remcos | 514a14f7267dac3425bbce5401ec23c852d328f31d7ddc5ff5b8f8b9e593d832

Analysis

max time kernel
149s
max time network
136s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
04-01-2025 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe
Size

12.7MB
MD5

a94900a8aa0fbbdba50000bf65d5d62e
SHA1

758cbdcf90fc582ee39578035df0836039b98871
SHA256

514a14f7267dac3425bbce5401ec23c852d328f31d7ddc5ff5b8f8b9e593d832
SHA512

2ce1a09b531ee17408d7c9259db57b151b58a36e305c4a732e57e0c4ddd0888c4e934960ee4b73bfea766c70cb2325e9c99866d04067e63a0e514f43de82f770
SSDEEP

196608:HR668aaELaR668aaELsR668aaELuR668aaELwR668aaELVFKzYN:Hp8aaDp8aa9p8aaXp8aahp8aa

Score

10^/10

remcos xred backdoor discovery execution macro persistence rat

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2868	powershell.exe
2908	powershell.exe
2776	powershell.exe
2956	powershell.exe

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x00050000000186e7-144.dat

Executes dropped EXE 4 IoCs

pid	Process
1408	._cache_2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe
1660	Synaptics.exe
844	Synaptics.exe
2544	._cache_Synaptics.exe

Loads dropped DLL 6 IoCs

pid	Process
2760	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe
2760	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe
2760	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe
844	Synaptics.exe
844	Synaptics.exe
844	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2100 set thread context of 2760	2100	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe	37
PID 1660 set thread context of 844	1660	Synaptics.exe	46

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2564	schtasks.exe
536	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
284	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2100	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe
2100	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe
2100	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe
2100	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe
2100	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe
2908	powershell.exe
2868	powershell.exe
1660	Synaptics.exe
1660	Synaptics.exe
1660	Synaptics.exe
1660	Synaptics.exe
2956	powershell.exe
2776	powershell.exe
1660	Synaptics.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2100	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	1660	Synaptics.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1408	._cache_2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe
284	EXCEL.EXE

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2868	2100	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe	31
PID 2100 wrote to memory of 2868	2100	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe	31
PID 2100 wrote to memory of 2868	2100	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe	31
PID 2100 wrote to memory of 2868	2100	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe	31
PID 2100 wrote to memory of 2908	2100	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe	33
PID 2100 wrote to memory of 2908	2100	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe	33
PID 2100 wrote to memory of 2908	2100	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe	33
PID 2100 wrote to memory of 2908	2100	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe	33
PID 2100 wrote to memory of 536	2100	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe	35
PID 2100 wrote to memory of 536	2100	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe	35
PID 2100 wrote to memory of 536	2100	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe	35
PID 2100 wrote to memory of 536	2100	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe	35
PID 2100 wrote to memory of 2760	2100	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe	37
PID 2100 wrote to memory of 2760	2100	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe	37
PID 2100 wrote to memory of 2760	2100	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe	37
PID 2100 wrote to memory of 2760	2100	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe	37
PID 2100 wrote to memory of 2760	2100	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe	37
PID 2100 wrote to memory of 2760	2100	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe	37
PID 2100 wrote to memory of 2760	2100	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe	37
PID 2100 wrote to memory of 2760	2100	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe	37
PID 2100 wrote to memory of 2760	2100	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe	37
PID 2100 wrote to memory of 2760	2100	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe	37
PID 2100 wrote to memory of 2760	2100	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe	37
PID 2100 wrote to memory of 2760	2100	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe	37
PID 2760 wrote to memory of 1408	2760	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe	38
PID 2760 wrote to memory of 1408	2760	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe	38
PID 2760 wrote to memory of 1408	2760	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe	38
PID 2760 wrote to memory of 1408	2760	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe	38
PID 2760 wrote to memory of 1660	2760	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe	39
PID 2760 wrote to memory of 1660	2760	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe	39
PID 2760 wrote to memory of 1660	2760	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe	39
PID 2760 wrote to memory of 1660	2760	2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe	39
PID 1660 wrote to memory of 2956	1660	Synaptics.exe	40
PID 1660 wrote to memory of 2956	1660	Synaptics.exe	40
PID 1660 wrote to memory of 2956	1660	Synaptics.exe	40
PID 1660 wrote to memory of 2956	1660	Synaptics.exe	40
PID 1660 wrote to memory of 2776	1660	Synaptics.exe	42
PID 1660 wrote to memory of 2776	1660	Synaptics.exe	42
PID 1660 wrote to memory of 2776	1660	Synaptics.exe	42
PID 1660 wrote to memory of 2776	1660	Synaptics.exe	42
PID 1660 wrote to memory of 2564	1660	Synaptics.exe	44
PID 1660 wrote to memory of 2564	1660	Synaptics.exe	44
PID 1660 wrote to memory of 2564	1660	Synaptics.exe	44
PID 1660 wrote to memory of 2564	1660	Synaptics.exe	44
PID 1660 wrote to memory of 844	1660	Synaptics.exe	46
PID 1660 wrote to memory of 844	1660	Synaptics.exe	46
PID 1660 wrote to memory of 844	1660	Synaptics.exe	46
PID 1660 wrote to memory of 844	1660	Synaptics.exe	46
PID 1660 wrote to memory of 844	1660	Synaptics.exe	46
PID 1660 wrote to memory of 844	1660	Synaptics.exe	46
PID 1660 wrote to memory of 844	1660	Synaptics.exe	46
PID 1660 wrote to memory of 844	1660	Synaptics.exe	46
PID 1660 wrote to memory of 844	1660	Synaptics.exe	46
PID 1660 wrote to memory of 844	1660	Synaptics.exe	46
PID 1660 wrote to memory of 844	1660	Synaptics.exe	46
PID 1660 wrote to memory of 844	1660	Synaptics.exe	46
PID 844 wrote to memory of 2544	844	Synaptics.exe	47
PID 844 wrote to memory of 2544	844	Synaptics.exe	47
PID 844 wrote to memory of 2544	844	Synaptics.exe	47
PID 844 wrote to memory of 2544	844	Synaptics.exe	47

C:\Users\Admin\AppData\Local\Temp\2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2868
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BLznCuyzwk.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLznCuyzwk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp23F5.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:536
- C:\Users\Admin\AppData\Local\Temp\2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1408
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2956
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BLznCuyzwk.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2776
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLznCuyzwk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7697.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2564
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:844
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
        5⤵
        Executes dropped EXE
        
        PID:2544

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
12.7MB

MD5
a94900a8aa0fbbdba50000bf65d5d62e

SHA1
758cbdcf90fc582ee39578035df0836039b98871

SHA256
514a14f7267dac3425bbce5401ec23c852d328f31d7ddc5ff5b8f8b9e593d832

SHA512
2ce1a09b531ee17408d7c9259db57b151b58a36e305c4a732e57e0c4ddd0888c4e934960ee4b73bfea766c70cb2325e9c99866d04067e63a0e514f43de82f770

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
23ee6497c7f9630754ad8f679261c854

SHA1
14d8fe00765b564fd807e1bf513c93a566b96ac3

SHA256
9a57b8d90af29b89df9cb529d754ee4d5a1fc396e4bbd5dbd8fd002fa7af607c

SHA512
f4505510ddf662e593c37300061859e40158c46829af297e56bf6567bd25315c6aa52154290152ee51292896463001e78e0b99c8e5d27590764f6c16e05bb79a

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_2025-01-04_a94900a8aa0fbbdba50000bf65d5d62e_formbook_luca-stealer_magniber.exe

Filesize
483KB

MD5
f3b57ccad1c0a308635e17aa591e4038

SHA1
ca67ad3c74523b844fc23563f7b288f0389fd645

SHA256
5ad6b9a917f35be0a1d66c771069c2143ad765737eedd85436acbc0f95a4c0e7

SHA512
5ed754a1b254e8a4b03e0445ac0081c94aaf179c2974827ce4ff10b7deb765d819243b2084212d7c91be9ddc07bf94f55e35f85564781b4124b61647a2f0977a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lyHrZNBB.xlsm

Filesize
24KB

MD5
2050d3e2d6f40cb1572207565b20ea05

SHA1
ea72dabcb9641b741e49aada12261f8f51d1eaf6

SHA256
dcca6b196f3383d5feb01add58093721696a77f19fb06259efccec387779167e

SHA512
b8620ca53ff05ff10d5475d7a6ba6953e555e5ff9fafe4cf4e4c6828be44edd22a196ea6c7ab497cce3928d0b2593841f114a75181208e84cfa54c6ef30f87e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\lyHrZNBB.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp23F5.tmp

Filesize
1KB

MD5
5fb6a0652b7d45085574a418df44d8a8

SHA1
d74e47d8da22f9c3f8780ca19f426e53303f7b96

SHA256
e265571eaa93cf7ced1d7ded82b61679c861b8b2cbd90b5d5149135b5d7c0c94

SHA512
90a8c52da6f9aaf3b3443b09a772e0c6308eee92c1fa40349808da91d0d1ff002fde4538dbaf94e5c7bf4b0fff8d267bf206dbab4f2498e13b895080b8a07203

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NARH7FQUYHL8VGHG7OJF.temp

Filesize
7KB

MD5
850e576e1565570628f23a6e4959b47e

SHA1
bb51baa0dcec07fc2dcdf13632b264b15a57518e

SHA256
9e149153b113a91d06455a9db1d94c2357dde6a31a8467073aac9e0e4edb2a89

SHA512
c24057c9261e2417a41bbc6e50c464c48a454ffefd82db3476e6af598a69e5184e40f1924c29c4bba514e654b0878446b28a596466013b10dce1edd88993f845

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
d010306f4828775533c4a9bae3edd133

SHA1
5e969db6f2ace60ad89a7469452758af8c7dbc06

SHA256
9b0c1afc0b867b4a5b25760c73a33846683b3d60d6f4a4511a6ea573b91599e0

SHA512
b9d0d1e3287f8f23154c01cd4cdf6d70e097d0c2a1bf2ffa8aa09678636279d9003d78ff0ee6d0afef0b34b49cd477d082b2f3c4686f8a59b516455720c4a14b

Download Submit
memory/284-133-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/284-128-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/284-127-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/284-129-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/284-124-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/284-125-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/284-126-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/284-130-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/284-131-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/284-132-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/284-134-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/284-135-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/284-114-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/284-116-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/284-120-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/284-109-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/284-112-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/284-113-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/284-122-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/284-121-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/284-119-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/284-123-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/284-118-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/284-117-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/284-115-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/844-194-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/844-94-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/844-97-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/844-152-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/844-153-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/844-156-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1660-62-0x00000000010E0000-0x0000000001DA6000-memory.dmp

Filesize
12.8MB

Download
memory/2100-6-0x0000000005D70000-0x0000000005EEE000-memory.dmp

Filesize
1.5MB

Download
memory/2100-0-0x00000000746FE000-0x00000000746FF000-memory.dmp

Filesize
4KB

Download
memory/2100-3-0x0000000000530000-0x0000000000548000-memory.dmp

Filesize
96KB

Download
memory/2100-5-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/2100-1-0x0000000000F50000-0x0000000001C16000-memory.dmp

Filesize
12.8MB

Download
memory/2100-4-0x00000000746FE000-0x00000000746FF000-memory.dmp

Filesize
4KB

Download
memory/2100-38-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/2100-2-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/2760-19-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2760-34-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2760-35-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2760-31-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2760-29-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2760-27-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2760-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2760-25-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2760-23-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/2760-22-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download