General

  • Target

    df0dfed7d9bb8ffc5ac307ef14dd86ed.bin

  • Size

    273KB

  • Sample

    230816-cvmgfsed93

  • MD5

    399807473e4283d583609825c32eace9

  • SHA1

    a836c4c3841f3ad06ff15683c92fc959ea0ebda7

  • SHA256

    42e9454763fcdfe8994cb219ea2f38a71249be92f47bcf6047cfae997b0a46ca

  • SHA512

    e9e54395fa017b3c7bfe90a5d6e06f2cf603ff9a20439d82369debf99020eb74c9b85b6748f4e394c4b3c69f10e9b3bcdba0eebb21cd85dab077f95204acda07

  • SSDEEP

    6144:PN5YZQ8oeMIYv0GXVGqZmTJkDtUaZLzuFXPl0JM1Mm20SgG:PNyQZKYVGclhPzQflwM160e

Malware Config

Extracted

  • Family

    remcos

  • Botnet

    LOGS

  • C2

    23.19.87.242:1987

Attributes

  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    chromes.exe

  • copy_folder

    chromes

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-QBX5A0

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0.exe

    • Size

      338KB

    • MD5

      df0dfed7d9bb8ffc5ac307ef14dd86ed

    • SHA1

      ecf99b4bae23c5a2da6866fe20ca86a1a3bec012

    • SHA256

      087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0

    • SHA512

      d903253529677775d8e58ed5405366ca5dbc04f781e99d5ba1d0ab38ff1c3e4296e4fa7b4042bd38b62eac6fb9c260d9b16e324294205d0cc4aceb6ec92d3228

    • SSDEEP

      6144:cmOPKXTWo8aBPyT2PvEIOzalVa0vjntlcrjDpWgs/oiTrVYdHjKHnLXmfIEM:zSo8aBPk2nEhelRTtlc3D8gkoiL/

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Checks QEMU agent file

      Checks for the presence of the QEMU agent file, possibly to detect virtualization.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
