General

  • Target

    77b6482e415499d039fd94dc2c588217bb71bd6f3da0747c53a439bc9490fbed_JC.7z

  • Size

    1.1MB

  • Sample

    230823-tvaakafc8s

  • MD5

    f3f414f46daa3779ea3103c418b35d0d

  • SHA1

    2b3adc2bc3f4e40a855252a7931b8e24475d7488

  • SHA256

    77b6482e415499d039fd94dc2c588217bb71bd6f3da0747c53a439bc9490fbed

  • SHA512

    e23ac0f361eb1e8cb07a66fbdda6cae6395739bbe49ae7ff2f8012a764ff680e6df977ec272f74d1e498e2f5a48ddf41a999893ada9508ccd7917e2977e238b4

  • SSDEEP

    24576:OjqxtwQzFBi3ZXkcWFSlqbh/gAZ3QZYPFznOSa5:OG8QzFO9kcWt/Z3QaPROSa5

Score
10/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

closen.kozow.com:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-V0K781

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      Rooming list.exe

    • Size

      133.0MB

    • MD5

      6b405cc5058f539118b7bf278e5ec92d

    • SHA1

      32576751854860acb742f71bd1aef7cc6accdbfc

    • SHA256

      6460ce4d46ea972d0296bfbfd2315b2686021380c4d22ceb0c0a987faa749fd4

    • SHA512

      55393ecd988d2beae68897d32287ac57b9d220534cc17dc3a82ca4b201b99d847b8247c0993a813901658953a25e08da35583a82a8e4dbed1f111e639a33a125

    • SSDEEP

      24576:BSoUQ4BU6CXEFENRLBZE3RmZDWkhkz+t/cOlIoxXz1WvDuS7K:Ib4JBZEBam+t/zFX0LuEK

    Score
    10/10
    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext
