
General

  • Target

    slpr.exe

  • Size

    300.0MB

  • Sample

    230208-s9h1ksbh3s

  • MD5

    5c94b9f981e63a440a7a40971a9c2d36

  • SHA1

    0df6bc0f2f497bb0cd935fb00433bead94f6d28b

  • SHA256

    e3ae3157428659c73519c6eceb3066f5b0261e006d574b039c15c6b54abbea1a

  • SHA512

    40f3eb162834b819b583dcced66646763c18cf8b92d14ca8b6a1ec0ea020e14e2076da69cf3637bee7ed6b62e342106bd8846a121ee49d1f47735b3560c63d5d

  • SSDEEP

    12288:Yog+f66nQlAI0FBX+OeKUPrrQ84BPBRMTSUfXJuSMZdnh0TBnms:YX+yyQlh0FOzrF7T3vJUTnh0TF

Score
10/10

Malware Config

Extracted

Family

remcos

Botnet

CASAMAMI

C2

casamami.con-ip.com:7770

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-2JJVDI

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5
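The extracted config above is only useful to a responder once it is turned into things to look for. The following is an added example, not tria.ge code: it transcribes the Malware Config section into "key: value" lines, parses them, and derives indicators, suppressing on-disk artifacts whose feature flag is off so a hunt does not chase files this build never writes. The C2 host, port and mutex come straight from the page; `ASSUMED_ROOT` is an assumption, because the extraction does not say which directory `copy_folder` and `keylog_folder` are rooted under (only `screenshot_path` is given).

```python
import json

# The Malware Config section of this report, transcribed into "key: value"
# lines (constructed input; the page lists the same values as bullets).
RAW_CONFIG = """\
family: remcos
botnet: CASAMAMI
c2: casamami.con-ip.com:7770
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-2JJVDI
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
"""

# Assumption: the extraction does not say where the install and keylog
# folders are rooted; %AppData% is a placeholder, not a value from the page.
ASSUMED_ROOT = "%AppData%"


def parse_config(text):
    """Parse "key: value" lines. Booleans and integers are typed; the c2 key
    accumulates into a list because Remcos configs can carry several."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if value.lower() in ("true", "false"):
            value = value.lower() == "true"
        elif value.isdigit():
            value = int(value)
        if key == "c2":
            cfg.setdefault("c2", []).append(value)
        else:
            cfg[key] = value
    return cfg


def parse_c2(entry):
    """'host:port' -> (host, port). Some Remcos builds append ':password';
    anything after the port is dropped."""
    host, _, rest = entry.partition(":")
    return host, int(rest.split(":", 1)[0])


def hunt_indicators(cfg):
    """Derive network and host indicators. Artifacts whose flag is off are
    reported as None; the mutex and C2 are always worth hunting."""
    ind = {
        "c2": [parse_c2(c) for c in cfg.get("c2", [])],
        "mutex": cfg["mutex"],
        "persistence": None,
        "keylog_file": None,
        "screenshot_dir": None,
        "notes": [],
    }
    if cfg.get("install_flag"):
        ind["persistence"] = {
            "copy_path": f"{ASSUMED_ROOT}\\{cfg['copy_folder']}\\{cfg['copy_file']}",
            "run_value": cfg["startup_value"],
        }
    else:
        ind["notes"].append("install_flag=false: copy_file/startup_value are in "
                            "the config but the install routine is disabled")
    if cfg.get("keylog_flag"):
        ind["keylog_file"] = f"{ASSUMED_ROOT}\\{cfg['keylog_folder']}\\{cfg['keylog_file']}"
    if cfg.get("screenshot_flag") or cfg.get("take_screenshot_option"):
        ind["screenshot_dir"] = f"{cfg['screenshot_path']}\\{cfg['screenshot_folder']}"
    return ind


if __name__ == "__main__":
    print(json.dumps(hunt_indicators(parse_config(RAW_CONFIG)), indent=2))
```

For this sample every on-disk feature (install, keylogging, screenshots) is switched off, so the indicators that survive are the C2 `casamami.con-ip.com:7770`, the mutex `Rmc-2JJVDI`, and the in-memory behaviour listed under the signatures below; a hunt for `%AppData%\Remcos\remcos.exe` or the `Remcos` Run value would be looking for artifacts this build is not configured to create.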

Targets

    • Target

      slpr.exe

    Score
    10/10
    • Remcos

      Remcos is closed-source remote control and surveillance software, sold commercially and widely abused as a RAT.

    • Executes dropped EXE

    • Suspicious use of SetThreadContext (the API that redirects a thread's execution; on another process's thread it is the telltale of process hollowing and thread hijacking)
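What the SetThreadContext signature keys on is not the call itself but who it targets: a process calling SetThreadContext on a thread of a child it created suspended and wrote into is the process-hollowing sequence, while a debugger or a process touching its own thread is not. The following is an added example, not tria.ge's signature logic, and the trace it runs over is constructed in the shape of a per-call sandbox log (the report does not expose this sample's raw call list, and the image name `dropped.exe` is hypothetical). It shows the minimal state a detector needs to separate the two cases.

```python
CREATE_SUSPENDED = 0x4  # dwCreationFlags bit for CreateProcess

# Constructed API trace, not the sample's: one hollowing sequence and one
# benign SetThreadContext on the caller's own thread.  The dropped image
# name is hypothetical.
TRACE = [
    {"pid": 1000, "api": "CreateProcessW",
     "args": {"image": "C:\\Users\\u\\AppData\\Local\\Temp\\dropped.exe",
              "flags": CREATE_SUSPENDED, "child_pid": 1200, "child_tid": 1201}},
    {"pid": 1000, "api": "NtUnmapViewOfSection", "args": {"target_pid": 1200}},
    {"pid": 1000, "api": "WriteProcessMemory", "args": {"target_pid": 1200, "size": 0x2A000}},
    {"pid": 1000, "api": "SetThreadContext", "args": {"tid": 1201}},
    {"pid": 1000, "api": "ResumeThread", "args": {"tid": 1201}},
    {"pid": 3000, "api": "SetThreadContext", "args": {"tid": 3001}},  # own thread: benign
    {"pid": 3000, "api": "GetThreadContext", "args": {"tid": 3001}},
]


def find_hollowing(trace):
    """Flag SetThreadContext calls aimed at another process's thread.

    State kept: which child pids were created suspended and by whom, which
    tids belong to which pid, and which (caller, child) pairs had memory
    written.  A cross-process SetThreadContext after a write into a
    suspended child is reported as hollowing; without the write it is still
    reported, but as a weaker cross-process finding.
    """
    owner = {}       # tid -> pid that owns the thread
    suspended = {}   # child pid -> creator pid
    wrote = set()    # (caller pid, target pid) pairs with memory written
    findings = []
    for ev in trace:
        pid, api, a = ev["pid"], ev["api"], ev["args"]
        if api == "CreateProcessW" and a["flags"] & CREATE_SUSPENDED:
            suspended[a["child_pid"]] = pid
            owner[a["child_tid"]] = a["child_pid"]
        elif api in ("WriteProcessMemory", "NtMapViewOfSection") and a.get("target_pid") in suspended:
            wrote.add((pid, a["target_pid"]))
        elif api == "SetThreadContext":
            tid = a["tid"]
            target = owner.get(tid, pid)  # unknown tid: assume the caller's own thread
            if target != pid:
                verdict = "hollowing" if (pid, target) in wrote else "cross-process SetThreadContext"
                findings.append({"pid": pid, "target_pid": target, "tid": tid, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in find_hollowing(TRACE):
        print(f)
```

A real sandbox also attributes the thread to its process for you, which is why the signature can fire on a single call; the point of tracking the preceding CreateProcess and WriteProcessMemory is to rank the finding, since a cross-process SetThreadContext with no prior write is rarer but also far less specific.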
