Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    d413604ffcd2897d729fd0079881b7b4a0dbd3d9d5869a97d7ec76713a12739c.zip

  • Size

    1.0MB

  • Sample

    230308-mj6fasfa6x

  • MD5

    eecd8db93fd0617623daf4e239703379

  • SHA1

    c85a15a630f7fb93bb7c5053c360f0206247edce

  • SHA256

    5c37e543b3bfb45099e6733fd8fd93f7089cb8d058360181e72130bb1ec1ac68

  • SHA512

    f9c412ee13259a3e6ba5fbc5528b66efc4d1e3632c6c31441a2ef491f07010067d25ede70585e2522a4a94ba2053d71d51b9f0a297663bf39d44a494baa576c7

  • SSDEEP

    24576:ToBxnm9+AxSYDHD12Z4Ysk8KNNGF/hfBqzK1kmwhtHs/hgCjNWLsb:TOVIpScpBHkFi/hpn1z0Hs/ZVb

Malware Config

Extracted

Family

remcos

Botnet

Mekino-RemoteHost

C2

nadiac7806.hopto.org:2397

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    los.exe

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Rmc-XBQXEL

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    trn

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      d413604ffcd2897d729fd0079881b7b4a0dbd3d9d5869a97d7ec76713a12739c.exe

    • Size

      1.2MB

    • MD5

      9fe11f84460abd22cc955530ca89cf8c

    • SHA1

      dac857c046614f4ebb015faac209d5c24bc39a3c

    • SHA256

      d413604ffcd2897d729fd0079881b7b4a0dbd3d9d5869a97d7ec76713a12739c

    • SHA512

      dca05d1a79bba70b863730b32a6d10715efefaab8832351013a2c42a49ad2b33e9006c0f761a141c6a701088042d4c1d9c23cd41a5f12e68dd1ebdd8a1795d95

    • SSDEEP

      24576:v1Qwe3cOQaNZ0AyQVdySyswtL3A9ghr9ZdxkmGIfZLV6sjM4:vBchynSwh36gdFpwsj

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks