	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	39
PID 2808 wrote to memory of 2364	2808	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	39
PID 2808 wrote to memory of 2364	2808	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	39
PID 2808 wrote to memory of 2364	2808	2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe	39
PID 2364 wrote to memory of 2512	2364	Synaptics.exe	40
PID 2364 wrote to memory of 2512	2364	Synaptics.exe	40
PID 2364 wrote to memory of 2512	2364	Synaptics.exe	40
PID 2364 wrote to memory of 2512	2364	Synaptics.exe	40
PID 2364 wrote to memory of 2268	2364	Synaptics.exe	42
PID 2364 wrote to memory of 2268	2364	Synaptics.exe	42
PID 2364 wrote to memory of 2268	2364	Synaptics.exe	42
PID 2364 wrote to memory of 2268	2364	Synaptics.exe	42
PID 2364 wrote to memory of 2212	2364	Synaptics.exe	43
PID 2364 wrote to memory of 2212	2364	Synaptics.exe	43
PID 2364 wrote to memory of 2212	2364	Synaptics.exe	43
PID 2364 wrote to memory of 2212	2364	Synaptics.exe	43
PID 2364 wrote to memory of 1560	2364	Synaptics.exe	46
PID 2364 wrote to memory of 1560	2364	Synaptics.exe	46
PID 2364 wrote to memory of 1560	2364	Synaptics.exe	46
PID 2364 wrote to memory of 1560	2364	Synaptics.exe	46
PID 2364 wrote to memory of 1560	2364	Synaptics.exe	46
PID 2364 wrote to memory of 1560	2364	Synaptics.exe	46
PID 2364 wrote to memory of 1560	2364	Synaptics.exe	46
PID 2364 wrote to memory of 1560	2364	Synaptics.exe	46
PID 2364 wrote to memory of 1560	2364	Synaptics.exe	46
PID 2364 wrote to memory of 1560	2364	Synaptics.exe	46
PID 2364 wrote to memory of 1560	2364	Synaptics.exe	46
PID 2364 wrote to memory of 1560	2364	Synaptics.exe	46
PID 1560 wrote to memory of 856	1560	Synaptics.exe	47
PID 1560 wrote to memory of 856	1560	Synaptics.exe	47
PID 1560 wrote to memory of 856	1560	Synaptics.exe	47
PID 1560 wrote to memory of 856	1560	Synaptics.exe	47

C:\Users\Admin\AppData\Local\Temp\2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2348
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BLznCuyzwk.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLznCuyzwk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp168D.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2848
- C:\Users\Admin\AppData\Local\Temp\2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\._cache_2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2704
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2512
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BLznCuyzwk.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2268
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLznCuyzwk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp693E.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2212
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1560
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
        5⤵
        Executes dropped EXE
        
        PID:856

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
9.7MB

MD5
5a6f38693f748bbc32b3068f72c93075

SHA1
8e80b4b3c3b313527a02ce59c9d8a3623986f2a9

SHA256
f36f8948667116064a7810b6a1971d5ebf49f225cd0c5a0d7b7def870f93e31f

SHA512
074dda5143fac0cbe0fa099dd4a2970ba3a6272a788b9df66387cb1caa7914843cd073df2e9274a4402f2fe5606ac164c8c71f3e35776454355bcde24a93ace5

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
268cef4dc410d5f0e8b6a14d9330cb5f

SHA1
d7a12caec62804936fef6ff5cb7dc0e1a677a65c

SHA256
c0595ade6d0b7d465b3b3af3733e6fe970d085179264deea5fdf2400cd865326

SHA512
928ee4edef0db924292ad48c80e46b898901c43e0c4922ae191e8e8baebae41e9a7b232ab4ab1ab8aa1f3d617533dcd6b1e40658b5478bbcc27342218b604a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\3YrVVWpi.xlsm

Filesize
24KB

MD5
f3f1327af1c008654282edeaf165cc08

SHA1
452b52fdd9852650ab0184da845d6d5db4ec7c91

SHA256
559a11ec58cce477969474265372933470a5c5a3df6972393850d0e91e64e693

SHA512
4d0467d7bee899f6649aa8a3c73bab66099103aed236eff4d049585dabbbde0c4bfe9196f3bdc4fd3941c566eb3d7bb293ad6dcab72736d2dd2cc9dd0a260cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3YrVVWpi.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\3YrVVWpi.xlsm

Filesize
31KB

MD5
e494331fba13ba4eaee88d9e8c00f11e

SHA1
23f6e63fa807fef64c798f2b4c9edd07a960d23f

SHA256
07f51350bcde7a9497c9b109d93e3b7242c7142ae3e3bb5c7ebd2b804092fd91

SHA512
c731789df9dd9d0da4a51054083f12e28c0985001f472beedcdeec99a12d3d24e25cadc21a9678f49a060998ccd962bd55cd5576880dad1ad48cee9e380b3573

Download Submit
C:\Users\Admin\AppData\Local\Temp\3YrVVWpi.xlsm

Filesize
26KB

MD5
19a640d33aa2d429a8600b5a23da6ccd

SHA1
5d5a8d02edca3409b8ffa0c707c115f621390f13

SHA256
474b3f31131b6a34a715e652b128a91e6c4d78547fded451d696d730ea5bef67

SHA512
313796f4dc8fbf1f900e66bc9ed72223a1cfdbf1cd95630dd2600f9b1a4787afd5a37c70309510526cb813a5aa55e78638198dc5353eda03005e64584c47ea19

Download Submit
C:\Users\Admin\AppData\Local\Temp\3YrVVWpi.xlsm

Filesize
26KB

MD5
541e666836f3d8d33f414365f9728cb1

SHA1
5c97ef92912643c05e824c6c52f0159809ccf5e3

SHA256
b7f76c947637353a21d9eb0737b2e91032423c9fabbf7f0b6d2164f037ca56e0

SHA512
427ee61968ee3f547aceaa725c1b71252ca06d9df23cff51334d0bc8124619967fd335429bde159e83bc18470490081318e5ace9cf691398b6034e5f1564bb37

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp168D.tmp

Filesize
1KB

MD5
1fae72122be7ed51c261cf8648a188c0

SHA1
5f29b533b4e04bd9f32e8df410443aad85ba6d66

SHA256
89f7ff3be8355ed44610649a04cf412a6c78d35d27d98b83f78d7c80e805fabe

SHA512
b88ccc3787fff223cb3af43b25acd802a4f8c1c1fc996404a5e9565c8d25cfd3651a37f06b952d10acc6c26987d11e25de93e315b1d5df976d6a24dc2f3efb3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~$3YrVVWpi.xlsm

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LYL8QYHZK1HWPXOHYLP1.temp

Filesize
7KB

MD5
3d0386a711520ba3b9dce99679f882da

SHA1
c8b82f1055fca65246f4f9003017895b7af9f0cb

SHA256
0244e0e66b5a87b22616a0b8786335540fe5137202aea27381ea4ef6525c1d4a

SHA512
8c8e314a2b7f5f5a38d78b76a157b0ba908aaf7375c6dc1e59fbde67d9e559aa432e48051fb0206c30e88f2811fb161aa75d81e595960b19e538f6b94463cc45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
b35cdcdb33ee785f40c661062c821602

SHA1
4972e2c88b467308ff6e83c8ff67776ccafec47f

SHA256
f41d0b170afcb5849cb707e82ff6a9d7722904c57369084cc122ad3a18136814

SHA512
68b8bcade720de1f1f841365521e08616451c0dab8f5dd125e1ec1885db3a0b32039ca415a659e5745074509f6877c885ea65ce1072dee1e31fba06e04c1c091

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_2024-12-07_5a6f38693f748bbc32b3068f72c93075_formbook_luca-stealer_magniber.exe

Filesize
483KB

MD5
f3b57ccad1c0a308635e17aa591e4038

SHA1
ca67ad3c74523b844fc23563f7b288f0389fd645

SHA256
5ad6b9a917f35be0a1d66c771069c2143ad765737eedd85436acbc0f95a4c0e7

SHA512
5ed754a1b254e8a4b03e0445ac0081c94aaf179c2974827ce4ff10b7deb765d819243b2084212d7c91be9ddc07bf94f55e35f85564781b4124b61647a2f0977a

Download Submit
memory/1560-190-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1560-184-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1560-185-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1560-96-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1560-93-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1560-228-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1600-108-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1600-186-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1900-5-0x00000000746C0000-0x0000000074DAE000-memory.dmp

Filesize
6.9MB

Download
memory/1900-3-0x0000000000620000-0x0000000000638000-memory.dmp

Filesize
96KB

Download
memory/1900-4-0x00000000746CE000-0x00000000746CF000-memory.dmp

Filesize
4KB

Download
memory/1900-6-0x00000000059F0000-0x0000000005B6E000-memory.dmp

Filesize
1.5MB

Download
memory/1900-36-0x00000000746C0000-0x0000000074DAE000-memory.dmp

Filesize
6.9MB

Download
memory/1900-0-0x00000000746CE000-0x00000000746CF000-memory.dmp

Filesize
4KB

Download
memory/1900-2-0x00000000746C0000-0x0000000074DAE000-memory.dmp

Filesize
6.9MB

Download
memory/1900-1-0x00000000012B0000-0x0000000001C5E000-memory.dmp

Filesize
9.7MB

Download
memory/2364-62-0x00000000011C0000-0x0000000001B6E000-memory.dmp

Filesize
9.7MB

Download
memory/2808-23-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2808-34-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2808-19-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2808-21-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2808-27-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2808-29-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2808-31-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2808-35-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2808-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2808-26-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download