General
Target: 65ba3a56ff4d0c52bc524392abf5f68ca9144c453d1ce044a559cdf37500679b.zip
Size: 413KB
Sample: 221027-yv1jzadcd4
MD5: 2faaf9c9ae7376f845068b6ee7ac8b4e
SHA1: d11ffcbfdde8c86d07e6c580cfbb02959c8cab02
SHA256: 16426a775880f1c2b7f79244f86460746cee7dcb65386df2c082abebc7a5d1cf
SHA512: 471a1ff821779a9dd30f2b7e7054ec349a795b7e6135d3fe5a8dbda4767846bdc2902f0e51993e37840d19518d7fd0bc6561e508287277c58377f5728ce38e84
SSDEEP: 6144:HPzebEYN1hSUj1nap/vz39CNYnHLLH8k6CBAsETxy1N9+5GRcodDGnzGtq6/0XEu:H0EYX4ow/L39bnHLLwsEo1kRGtq6/Y
Static task: static1
Behavioral task: behavioral1
Sample: WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe
Resource: win10v2004-20220812-en
Malware Config
Extracted
Family: remcos
Version: 3.2.0 Pro
RemoteHost: ghostboy.gotdns.ch:3924
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: ghostboy
delete_file: false
hide_file: true
hide_keylog_file: true
install_flag: false
install_path: %AppData%
keylog_crypt: true
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: Remcos-R5JURE
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: notepad;solitaire;
Targets
Target: WoodeProcurement_Specification_Doc_Portal2021R3_Client_index.exe
Size: 436KB
MD5: e79a346563c8229ade00a77e2cebc81a
SHA1: ee6d168305f2d139b951296ff80845dce7380451
SHA256: 68f90e7cd6f81bcd548c046cfaca36e766da7fdcdddf286ef769c30062fde895
SHA512: b2cb7701be9ebc6a33bed38ce417ef9089cf31a3b4f65e8528de645699ba25ab864b1e86d70180cfe1467c0f74c3ec26762a4f9b5bf0be3bc4e3b48317eada87
SSDEEP: 12288:1Ltdhijtuzu2H884oL4lW6ynCsV1QXq9bNAP8WLS:1Ltd9H8NoLs9yCGK6XOLS
Score: 10/10
Signatures:
Modifies WinLogon for persistence
Executes dropped EXE
Checks computer location settings: Looks up country code configured in the registry, likely geofence.
Suspicious use of SetThreadContext