General
Target: df0dfed7d9bb8ffc5ac307ef14dd86ed.bin
Size: 273KB
Sample: 230816-cvmgfsed93
MD5: 399807473e4283d583609825c32eace9
SHA1: a836c4c3841f3ad06ff15683c92fc959ea0ebda7
SHA256: 42e9454763fcdfe8994cb219ea2f38a71249be92f47bcf6047cfae997b0a46ca
SHA512: e9e54395fa017b3c7bfe90a5d6e06f2cf603ff9a20439d82369debf99020eb74c9b85b6748f4e394c4b3c69f10e9b3bcdba0eebb21cd85dab077f95204acda07
SSDEEP: 6144:PN5YZQ8oeMIYv0GXVGqZmTJkDtUaZLzuFXPl0JM1Mm20SgG:PNyQZKYVGclhPzQflwM160e
Static task: static1

Behavioral task: behavioral1
Sample: 087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0.exe
Resource: win7-20230712-en

Behavioral task: behavioral2
Sample: 087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0.exe
Resource: win10v2004-20230703-en
Malware Config
Extracted: remcos
LOGS: 23.19.87.242:1987
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: chromes.exe
copy_folder: chromes
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: true
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-QBX5A0
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: 087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0.exe
Size: 338KB
MD5: df0dfed7d9bb8ffc5ac307ef14dd86ed
SHA1: ecf99b4bae23c5a2da6866fe20ca86a1a3bec012
SHA256: 087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0
SHA512: d903253529677775d8e58ed5405366ca5dbc04f781e99d5ba1d0ab38ff1c3e4296e4fa7b4042bd38b62eac6fb9c260d9b16e324294205d0cc4aceb6ec92d3228
SSDEEP: 6144:cmOPKXTWo8aBPyT2PvEIOzalVa0vjntlcrjDpWgs/oiTrVYdHjKHnLXmfIEM:zSo8aBPk2nEhelRTtlc3D8gkoiL/
Score: 10/10
- Checks QEMU agent file (checks presence of the QEMU agent, possibly to detect virtualization)
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext