General
- Target: d413604ffcd2897d729fd0079881b7b4a0dbd3d9d5869a97d7ec76713a12739c.zip
- Size: 1.0MB
- Sample: 230308-mj6fasfa6x
- MD5: eecd8db93fd0617623daf4e239703379
- SHA1: c85a15a630f7fb93bb7c5053c360f0206247edce
- SHA256: 5c37e543b3bfb45099e6733fd8fd93f7089cb8d058360181e72130bb1ec1ac68
- SHA512: f9c412ee13259a3e6ba5fbc5528b66efc4d1e3632c6c31441a2ef491f07010067d25ede70585e2522a4a94ba2053d71d51b9f0a297663bf39d44a494baa576c7
- SSDEEP: 24576:ToBxnm9+AxSYDHD12Z4Ysk8KNNGF/hfBqzK1kmwhtHs/hgCjNWLsb:TOVIpScpBHkFi/hpn1z0Hs/ZVb
Static task: static1
Behavioral task: behavioral1
- Sample: d413604ffcd2897d729fd0079881b7b4a0dbd3d9d5869a97d7ec76713a12739c.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: d413604ffcd2897d729fd0079881b7b4a0dbd3d9d5869a97d7ec76713a12739c.exe
- Resource: win10v2004-20230220-en
Malware Config
Extracted
remcos
Mekino-RemoteHost
nadiac7806.hopto.org:2397
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: los.exe
- delete_file: false
- hide_file: false
- hide_keylog_file: true
- install_flag: true
- install_path: %AppData%
- keylog_crypt: true
- keylog_file: logs.dat
- keylog_flag: false
- keylog_path: %AppData%
- mouse_option: false
- mutex: Rmc-XBQXEL
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: trn
- take_screenshot_option: false
- take_screenshot_time: 5
Targets
- Target: d413604ffcd2897d729fd0079881b7b4a0dbd3d9d5869a97d7ec76713a12739c.exe
- Size: 1.2MB
- MD5: 9fe11f84460abd22cc955530ca89cf8c
- SHA1: dac857c046614f4ebb015faac209d5c24bc39a3c
- SHA256: d413604ffcd2897d729fd0079881b7b4a0dbd3d9d5869a97d7ec76713a12739c
- SHA512: dca05d1a79bba70b863730b32a6d10715efefaab8832351013a2c42a49ad2b33e9006c0f761a141c6a701088042d4c1d9c23cd41a5f12e68dd1ebdd8a1795d95
- SSDEEP: 24576:v1Qwe3cOQaNZ0AyQVdySyswtL3A9ghr9ZdxkmGIfZLV6sjM4:vBchynSwh36gdFpwsj
Score: 10/10
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext