General
Target: DOCUMENTO DE CORRESPODIENTE A FAV-106 FAV 109.vbs
Size: 562KB
Sample: 221104-k4xyjsdgf6
MD5: e0374295f58128949b5876934737b630
SHA1: cca48afe8f320a963d3e0024ee0a3f0f8bdfe635
SHA256: 594a29480b7fce9d4e200b08fcded341d776420303a8ea955333a7b7971c4512
SHA512: 91beecd85f6343370034465fba5ab178a0b3d6de91e90acaa70b3c378968b5068cdebc59921dd5899bf133d326dac75ea4c2c26f1728d11edcbf2f05c255b72b
SSDEEP: 192:fnh4wl8t0iFzx5o1QS/j14ta1k0yPPaNIfALuQ1Pbk:awKtR53PPaNIfALuQ1Q
Static task: static1
Behavioral task: behavioral1
Sample: DOCUMENTO DE CORRESPODIENTE A FAV-106 FAV 109.vbs
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: DOCUMENTO DE CORRESPODIENTE A FAV-106 FAV 109.vbs
Resource: win10v2004-20220901-en
Malware Config
Extracted URL
https://firebasestorage.googleapis.com/v0/b/fir-3b506.appspot.com/o/dll%2Fnego.txt?alt=media&token=f068e42c-0fbc-4dcc-9984-985de5d7ed9c
Extracted config: remcos
RemoteHost: nbvuhvioeodhdu.duckdns.org:1883
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-YPARK9
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
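Added example (not tria.ge code and not part of the sample): a small Python parser that turns the flattened report fields into structured indicators and sanity-checks the reported digests. The embedded REPORT string is a constructed subset of this report's own fields, kept in the dump's key/value layout. The layout rules, the ';'-separated multi-host convention for RemoteHost and the %AppData%\<copy_folder>\<copy_file> install path are assumptions about the report format and the Remcos family, not facts stated on this page.

```python
"""Structured IOCs from a flattened sandbox report (added example, not tria.ge code)."""
import re
from urllib.parse import urlparse

SECTION_HEADERS = {"General", "Malware Config"}
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Constructed input: a subset of this report's fields in the dump's layout
# ('-' separates items; a key line is followed by its value line).
REPORT = """\
General
-
Target
DOCUMENTO DE CORRESPODIENTE A FAV-106 FAV 109.vbs
-
MD5
e0374295f58128949b5876934737b630
-
SHA256
594a29480b7fce9d4e200b08fcded341d776420303a8ea955333a7b7971c4512
Malware Config
Extracted
https://firebasestorage.googleapis.com/v0/b/fir-3b506.appspot.com/o/dll%2Fnego.txt?alt=media&token=f068e42c-0fbc-4dcc-9984-985de5d7ed9c
Extracted
remcos
RemoteHost
nbvuhvioeodhdu.duckdns.org:1883
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
install_flag
false
-
mutex
Rmc-YPARK9
-
startup_value
Remcos
"""


def parse_report(text):
    """Split the dump into general metadata, extracted URLs, family and config.

    Layout assumption: under 'Malware Config' an 'Extracted' key is followed by
    either a URL (the stager download) or a family name whose config follows.
    """
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and ln != "-"]
    out = {"general": {}, "extracted_urls": [], "family": None, "config": {}}
    section, i = None, 0
    while i < len(lines):
        if lines[i] in SECTION_HEADERS:
            section, i = lines[i], i + 1
            continue
        if i + 1 >= len(lines):  # dangling key with no value line: stop
            break
        key, value = lines[i], lines[i + 1]
        i += 2
        if section != "Malware Config":
            out["general"][key] = value
        elif key == "Extracted" and value.startswith(("http://", "https://")):
            out["extracted_urls"].append(value)
        elif key == "Extracted":
            out["family"] = value.lower()
        else:
            out["config"][key] = value
    return out


def check_hashes(general):
    """Return a problem per digest that is not hex of its algorithm's length."""
    problems = []
    for algo, length in HASH_LENGTHS.items():
        digest = general.get(algo)
        if digest is not None and not re.fullmatch(r"[0-9a-fA-F]{%d}" % length, digest):
            problems.append(f"{algo}: expected {length} hex chars, got {digest!r}")
    return problems


def derive_iocs(parsed):
    """Map the Remcos config onto network and host indicators."""
    cfg = parsed["config"]
    c2 = []
    # Assumption about the family: RemoteHost holds host:port[:...] entries, ';'-separated.
    for entry in filter(None, (e.strip() for e in cfg.get("RemoteHost", "").split(";"))):
        parts = entry.split(":")
        port = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
        c2.append((parts[0], port))
    install_path = None
    if cfg.get("copy_folder") and cfg.get("copy_file"):
        # Assumption: Remcos copies itself to %AppData%\<copy_folder>\<copy_file> when installing.
        install_path = "%AppData%\\{}\\{}".format(cfg["copy_folder"], cfg["copy_file"])
    return {
        "network": {
            "c2": c2,
            # firebasestorage.googleapis.com is a shared service: alert on the
            # full URL or path, never on the bare domain.
            "download_urls": list(parsed["extracted_urls"]),
            "download_paths": [urlparse(u).path for u in parsed["extracted_urls"]],
        },
        "host": {
            "mutex": cfg.get("mutex"),
            "install_enabled": cfg.get("install_flag", "").lower() == "true",
            "install_path": install_path,
            "run_key_value": cfg.get("startup_value"),
        },
    }


if __name__ == "__main__":
    parsed = parse_report(REPORT)
    print("hash problems:", check_hashes(parsed["general"]) or "none")
    for section, items in derive_iocs(parsed).items():
        print(section, items)
```

With install_flag false the copy path and Run value may never appear on a victim host, so the mutex and the duckdns C2 are the indicators to hunt first; the startup_value is still worth checking because the report's own "Drops startup file" signature fired.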
Targets
Target: DOCUMENTO DE CORRESPODIENTE A FAV-106 FAV 109.vbs
Score: 10/10
Signatures:
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Suspicious use of SetThreadContext