Resubmissions

  • 11/07/2023, 13:54 | 230711-q72zkaae5s | 10
  • 06/07/2023, 14:39 | 230706-r1hg1scc53 | 10

General

  • Target: Documento_digitaL.UUE
  • Size: 1.2MB
  • Sample: 230706-r1hg1scc53
  • MD5: d3ea98dcd9e9aeb7e277956ded3c93ee
  • SHA1: 66adb2bd9752f1231c35f644e924fb05c95ba10b
  • SHA256: ab3a04d7711c664857a8fccfcaca260221888343734f967313e0c9934ec2a4ca
  • SHA512: e1c6d9afd2c7b0262a82fea87f4119aedea6ba15c582866e1f082b4faa45dbc0df542de90ff9e9498bc3febaae00a26b63189ab29a5aebcb1f59ad2bc45021f1
  • SSDEEP: 24576:B5FCc0S3irFQLCofiUfoJZu731yusVh45fGsDP+HRd21xzB:B5FCc0jrFGfdfKuRpQ45fGsAHIxzB

Malware Config

Extracted

  • Family: remcos
  • Botnet: matarifeJULIO5
  • C2: matarife.duckdns.org:2798

Attributes

  • audio_folder: MicRecords
  • audio_record_time: 5
  • connect_delay: 20
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: true
  • keylog_crypt: true
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: remcos
  • mouse_option: false
  • mutex: Rmc-ZQGP5Y
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • take_screenshot_option: false
  • take_screenshot_time: 5

Targets

    • Target: Documento_digitaL.SCR
    • Size: 1.4MB
    • MD5: 850d9e8271dcae3b78c922aeddd9f743
    • SHA1: 95971cc0caf853f0e4750cdaff5874b4adc2a4a3
    • SHA256: 0e25b5299c3df59e05d296b1478d43094d5d81e1a5b8706fd355b36388244326
    • SHA512: 0e4af245411c80d1cdc52d72a16fddbad41a3dc9972bdb8a25fe9f50721c8306eebb17ee30c1a504e370ff7cb8175e411c4b13188336f093269468906500b5ef
    • SSDEEP: 24576:9VgmnudJ41JhQ0IM6AYsLKBL/7DciY5tTb2p0UdEWVnK:9VSr4+M63ci6b2pxI

    • Remcos: Remcos is a closed-source remote control and surveillance software.
    • Checks computer location settings: Looks up country code configured in the registry, likely geofence.
    • Drops startup file
    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6
