General

  • Target

    Πληρωμή298434801TT.doc

  • Size

    32KB

  • Sample

    230705-l4xs8ada9x

  • MD5

    9cb89bef1811eba255e7b7031218a10f

  • SHA1

    57e58bf2ea5da5130aa375928bb366d0cabcb09f

  • SHA256

    09fbc9ef18c64027c5bf9b1a89d46e2561e0eabc77f3fe1e22c39244a017370a

  • SHA512

    1afd4e122fc4286d5f4fb4e4ccbcd3c7698a871d31f7bace0efce265d42bbe0bb7244128488ec15e24076e382cdfcc9276502ab0d504d71ff3bf5f242a70efd1

  • SSDEEP

    768:vFx0XaIsnPRIa4fwJMPJ12uTyXpcdRbb3vgPcxOSKVuT:vf0Xvx3EMv/uXpcLLvMEZT

Score
10/10

Malware Config

Extracted

Family

remcos

Botnet

Htfruning

C2

seanblacin.sytes.net:6110

Attributes

  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    htfruning.exe

  • copy_folder

    Htfruning

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    htfruning

  • mouse_option

    false

  • mutex

    Rmc-BIDEV2

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks