General

  • Target: 65ba3a56ff4d0c52bc524392abf5f68ca9144c453d1ce044a559cdf37500679b.zip
  • Size: 413KB
  • Sample: 221027-yv1jzadcd4
  • MD5: 2faaf9c9ae7376f845068b6ee7ac8b4e
  • SHA1: d11ffcbfdde8c86d07e6c580cfbb02959c8cab02
  • SHA256: 16426a775880f1c2b7f79244f86460746cee7dcb65386df2c082abebc7a5d1cf
  • SHA512: 471a1ff821779a9dd30f2b7e7054ec349a795b7e6135d3fe5a8dbda4767846bdc2902f0e51993e37840d19518d7fd0bc6561e508287277c58377f5728ce38e84
  • SSDEEP: 6144:HPzebEYN1hSUj1nap/vz39CNYnHLLH8k6CBAsETxy1N9+5GRcodDGnzGtq6/0XEu:H0EYX4ow/L39bnHLLwsEo1kRGtq6/Y

Malware Config

Extracted

  • Family: remcos
  • Version: 3.2.0 Pro
  • Botnet: RemoteHost
  • C2: ghostboy.gotdns.ch:3924

Attributes

  • audio_folder: MicRecords
  • audio_path: %AppData%
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: ghostboy
  • delete_file: false
  • hide_file: true
  • hide_keylog_file: true
  • install_flag: false
  • install_path: %AppData%
  • keylog_crypt: true
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: remcos
  • keylog_path: %AppData%
  • mouse_option: false
  • mutex: Remcos-R5JURE
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • startup_value: Remcos
  • take_screenshot_option: false
  • take_screenshot_time: 5
  • take_screenshot_title: notepad;solitaire;

Targets

    • Target: WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe
    • Size: 436KB
    • MD5: e79a346563c8229ade00a77e2cebc81a
    • SHA1: ee6d168305f2d139b951296ff80845dce7380451
    • SHA256: 68f90e7cd6f81bcd548c046cfaca36e766da7fdcdddf286ef769c30062fde895
    • SHA512: b2cb7701be9ebc6a33bed38ce417ef9089cf31a3b4f65e8528de645699ba25ab864b1e86d70180cfe1467c0f74c3ec26762a4f9b5bf0be3bc4e3b48317eada87
    • SSDEEP: 12288:1Ltdhijtuzu2H884oL4lW6ynCsV1QXq9bNAP8WLS:1Ltd9H8NoLs9yCGK6XOLS

    • Modifies WinLogon for persistence

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Suspicious use of SetThreadContext
