remcos | a08da13ae86cffb5eea91b875e36eda9fc3f8ce853a1f5c9ef13f4737da35630

Analysis

max time kernel
150s
max time network
138s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe
Size

19.4MB
MD5

b735cbba7967f4a2272c7eae86f60cfc
SHA1

79dba983b8e28d976d8d263c5114e134d1d9d9e3
SHA256

a08da13ae86cffb5eea91b875e36eda9fc3f8ce853a1f5c9ef13f4737da35630
SHA512

c96a3f136ad4e777ab0132944fa741d06ce11a7c1ff1223be19a575fef0f169e090a98e4941049819001b3858b3fc0404dc3c094f5a5e28d4d69a425dcb2bab2
SSDEEP

393216:Op8aa1p8aaHp8aa+p8aaMp8aaGp8aaQp8aaqp8aa0p8aaSp8aa4:Kxa3xaJxaaxaAxaixa8xa+xaoxamxa4

Score

10^/10

remcos xred abillion+naira backdoor discovery execution persistence rat

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

remcos

Botnet

ABILLION+NAIRA

nzobaku.ddns.net:8081

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-S0L1LJ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2640	powershell.exe
2744	powershell.exe
2784	powershell.exe
2608	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
2004	._cache_2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe
1900	Synaptics.exe
1624	Synaptics.exe
904	._cache_Synaptics.exe

Loads dropped DLL 6 IoCs

pid	Process
2720	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe
2720	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe
2720	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe
1624	Synaptics.exe
1624	Synaptics.exe
1624	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 584 set thread context of 2720	584	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe	37
PID 1900 set thread context of 1624	1900	Synaptics.exe	46

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2896	schtasks.exe
2704	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3004	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
584	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe
584	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe
584	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe
584	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe
584	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe
2744	powershell.exe
2640	powershell.exe
1900	Synaptics.exe
1900	Synaptics.exe
1900	Synaptics.exe
1900	Synaptics.exe
2608	powershell.exe
2784	powershell.exe
1900	Synaptics.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	584	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	1900	Synaptics.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2004	._cache_2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe
3004	EXCEL.EXE

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 584 wrote to memory of 2640	584	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe	31
PID 584 wrote to memory of 2640	584	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe	31
PID 584 wrote to memory of 2640	584	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe	31
PID 584 wrote to memory of 2640	584	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe	31
PID 584 wrote to memory of 2744	584	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe	33
PID 584 wrote to memory of 2744	584	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe	33
PID 584 wrote to memory of 2744	584	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe	33
PID 584 wrote to memory of 2744	584	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe	33
PID 584 wrote to memory of 2704	584	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe	35
PID 584 wrote to memory of 2704	584	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe	35
PID 584 wrote to memory of 2704	584	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe	35
PID 584 wrote to memory of 2704	584	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe	35
PID 584 wrote to memory of 2720	584	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe	37
PID 584 wrote to memory of 2720	584	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe	37
PID 584 wrote to memory of 2720	584	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe	37
PID 584 wrote to memory of 2720	584	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe	37
PID 584 wrote to memory of 2720	584	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe	37
PID 584 wrote to memory of 2720	584	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe	37
PID 584 wrote to memory of 2720	584	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe	37
PID 584 wrote to memory of 2720	584	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe	37
PID 584 wrote to memory of 2720	584	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe	37
PID 584 wrote to memory of 2720	584	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe	37
PID 584 wrote to memory of 2720	584	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe	37
PID 584 wrote to memory of 2720	584	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe	37
PID 2720 wrote to memory of 2004	2720	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe	38
PID 2720 wrote to memory of 2004	2720	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe	38
PID 2720 wrote to memory of 2004	2720	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe	38
PID 2720 wrote to memory of 2004	2720	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe	38
PID 2720 wrote to memory of 1900	2720	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe	39
PID 2720 wrote to memory of 1900	2720	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe	39
PID 2720 wrote to memory of 1900	2720	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe	39
PID 2720 wrote to memory of 1900	2720	2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe	39
PID 1900 wrote to memory of 2784	1900	Synaptics.exe	40
PID 1900 wrote to memory of 2784	1900	Synaptics.exe	40
PID 1900 wrote to memory of 2784	1900	Synaptics.exe	40
PID 1900 wrote to memory of 2784	1900	Synaptics.exe	40
PID 1900 wrote to memory of 2608	1900	Synaptics.exe	42
PID 1900 wrote to memory of 2608	1900	Synaptics.exe	42
PID 1900 wrote to memory of 2608	1900	Synaptics.exe	42
PID 1900 wrote to memory of 2608	1900	Synaptics.exe	42
PID 1900 wrote to memory of 2896	1900	Synaptics.exe	43
PID 1900 wrote to memory of 2896	1900	Synaptics.exe	43
PID 1900 wrote to memory of 2896	1900	Synaptics.exe	43
PID 1900 wrote to memory of 2896	1900	Synaptics.exe	43
PID 1900 wrote to memory of 1624	1900	Synaptics.exe	46
PID 1900 wrote to memory of 1624	1900	Synaptics.exe	46
PID 1900 wrote to memory of 1624	1900	Synaptics.exe	46
PID 1900 wrote to memory of 1624	1900	Synaptics.exe	46
PID 1900 wrote to memory of 1624	1900	Synaptics.exe	46
PID 1900 wrote to memory of 1624	1900	Synaptics.exe	46
PID 1900 wrote to memory of 1624	1900	Synaptics.exe	46
PID 1900 wrote to memory of 1624	1900	Synaptics.exe	46
PID 1900 wrote to memory of 1624	1900	Synaptics.exe	46
PID 1900 wrote to memory of 1624	1900	Synaptics.exe	46
PID 1900 wrote to memory of 1624	1900	Synaptics.exe	46
PID 1900 wrote to memory of 1624	1900	Synaptics.exe	46
PID 1624 wrote to memory of 904	1624	Synaptics.exe	47
PID 1624 wrote to memory of 904	1624	Synaptics.exe	47
PID 1624 wrote to memory of 904	1624	Synaptics.exe	47
PID 1624 wrote to memory of 904	1624	Synaptics.exe	47

C:\Users\Admin\AppData\Local\Temp\2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:584
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2640
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BLznCuyzwk.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLznCuyzwk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2B06.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2704
- C:\Users\Admin\AppData\Local\Temp\2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\._cache_2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2004
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2784
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BLznCuyzwk.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2608
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLznCuyzwk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7E83.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2896
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1624
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
        5⤵
        Executes dropped EXE
        
        PID:904

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
19.4MB

MD5
b735cbba7967f4a2272c7eae86f60cfc

SHA1
79dba983b8e28d976d8d263c5114e134d1d9d9e3

SHA256
a08da13ae86cffb5eea91b875e36eda9fc3f8ce853a1f5c9ef13f4737da35630

SHA512
c96a3f136ad4e777ab0132944fa741d06ce11a7c1ff1223be19a575fef0f169e090a98e4941049819001b3858b3fc0404dc3c094f5a5e28d4d69a425dcb2bab2

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
c3bed71a5295d95cb1d1af074267839d

SHA1
c976b03ed1daed7ef165b47c871207268d054e4b

SHA256
54e72b82a05656233fc75338b63df73e861ccbab6a6d69c5dd63eb86314e4424

SHA512
24da21787bb1a37f9362ee7e5bbed4489d119004ce22d0eb70de2aa2b083277fd6e32d8d23ba494ecb6935a03ecf7bc8297978c49ce6e6a3303819f932fd3548

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_2024-12-16_b735cbba7967f4a2272c7eae86f60cfc_formbook_luca-stealer_magniber.exe

Filesize
483KB

MD5
f3b57ccad1c0a308635e17aa591e4038

SHA1
ca67ad3c74523b844fc23563f7b288f0389fd645

SHA256
5ad6b9a917f35be0a1d66c771069c2143ad765737eedd85436acbc0f95a4c0e7

SHA512
5ed754a1b254e8a4b03e0445ac0081c94aaf179c2974827ce4ff10b7deb765d819243b2084212d7c91be9ddc07bf94f55e35f85564781b4124b61647a2f0977a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pTLxQSI4.xlsm

Filesize
24KB

MD5
d88b596841fe8090cc02853651eabd0f

SHA1
3007873bb64cc519aeab4cfcee2f482b61b0d5a3

SHA256
87629a6ff920e1de6e7215f14e51d662a6b3d1fea135139d32fe9a1d3e8ce432

SHA512
61d1db60d3c6375328d29e14935e5eb75f52cc817f3373d5a53345926c5c0eb1b6abdb178cdbf2dfe0443f2b564ebc1fb2c72f2df1ba3f43607773e4116a235d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pTLxQSI4.xlsm

Filesize
31KB

MD5
b05ab3f49921f3bdf9a6cd2721764ff3

SHA1
8304d7e9e7a3f77d6a7945904d9c0b8098d5fbb1

SHA256
bf72fa3b1c9c7e90736d0036c411083534cb1dcadf4004dfe57501735d8f3198

SHA512
916045ddd04d66b390354a6cd9227294af8c62cfbb6a882519b02ddab40fa678baadb6a1f56cb211700b52cbe9882077070898b6f0246e53e6e3cea5b46ad513

Download Submit
C:\Users\Admin\AppData\Local\Temp\pTLxQSI4.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\pTLxQSI4.xlsm

Filesize
26KB

MD5
955e3b7aabc53e807d676a41f1a2a654

SHA1
1f8eaa51bd48bd93b906bc3dfb96bf43b4c182fe

SHA256
88122a1dcdae0320dd396a61ab6493d101ed0ae4a3d2c2394e1bbc9e3c1d5d47

SHA512
c013d7ae097ce07317edd75ab8223eb09c95bc5d9d009edc77c796a2e706083605c5df9413d0e522f14e2c7d2835264cf6bfaa634dd05951970abcba437ec32b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pTLxQSI4.xlsm

Filesize
26KB

MD5
9d37f9523fa910f761230c8b396d062c

SHA1
955dc1f206470b711fe4cf46cdd37b5b7473ce9b

SHA256
22b2991ded18afa0c7d9b85bdbfe12b3ea5da9810f979f9f2558acf25f13cddd

SHA512
d7716955f2695b3cf0904c4ba456ef9dc935b57bd27973abf223fb41530683c26ec7e5407096c0b45d128d862647505aac3f403654879b59a674aed87deab7be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2B06.tmp

Filesize
1KB

MD5
2dedb79864039a421308db337e4a28e1

SHA1
8ff384d54a65f6d3998904c3d411b03a35969caa

SHA256
c0ecc7356e4e277361abbe03f39a1304f806cb434f53228726afb03b1aa31e9e

SHA512
afce7c3acbf100fc8154104fe39f84696188f1dc1d019e877757af901b9d0f11274801644f6ede2968676b103e7889dabfdf9f77b1d29638fc0fb2d367b18e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\~$pTLxQSI4.xlsm

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1BI27JVTXR7XYWN48EIQ.temp

Filesize
7KB

MD5
a1ccf5a96397ffc6b7fc89f0a6fdb3cc

SHA1
9d88b3a7a6fddc76736c69c31c7a8b60c33f5fef

SHA256
2cd4c87d79ad033991fb7b25f075e50d28e482426f1974de70b9fbe698a9a599

SHA512
a820b3b593f6fe81071872bd1e45f1c37e0b27b9aec98b500b64899cc5e2794dc1aa419f1e8310e61288c7b273756d5e5cf4c97a85b77eefa1158119abf7694a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
bbf8c84b4025d8ad6f0b498ef495a718

SHA1
abfaa4cec032d6d888fc43e5f80ec82155f96de5

SHA256
9c6646bf03c9b7340ee9533ea143cbb9038f07ab86f7d6c3405a83e740cdb514

SHA512
a2206c9eefaab8a7131418acf85ed3f472e07f59b8843d409907280f9fae69039839da5b9fb47277dd5bbce159332dd3a09cdf5a6904afcd7cfcb8da168e7b37

Download Submit
memory/584-2-0x0000000074050000-0x000000007473E000-memory.dmp

Filesize
6.9MB

Download
memory/584-3-0x0000000000590000-0x00000000005A8000-memory.dmp

Filesize
96KB

Download
memory/584-1-0x0000000001230000-0x000000000259E000-memory.dmp

Filesize
19.4MB

Download
memory/584-4-0x000000007405E000-0x000000007405F000-memory.dmp

Filesize
4KB

Download
memory/584-0-0x000000007405E000-0x000000007405F000-memory.dmp

Filesize
4KB

Download
memory/584-5-0x0000000074050000-0x000000007473E000-memory.dmp

Filesize
6.9MB

Download
memory/584-38-0x0000000074050000-0x000000007473E000-memory.dmp

Filesize
6.9MB

Download
memory/584-6-0x0000000006340000-0x00000000064BE000-memory.dmp

Filesize
1.5MB

Download
memory/1624-185-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1624-229-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1624-191-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1624-186-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1624-97-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1624-94-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1900-62-0x0000000001080000-0x00000000023EE000-memory.dmp

Filesize
19.4MB

Download
memory/2720-34-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2720-29-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2720-21-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2720-31-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2720-27-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2720-23-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2720-35-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2720-25-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2720-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2720-19-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/3004-109-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3004-187-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download