
General

  • Target: Pedido0922023_xlsx.7z
  • Size: 409KB
  • Sample: 230922-s7q86sha41
  • MD5: 40cafd5bd1115f469c79af9b771b9ec0
  • SHA1: 6f6aa00dd40eb1b9e288f5cec2dbf4f83ddc8c94
  • SHA256: c74129b7d96e5859f57324918076b665247524663105d93a8bb546d1711fce46
  • SHA512: 3535fed17d4ea7771b8642f429694402c5deabccd60c3f509a26c0bfd2d8bd8358f34742172e43ca7866d74a06d12e5ac2993741c53088bebf1c214d26d3a2b4
  • SSDEEP: 12288:kJ1s6VWmxj7pYkHKler/FU91JXDTKsuKLZ1My9C+n:SjYvIZU91JzTthLf/n

Malware Config

Extracted

  • Family: remcos
  • Botnet: rj101
  • C2: 193.142.59.6:9494

Attributes

  • audio_folder: MicRecords
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • keylog_crypt: false
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: remcos
  • mouse_option: false
  • mutex: Rmc-SISLEN
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • take_screenshot_option: false
  • take_screenshot_time: 5

Targets

  • Target: Pedido0922023_xlsx.exe
  • Size: 1.2MB
  • MD5: 13edbab0f54c88b7d5494995732d8bc1
  • SHA1: 43927cc0d33769d9b0634ec9bc364ba6e25a6151
  • SHA256: b6175aa04f79e44af020154cbec1baaf6e4e60de42b69b32b37bd8fcd64d5bac
  • SHA512: 2f23c0bc843d1234dd34201450edfce4d2ff136e5f420a2cfb9a3dfcb97d96c8936cfb0ff7123919d102c4915e7396dc811c37cc12287130b8a98328be21bfdc
  • SSDEEP: 12288:dN7i6PeBQ9p1nU+Ji+/F1u1mlNHbsgyAvBvvc+X2B+d4ELSQZBLLKbIt383739Da:d5i6lnUr+fuMpNDJ2UxtkRN0D9h1

Signatures

  • ModiLoader, DBatLoader: ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  • Remcos: Remcos is a closed-source remote control and surveillance software.
  • ModiLoader Second Stage
  • Executes dropped EXE
  • Loads dropped DLL
  • Adds Run key to start application
