General

  • Target

    CARPETADEFOLIOYACTAENTREG.exe

  • Size

    1.3MB

  • Sample

    230709-l7lv5ada7w

  • MD5

    f078c4f43ad9bd1eaf54946c84fdb78e

  • SHA1

    9d3f4a0595af9c10731ea2e9f198c462b2d73dec

  • SHA256

    1c9708a7c1cca2ffb1fb6711828553521a81c313bd3dcefba441e546d2457e5d

  • SHA512

    079b649c6fd09a8df4b7cd032b6edd8b555948d5cac47a18afe3aa44b0ef1aa937ed3bb4f1b2108577a237181cd66055c71f7a21c84b8453c3ab3b83d55f72a1

  • SSDEEP

    24576:9VgmnudJ41JhQdiZoGDbbtadASRTcibq/7dTYpzWRuhIDTAekW:9VSr42+vtMZNDbydTQWRuaDTJX

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

nj0509.duckdns.org:0509

Mutex

6ce9672712ba4490be

Attributes
  • reg_key

    6ce9672712ba4490be

  • splitter

    @!#&^%$

Extracted

Family

remcos

Botnet

matarifeJULIO6

C2

matarife.duckdns.org:2798

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    20

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-KM2G8Z

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5
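The two extracted configurations above (njRAT and Remcos) can be turned directly into host and network indicators. The following Python is an added example, not code from tria.ge or from the report: it takes the C2, mutex, Run-value and file-path values shown on this page, normalises them, and evaluates constructed telemetry against them. Two details matter in practice: the njRAT C2 port is written as `0509`, which is decimal 509 on the wire, so a string match on "0509" would never fire; and njRAT's `reg_key` is the name of the value it writes under the Run key (the same string as its mutex). The event format, field names and sample events are assumptions made up for illustration.

```python
"""IOC extraction from the njRAT and Remcos configs on this page, with a
matcher run over constructed (made-up) telemetry.
Added example; not part of the tria.ge report."""
from dataclasses import dataclass, field

# Values copied from the extracted configs above.
NJRAT_CFG = {"c2": "nj0509.duckdns.org:0509",
             "mutex": "6ce9672712ba4490be",
             "reg_key": "6ce9672712ba4490be"}      # Run value name in njRAT builds
REMCOS_CFG = {"c2": "matarife.duckdns.org:2798",
              "mutex": "Rmc-KM2G8Z",
              "copy_folder": "Remcos", "copy_file": "remcos.exe",
              "keylog_folder": "remcos", "keylog_file": "logs.dat"}


@dataclass
class IocSet:
    c2_hosts: set = field(default_factory=set)
    c2_ports: set = field(default_factory=set)      # ints: "0509" and 509 both match
    mutexes: set = field(default_factory=set)
    reg_values: set = field(default_factory=set)
    path_fragments: set = field(default_factory=set)  # lower-case, backslash form


def parse_c2(c2: str):
    """Split 'host:port' and convert the port to an int (so '0509' -> 509)."""
    host, _, port = c2.rpartition(":")
    if not host or not port.isdigit():
        raise ValueError(f"unexpected C2 format: {c2!r}")
    return host.lower(), int(port)


def build_iocs(njrat, remcos) -> IocSet:
    iocs = IocSet()
    for cfg in (njrat, remcos):
        host, port = parse_c2(cfg["c2"])
        iocs.c2_hosts.add(host)
        iocs.c2_ports.add(port)
        iocs.mutexes.add(cfg["mutex"])
    iocs.reg_values.add(njrat["reg_key"])
    # Remcos drops copy_folder\copy_file and writes keylog_folder\keylog_file;
    # the parent directory is not in the extracted config, so match on the tail.
    iocs.path_fragments.add(f"{remcos['copy_folder']}\\{remcos['copy_file']}".lower())
    iocs.path_fragments.add(f"{remcos['keylog_folder']}\\{remcos['keylog_file']}".lower())
    return iocs


def match_event(ev: dict, iocs: IocSet):
    """Return a list of (indicator_type, value) hits for one event dict."""
    hits = []
    kind = ev.get("type")
    if kind == "dns":
        q = ev["query"].lower().rstrip(".")
        if q in iocs.c2_hosts:
            hits.append(("c2_host", q))
    elif kind == "netconn":
        host = ev.get("dest_host", "").lower()
        if host in iocs.c2_hosts:
            hits.append(("c2_host", host))
        if ev.get("dest_port") in iocs.c2_ports:   # low confidence on its own
            hits.append(("c2_port", ev["dest_port"]))
    elif kind == "mutex":
        if ev["name"] in iocs.mutexes:
            hits.append(("mutex", ev["name"]))
    elif kind == "regset":
        if ev.get("value_name") in iocs.reg_values:
            hits.append(("run_value", ev["value_name"]))
    elif kind == "file":
        p = ev["path"].lower().replace("/", "\\")
        for frag in iocs.path_fragments:
            if p.endswith(frag):
                hits.append(("path", frag))
    return hits


def scan(events, iocs):
    """Evaluate every event; returns [(event_index, hit), ...]."""
    return [(i, h) for i, ev in enumerate(events) for h in match_event(ev, iocs)]


# Constructed telemetry (made up for this example).
SAMPLE_EVENTS = [
    {"type": "dns", "query": "nj0509.duckdns.org."},
    {"type": "netconn", "dest_host": "matarife.duckdns.org", "dest_port": 2798},
    {"type": "netconn", "dest_host": "198.51.100.7", "dest_port": 509},  # port only
    {"type": "mutex", "name": "Rmc-KM2G8Z"},
    {"type": "regset", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "6ce9672712ba4490be"},
    {"type": "file", "path": r"C:\Users\a\AppData\Roaming\Remcos\remcos.exe"},
    {"type": "file", "path": r"C:\Users\a\AppData\Roaming\remcos\logs.dat"},
    {"type": "dns", "query": "update.microsoft.com."},
]

if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_EVENTS, build_iocs(NJRAT_CFG, REMCOS_CFG)):
        print(idx, hit)
```

A bare port hit (event 2) is reported but should be treated as low confidence; the host names are the strong indicators, and both are dynamic-DNS names under duckdns.org, so the resolved addresses can change between runs and the names are the right thing to block. The njRAT `splitter` value (`@!#&^%$`) is the field delimiter the bot uses inside its C2 messages; it belongs in a network signature rather than in this host/DNS matcher.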

Targets

    • Target

      CARPETADEFOLIOYACTAENTREG.exe

    • Size

      1.3MB

    • MD5

      f078c4f43ad9bd1eaf54946c84fdb78e

    • SHA1

      9d3f4a0595af9c10731ea2e9f198c462b2d73dec

    • SHA256

      1c9708a7c1cca2ffb1fb6711828553521a81c313bd3dcefba441e546d2457e5d

    • SHA512

      079b649c6fd09a8df4b7cd032b6edd8b555948d5cac47a18afe3aa44b0ef1aa937ed3bb4f1b2108577a237181cd66055c71f7a21c84b8453c3ab3b83d55f72a1

    • SSDEEP

      24576:9VgmnudJ41JhQdiZoGDbbtadASRTcibq/7dTYpzWRuhIDTAekW:9VSr42+vtMZNDbydTQWRuaDTJX

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
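Three of the signatures above (drops startup file, adds Run key, executes dropped EXE) describe a persistence chain rather than a fixed indicator, so they can be detected without knowing this sample's hashes or C2. The following Python is an added example, not tria.ge's signature logic: it correlates constructed Sysmon-style events (FileCreate, RegistryEvent value-set, ProcessCreate) so that a Run value is flagged more strongly when it points at a file the same trace just created, and a process start is flagged when its image was dropped earlier in the trace. The field names follow Sysmon (TargetFilename, TargetObject, Details, Image), but the events, paths, SID and value names are made up for illustration. The remaining signatures (registry country-code lookup, SetThreadContext) are not visible in this event set and are not covered.

```python
"""Behavioural correlation for the 'drops startup file', 'adds Run key' and
'executes dropped EXE' signatures over constructed Sysmon-style events.
Added example; not part of the tria.ge report."""
import re

RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)


def _norm(p: str) -> str:
    return p.strip('"').lower()


def _exe_from_cmdline(cmd: str) -> str:
    """First token of a Run value: quoted path, or up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)].lower()
    return cmd.split()[0].lower()


def correlate(events):
    """Walk ordered events once and return a list of finding dicts."""
    findings = []
    dropped = {}   # lower-case path -> image that created it (Event 11)
    for ev in events:
        eid = ev["id"]
        if eid == 11:                                   # FileCreate
            dropped[_norm(ev["TargetFilename"])] = ev["Image"]
            if STARTUP_RE.search(ev["TargetFilename"]):
                findings.append({"sig": "drops_startup_file",
                                 "path": ev["TargetFilename"],
                                 "image": ev["Image"]})
        elif eid == 13 and RUN_KEY_RE.search(ev["TargetObject"]):  # value set
            exe = _exe_from_cmdline(ev["Details"])
            findings.append({"sig": "adds_run_key",
                             "value": ev["TargetObject"],
                             "target": exe,
                             # non-None => the same trace dropped the target
                             "dropped_by": dropped.get(exe)})
        elif eid == 1:                                  # ProcessCreate
            img = _norm(ev["Image"])
            if img in dropped:
                findings.append({"sig": "executes_dropped_exe",
                                 "image": ev["Image"],
                                 "dropped_by": dropped[img]})
    return findings


# Constructed events (made up for this example; SID and value names are fictional).
DROPPER = r"C:\Users\a\Desktop\CARPETADEFOLIOYACTAENTREG.exe"
COPY = r"C:\Users\a\AppData\Roaming\Remcos\remcos.exe"
SAMPLE_EVENTS = [
    {"id": 11, "Image": DROPPER, "TargetFilename": COPY},
    {"id": 13, "Image": DROPPER,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Remcos",
     "Details": f'"{COPY}"'},
    {"id": 11, "Image": DROPPER,
     "TargetFilename": r"C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"id": 1, "Image": COPY, "ParentImage": DROPPER},
    {"id": 13, "Image": r"C:\Program Files\OneDrive\OneDrive.exe",      # benign
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\OneDrive\OneDrive.exe" /background'},
    {"id": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f)
```

The benign Run value (OneDrive) is still reported, but with `dropped_by` set to None; in a real pipeline that distinction is what separates an install-time autorun from a fresh executable that wrote its own persistence, which is the pattern a Remcos `install_flag: true` build produces.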

MITRE ATT&CK Enterprise v6

Tasks