floxif | 372362b50557bf678a924d340f17399f8595a78ef51bba706b04571718b1c851

Analysis

max time kernel
104s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
03/04/2025, 23:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe
Size

16.8MB
MD5

38058339fdd2912c35147a02d93fd036
SHA1

7ce1111ba299613a6873d0427caca1979bd69504
SHA256

372362b50557bf678a924d340f17399f8595a78ef51bba706b04571718b1c851
SHA512

8604e3078f41a48c83d4c0bd422aca935fb6e3012cd86d7d68251d04858ffd25ed2b3da92069a711f52f321f977f1bec5a9977eb81c9324ba867e0bd5ce8e6d1
SSDEEP

393216:KUfoCkhfO/zFXGW/F/P9wXiXzThtaio4JfRs9:pRkdObGXYzt4kRk

Score

10^/10

floxif backdoor discovery execution persistence privilege_escalation trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x0008000000024341-1.dat	floxif

Blocklisted process makes network request 1 IoCs

flow	pid	Process
28	4800	powershell.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000024341-1.dat	acprotect

Executes dropped EXE 4 IoCs

pid	Process
1232	files.dat
4304	rld57725.exe
5728	2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe
5184	oinstrun.exe

Loads dropped DLL 7 IoCs

pid	Process
2452	2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe
1232	files.dat
4800	powershell.exe
4304	rld57725.exe
5728	2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe
5728	2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe
5728	2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4800	powershell.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe
File opened (read-only)	\??\e:	rld57725.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000024341-1.dat	upx
behavioral1/memory/2452-3-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1232-14-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/1232-26-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/4800-37-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/4800-64-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2452-66-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/4304-82-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/2452-83-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/5728-93-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/4304-89-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/5728-109-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	\??\c:\program files\common files\system\symsrv.dll.000	2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe
File created	C:\Program Files\Common Files\System\symsrv.dll	2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rld57725.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	files.dat

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1224	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1224	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4800	powershell.exe
2452	2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe
2452	2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe
4800	powershell.exe
4304	rld57725.exe
4304	rld57725.exe
5184	oinstrun.exe
5184	oinstrun.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2452	2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe
Token: SeIncreaseQuotaPrivilege	540	WMIC.exe
Token: SeSecurityPrivilege	540	WMIC.exe
Token: SeTakeOwnershipPrivilege	540	WMIC.exe
Token: SeLoadDriverPrivilege	540	WMIC.exe
Token: SeSystemProfilePrivilege	540	WMIC.exe
Token: SeSystemtimePrivilege	540	WMIC.exe
Token: SeProfSingleProcessPrivilege	540	WMIC.exe
Token: SeIncBasePriorityPrivilege	540	WMIC.exe
Token: SeCreatePagefilePrivilege	540	WMIC.exe
Token: SeBackupPrivilege	540	WMIC.exe
Token: SeRestorePrivilege	540	WMIC.exe
Token: SeShutdownPrivilege	540	WMIC.exe
Token: SeDebugPrivilege	540	WMIC.exe
Token: SeSystemEnvironmentPrivilege	540	WMIC.exe
Token: SeRemoteShutdownPrivilege	540	WMIC.exe
Token: SeUndockPrivilege	540	WMIC.exe
Token: SeManageVolumePrivilege	540	WMIC.exe
Token: 33	540	WMIC.exe
Token: 34	540	WMIC.exe
Token: 35	540	WMIC.exe
Token: 36	540	WMIC.exe
Token: SeIncreaseQuotaPrivilege	540	WMIC.exe
Token: SeSecurityPrivilege	540	WMIC.exe
Token: SeTakeOwnershipPrivilege	540	WMIC.exe
Token: SeLoadDriverPrivilege	540	WMIC.exe
Token: SeSystemProfilePrivilege	540	WMIC.exe
Token: SeSystemtimePrivilege	540	WMIC.exe
Token: SeProfSingleProcessPrivilege	540	WMIC.exe
Token: SeIncBasePriorityPrivilege	540	WMIC.exe
Token: SeCreatePagefilePrivilege	540	WMIC.exe
Token: SeBackupPrivilege	540	WMIC.exe
Token: SeRestorePrivilege	540	WMIC.exe
Token: SeShutdownPrivilege	540	WMIC.exe
Token: SeDebugPrivilege	540	WMIC.exe
Token: SeSystemEnvironmentPrivilege	540	WMIC.exe
Token: SeRemoteShutdownPrivilege	540	WMIC.exe
Token: SeUndockPrivilege	540	WMIC.exe
Token: SeManageVolumePrivilege	540	WMIC.exe
Token: 33	540	WMIC.exe
Token: 34	540	WMIC.exe
Token: 35	540	WMIC.exe
Token: 36	540	WMIC.exe
Token: SeDebugPrivilege	1232	files.dat
Token: SeIncreaseQuotaPrivilege	4564	WMIC.exe
Token: SeSecurityPrivilege	4564	WMIC.exe
Token: SeTakeOwnershipPrivilege	4564	WMIC.exe
Token: SeLoadDriverPrivilege	4564	WMIC.exe
Token: SeSystemProfilePrivilege	4564	WMIC.exe
Token: SeSystemtimePrivilege	4564	WMIC.exe
Token: SeProfSingleProcessPrivilege	4564	WMIC.exe
Token: SeIncBasePriorityPrivilege	4564	WMIC.exe
Token: SeCreatePagefilePrivilege	4564	WMIC.exe
Token: SeBackupPrivilege	4564	WMIC.exe
Token: SeRestorePrivilege	4564	WMIC.exe
Token: SeShutdownPrivilege	4564	WMIC.exe
Token: SeDebugPrivilege	4564	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4564	WMIC.exe
Token: SeRemoteShutdownPrivilege	4564	WMIC.exe
Token: SeUndockPrivilege	4564	WMIC.exe
Token: SeManageVolumePrivilege	4564	WMIC.exe
Token: 33	4564	WMIC.exe
Token: 34	4564	WMIC.exe
Token: 35	4564	WMIC.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 464	2452	2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe	88
PID 2452 wrote to memory of 464	2452	2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe	88
PID 2452 wrote to memory of 6016	2452	2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe	90
PID 2452 wrote to memory of 6016	2452	2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe	90
PID 464 wrote to memory of 540	464	cmd.exe	92
PID 464 wrote to memory of 540	464	cmd.exe	92
PID 2452 wrote to memory of 5024	2452	2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe	93
PID 2452 wrote to memory of 5024	2452	2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe	93
PID 5024 wrote to memory of 1232	5024	cmd.exe	96
PID 5024 wrote to memory of 1232	5024	cmd.exe	96
PID 5024 wrote to memory of 1232	5024	cmd.exe	96
PID 2452 wrote to memory of 4416	2452	2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe	97
PID 2452 wrote to memory of 4416	2452	2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe	97
PID 4416 wrote to memory of 4564	4416	cmd.exe	99
PID 4416 wrote to memory of 4564	4416	cmd.exe	99
PID 2452 wrote to memory of 4800	2452	2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe	100
PID 2452 wrote to memory of 4800	2452	2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe	100
PID 2452 wrote to memory of 4800	2452	2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe	100
PID 2452 wrote to memory of 4304	2452	2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe	108
PID 2452 wrote to memory of 4304	2452	2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe	108
PID 2452 wrote to memory of 4304	2452	2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe	108
PID 4304 wrote to memory of 5728	4304	rld57725.exe	109
PID 4304 wrote to memory of 5728	4304	rld57725.exe	109
PID 4304 wrote to memory of 5728	4304	rld57725.exe	109
PID 4304 wrote to memory of 5324	4304	rld57725.exe	110
PID 4304 wrote to memory of 5324	4304	rld57725.exe	110
PID 4304 wrote to memory of 5324	4304	rld57725.exe	110
PID 5324 wrote to memory of 1224	5324	cmd.exe	112
PID 5324 wrote to memory of 1224	5324	cmd.exe	112
PID 5324 wrote to memory of 1224	5324	cmd.exe	112
PID 5728 wrote to memory of 1108	5728	2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe	115
PID 5728 wrote to memory of 1108	5728	2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe	115
PID 5728 wrote to memory of 6068	5728	2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe	114
PID 5728 wrote to memory of 6068	5728	2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe	114
PID 6068 wrote to memory of 2728	6068	cmd.exe	119
PID 6068 wrote to memory of 2728	6068	cmd.exe	119
PID 5728 wrote to memory of 3952	5728	2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe	120
PID 5728 wrote to memory of 3952	5728	2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe	120
PID 3952 wrote to memory of 1672	3952	cmd.exe	122
PID 3952 wrote to memory of 1672	3952	cmd.exe	122
PID 5728 wrote to memory of 5184	5728	2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe	123
PID 5728 wrote to memory of 5184	5728	2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe	123

C:\Users\Admin\AppData\Local\Temp\2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:540
- C:\Windows\system32\reg.exe
  "C:\Windows\Sysnative\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f
  2⤵
  PID:6016
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c files.dat -y -pkmsauto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Users\Admin\AppData\Local\Temp\files\files.dat
    files.dat -y -pkmsauto
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1232
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\files"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\files"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4564
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -nop -command "& { (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData', 'C:\Users\Admin\AppData\Local\Temp\ver.txt') }"
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4800
- C:\Users\Admin\AppData\Local\Temp\rld57725.exe
  "C:\Users\Admin\AppData\Local\Temp\rld57725.exe" "C:\Users\Admin\AppData\Local\Temp\2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe" 1000
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\Users\Admin\AppData\Local\Temp\2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5728
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:6068
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe"
        5⤵
        
        PID:2728
  - - C:\Windows\system32\reg.exe
      "C:\Windows\Sysnative\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f
      4⤵
      PID:1108
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\files"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3952
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\files"
        5⤵
        
        PID:1672
  - - C:\Users\Admin\AppData\Local\Temp\oinstrun.exe
      "C:\Users\Admin\AppData\Local\Temp\oinstrun.exe" "C:\Users\Admin\AppData\Local\Temp\2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:5184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\SelfD98681.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5324
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1224

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a0 0x470
1⤵
PID:3664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\2025-04-03_38058339fdd2912c35147a02d93fd036_black-basta_floxif_luca-stealer_remcos_rhadamanthys.exe

Filesize
16.8MB

MD5
38058339fdd2912c35147a02d93fd036

SHA1
7ce1111ba299613a6873d0427caca1979bd69504

SHA256
372362b50557bf678a924d340f17399f8595a78ef51bba706b04571718b1c851

SHA512
8604e3078f41a48c83d4c0bd422aca935fb6e3012cd86d7d68251d04858ffd25ed2b3da92069a711f52f321f977f1bec5a9977eb81c9324ba867e0bd5ce8e6d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1D26E2\6198155C994.tmp

Filesize
16.7MB

MD5
9b3fb0ecd6f386cd5de681bb94aa5b41

SHA1
bc056e85655557d947b44eee9fcc07669e7caa08

SHA256
9aa6753d204409cde394b1c9dcfe8054be04166843f63f8847710861de9508be

SHA512
330325023064ffb7541a104c222a22d15b9f9a257f4f2658fcb564b1257d7ad03e568adf97e7f16c2a5cb4de6ed43f823371ca6ab43acf47b8b0975e1948422e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SelfD98681.bat

Filesize
157B

MD5
0f4fe8e2f00997e83b5228c29e0555af

SHA1
f61be9c264847c6cab090cf638dab58b0d35a775

SHA256
4cb228484f995b82165c57060008de79a3d77a64d7332803698f4820e53763b8

SHA512
146470c8b8eff4b824b33259efdb00fb1580015711ed73f26d063f4eb18d3521526dac463007a50b23df10c943154ce90fde1586738fbf4ffc4e05ef92aa0fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hfanhr3d.5f5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\files\configure.xml

Filesize
1KB

MD5
2a798f1fe71e7e78983e1b81f29e627b

SHA1
36674d34cce4a5afccaac4e339ac876f1bce2ca8

SHA256
f2980edd3fd3ed28f520150ba1dfb4b43fa2d2eb4b9f6ebc9634f53c99478f37

SHA512
bfc17e6b080b4faccd915795a4bee083112e1d7f67fe6bc455a2abc47676dcfca75002c7b0c25cd992c1e6c4dd9534c170aad58a29ad2441cf37c4dbaf13f5f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\files\files.dat

Filesize
765KB

MD5
bb5569b15d68c10b7ff2d96b45825120

SHA1
d6d2ed450aae4552f550f59bffe3dd42d8377835

SHA256
4e3b13b56bec0e41778e6506430282bbbd75ccaa600fd4b645ce37dd95b44c8e

SHA512
640a9ae2d40c272638485d37fad4ed83c9c215ce60a0bd3d50db9f033aa79d4c7fc276d018b05f0b1d8446f5e84a7350c857ee8097c05a472c26bfb446038957

Download Submit
C:\Users\Admin\AppData\Local\Temp\oinstrun.exe

Filesize
14KB

MD5
32973232138fc6b30d913167096c059d

SHA1
d6a7cb95d5525ea3d7286749663e12c1addb3104

SHA256
4a01c55f4727b3771c2672421aa2c5c20534ad0530449ed168a16a3d33345d3d

SHA512
ce0ca843705f7059bad14260a48647797a6cb2d84c162aa943eb090a7d18f708a3403d94f92fbc67c1b1216f941bf591f358e35fef76db34125f37595e256b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rld57725.exe

Filesize
16KB

MD5
fc8ec75b7b5f3a2be9fdc67ee8808afa

SHA1
e5723567f6f3d12c2eaea3d07955cf5a259c8a8f

SHA256
03382bd8037a9cf6905c87b98b6768bd93fec22faf2f4092d81ac970703ea14f

SHA512
c83ee781775fef4f65244b108bd9ac88643340375b0a2880af9c5d44259ea2f416130c01da0279eb2683988fdf7fc1f8a91e5b013bef28ceb3a086da5ac8bc2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ver.txt

Filesize
55KB

MD5
4b9e0333d339f3e547f480f643de2c82

SHA1
b07df0337e23e7b67440304a391245bdcde298f1

SHA256
9901afb549aa42209f965fe2358ac1ac3b2ceea20ec54a06d58474a05cff69d0

SHA512
218a8df5870499d2d15e5c12b195ef787d1d496767afb7d2d5670439a31ff752dfba0c2a27ae01567c2a2458f2b3e71a6bc611d72165b1e34b0e10dd4743f341

Download Submit
memory/1232-14-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/1232-26-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2452-7-0x000000000054D000-0x0000000000550000-memory.dmp

Filesize
12KB

Download
memory/2452-3-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2452-83-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/2452-66-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4304-82-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4304-89-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4800-42-0x0000000004F90000-0x00000000055B8000-memory.dmp

Filesize
6.2MB

Download
memory/4800-45-0x0000000005720000-0x0000000005786000-memory.dmp

Filesize
408KB

Download
memory/4800-59-0x00000000062B0000-0x00000000062CA000-memory.dmp

Filesize
104KB

Download
memory/4800-58-0x00000000075E0000-0x0000000007C5A000-memory.dmp

Filesize
6.5MB

Download
memory/4800-57-0x0000000005E10000-0x0000000005E5C000-memory.dmp

Filesize
304KB

Download
memory/4800-56-0x0000000005D80000-0x0000000005D9E000-memory.dmp

Filesize
120KB

Download
memory/4800-52-0x0000000005790000-0x0000000005AE4000-memory.dmp

Filesize
3.3MB

Download
memory/4800-37-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4800-41-0x0000000000FB0000-0x0000000000FE6000-memory.dmp

Filesize
216KB

Download
memory/4800-43-0x0000000004DC0000-0x0000000004DE2000-memory.dmp

Filesize
136KB

Download
memory/4800-64-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4800-44-0x00000000056B0000-0x0000000005716000-memory.dmp

Filesize
408KB

Download
memory/5728-93-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/5728-94-0x00000000031E0000-0x0000000003210000-memory.dmp

Filesize
192KB

Download
memory/5728-95-0x00000000031E0000-0x0000000003210000-memory.dmp

Filesize
192KB

Download
memory/5728-109-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download