General

  • Target: ORDER.doc
  • Size: 73KB
  • Sample: 230817-gn7ahaff82
  • MD5: c01c96ba7765c7b8190bb76aab9d647f
  • SHA1: b142abe8075c13fe1476d095a2980f67ebd4d699
  • SHA256: 7c9a232eaf99f7fbb83cb964272b889f0e5b27176c556394f317c6dce3745f9b
  • SHA512: 282f8305acdf70a20a437d8fa67fd4674b9e2d62f81ff8cf9f55c1ff7e31028068b9b22a0a7b989881bfe6a328c4c3abcf11df3b699a0f2ae74ea1a718e3566a
  • SSDEEP: 768:7wAbZSibMX9gRWjB4HWvfSKuzIaQ3eZ9cB:7wAlRC4HWvMr9w

Score: 10/10

Malware Config

Extracted

  • Family: remcos
  • Botnet: RemoteHost
  • C2: 96.44.132.182:2404

Attributes

  • audio_folder: MicRecords
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • keylog_crypt: false
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: remcos
  • mouse_option: false
  • mutex: Rmc-9OIUSL
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • take_screenshot_option: false
  • take_screenshot_time: 5

Targets

    Target: ORDER.doc (score 10/10)

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
