Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    Document Required310753577644567865689.exe

  • Size

    1.1MB

  • Sample

    230112-jptf5sfe26

  • MD5

    0f1caf9593d310fdb217cb05e62693f9

  • SHA1

    cd3a58a665444ac047aef10e5deefbba65b54e18

  • SHA256

    b7285db14a569eccf6e5cca5416478153c38b9b7931f0bdea403901c3632cbc9

  • SHA512

    985ed0ce05a4ed4eb37630238974f3d487fbe404809229db488ea722a6af115256fe786020ee6bcc6d113186db10fabb22b6b5f4f32f93131db2de2e3807a7f0

  • SSDEEP

    24576:ygaIphuOCwQSQ8eD0jzOt1ytFvDgIFoc5:y2B2DCzOt1ytFvDpFoc

Malware Config

Extracted

Family

remcos

Botnet

SKY-YAK

C2

www.christopherferr.com:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    12345

  • mouse_option

    false

  • mutex

    Rmc-E68T3F

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      Document Required310753577644567865689.exe

    • Size

      1.1MB

    • MD5

      0f1caf9593d310fdb217cb05e62693f9

    • SHA1

      cd3a58a665444ac047aef10e5deefbba65b54e18

    • SHA256

      b7285db14a569eccf6e5cca5416478153c38b9b7931f0bdea403901c3632cbc9

    • SHA512

      985ed0ce05a4ed4eb37630238974f3d487fbe404809229db488ea722a6af115256fe786020ee6bcc6d113186db10fabb22b6b5f4f32f93131db2de2e3807a7f0

    • SSDEEP

      24576:ygaIphuOCwQSQ8eD0jzOt1ytFvDgIFoc5:y2B2DCzOt1ytFvDpFoc

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • ModiLoader Second Stage

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks