Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

DOC2022051...IH.exe

windows7-x64

10

DOC2022051...IH.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    DOC20220513PRELIMINARC0559DOC03027321122021JIH.exe

  • Size

    815KB

  • Sample

    230605-qk6dgahd5v

  • MD5

    42100dbc4d976830330cba122d827ddc

  • SHA1

    8c9646c8d072550d064927db102afe5b4226817e

  • SHA256

    a4a9151dee1026abcaec06ec7596983a05cc7df43c37d5646e17ae02e2902445

  • SHA512

    e0d152a67200affbfb3d034976942d0222fd5222b7cc5fd15b04ca9680d8379183048bdf5a122b9f02a6966c99e8d698445c86995222d6aca9a2a89d4eafe439

  • SSDEEP

    12288:Hm5Yjm87zTua9UTx2OwKPUh0Iyy7UhZBosUwj0xJ3nBcN/ZLf:Hvjqa9UV2OwKPdjnjSQIxJ3n6N/l

Score
10/10
modiloaderremcospharmacy-peoplepersistencerattrojan

Malware Config

Extracted

Family

remcos

Botnet

PHARMACY-PEOPLE

C2

www.supremeswitchgear.com:32676

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    rematsssss

  • mouse_option

    false

  • mutex

    Rmc-JQWAXU

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      DOC20220513PRELIMINARC0559DOC03027321122021JIH.exe

    • Size

      815KB

    • MD5

      42100dbc4d976830330cba122d827ddc

    • SHA1

      8c9646c8d072550d064927db102afe5b4226817e

    • SHA256

      a4a9151dee1026abcaec06ec7596983a05cc7df43c37d5646e17ae02e2902445

    • SHA512

      e0d152a67200affbfb3d034976942d0222fd5222b7cc5fd15b04ca9680d8379183048bdf5a122b9f02a6966c99e8d698445c86995222d6aca9a2a89d4eafe439

    • SSDEEP

      12288:Hm5Yjm87zTua9UTx2OwKPUh0Iyy7UhZBosUwj0xJ3nBcN/ZLf:Hvjqa9UV2OwKPdjnjSQIxJ3n6N/l

    Score
    10/10
    modiloadertrojanremcospharmacy-peoplepersistencerat

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • ModiLoader Second Stage

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.