General

  • Target

    CONSOLIDADO DIGITAL DE DEMANDA 12 DE JULIO (1).tar

  • Size

    1.2MB

  • Sample

    230713-tqqrrahd35

  • MD5

    92715c671c4879b4ec0831eff22d20c0

  • SHA1

    0edefe7b413fd79214d2f96204d5ebd6c8675e21

  • SHA256

    9eceaed803e69f79780b296bc7842a424afaa0761698466630f230a6d138c0cf

  • SHA512

    2f8531d18c0a393b96f0722c48d70693c6fffeeec0933adccf83ae2aea7e3f766f6fe9e61fec2b6ad89eec15bf50300d22cabcb9131bc1f3843d405b432d5450

  • SSDEEP

    24576:cCdKVg+CWibFB7aYlcC8gTcxcsH6yTyIhBl5x6OOl3:cCIUuGoxWyTdhBln67

Malware Config

Extracted

  • Family

    remcos

  • Botnet

    MEXICO

  • C2

    uyfijbuhvuyguhjvuyhuhbg.con-ip.com:1883

Attributes

  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-3CV4OK

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      CONSOLIDADO DIGITAL DE DEMANDA 12 DE JULIO.exe

    • Size

      1023.9MB

    • MD5

      9780f8e4adc6012e0661b0a343474d40

    • SHA1

      8393243c3327e934e6bccb15141820663d55a7b5

    • SHA256

      45287b1123b46c3de113324bb247c08643e27fa743e253224c5c5a093e5d9181

    • SHA512

      10ec310bd8bcaa3dabbef138dc1b49177d3cd548926d9b7e99d81c54ca7533ff61fe49bf20af03c876ecfc28f506272fb0c6c99aebc01131795ac37fe06a6978

    • SSDEEP

      12288:f2+avXb5PBdKkQuWnOmhIx61axFbOXBR/O+yNUMIvkaW0o:e+MB7RQuO11abbqPMNU3vkn0o

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies RDP port number used by Windows

    • Sets service image path in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Registers COM server for autorun

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
