General

  • Target: PAYMENT COPY.zip
  • Size: 2KB
  • Sample: 221026-de7ccseeg3
  • MD5: 9d56dbb68ada324b6f33c9bb501296b6
  • SHA1: 00c7c23b542dec61c4b7144eca87f6375180ff3a
  • SHA256: f21a4babef71b5a6e686d59ce063703582c891ac7eca80add3624ce62d82ba4a
  • SHA512: 19a436e1f1a634e71e538c0f0c3d5b6cceda1c3b318dec6cc415ea19a080dc0adafa3488f3e4273dc25f6b0a3fc9cdfa8133bc229e6f13555dc2beda30ea4a42

Score
10/10

Malware Config

Extracted

Family: remcos

Botnet: RemoteHost

C2: 51.75.209.245:2404

Attributes
  • audio_folder: MicRecords
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • keylog_crypt: false
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: remcos
  • mouse_option: false
  • mutex: Rmc-CMFPLR
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • startup_value: Remcos
  • take_screenshot_option: false
  • take_screenshot_time: 5

Targets

    • Target: PAYMENT COPY.js
    • Size: 4KB
    • MD5: c8aa969d7b3ce381561a1809ddfea06e
    • SHA1: bb0975b82214658c963413587e38ca1fdbea8c9c
    • SHA256: ca21396df7eba831ea17c98d2fdd4321a8b529bb1a103f9f5f0249f3f69d7494
    • SHA512: 2fa60b56ebacdd0bdcf3116dbeac968dca52140e4d2605eb0ccdb5f35aae1298394452a341d56afa5afb1652704aefaac29049dca75f111d567c831a5f1ac053
    • SSDEEP: 96:KIYh3+AD6+IqaOiL5zCHdDjcmAPF1+h6kbWgn7towcGtoK4DZfI9SjXpfRhUnjE7:VCITOiLsdmtw0Mn7GwcGtoK49fI9SDNN

    Score
    10/10
    • Remcos: Remcos is a closed-source remote control and surveillance software.
    • Blocklisted process makes network request
    • Downloads MZ/PE file
    • Executes dropped EXE
    • Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
    • Deletes itself
    • Drops startup file
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks