General

  • Target

    RFQ ETMT 009462900_pdf(58kb).txz

  • Size

    478KB

  • Sample

    240111-q2z8sahgc2

  • MD5

    2943ffe44e62980ec150a5149c4ca270

  • SHA1

    74e7deb5a9d9014a93f82c999848792afb87cc4f

  • SHA256

    7c8d1f5e542c876e083d5356b803f94b96803545e441b4b7c260ed1de52da389

  • SHA512

    32f16f7eecab5e584ad083750a7f2c983150e0fd59a16356dc7b8a819b9065800d255ecb907a4f95adbbbf434ec9600cbd20d4e04a1bd4db1ad3cf0961fda9c6

  • SSDEEP

    12288:jpQg+3SnWXfz9dybhBlrH9POVtPO8LDS6MrPUqwFkOfCeupH:j+jinyfz9UxkVtPvOR/feU

Malware Config

Extracted

Family

remcos

Botnet

FRESH

C2

igw.myfirewall.org:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    outlook

  • mouse_option

    false

  • mutex

    RmcbWqr-YNNHMH

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      RFQ ETMT 009462900_pdf(58kb).exe

    • Size

      499KB

    • MD5

      8db92bb4d4f088c378b9c430b72ac827

    • SHA1

      41cc52c3b467aac55ff57ad9d1fd7223fef7ee70

    • SHA256

      2fb6f8d101edc0b6a053d332cb32d0134f5c66629970cf411f34f437928b87a4

    • SHA512

      2fe47dd6cc30575f8ec65ee5287cc7e345888efba328fff73a339bbe7e748d588186763c5b3d69cd7ca3c2a40a047cac4d755591a29c690bbb01db71a97fbd09

    • SSDEEP

      12288:YkSnWVfzb9ybh95rH9P2VtHO8LVS6krP6qwFkOfWeuteV8aV:YJnefzb0toVtHvA3vleK0

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      jjuhibpwa.mlg

    • Size

      503KB

    • MD5

      3118a22f7f27bc50545d6a715eeaf540

    • SHA1

      5e08ab4614a68d6a1c971b00026e5a522997e551

    • SHA256

      6a522d00452a1638419a54a63908d0e21a6d5bb7713e86e6980082bf36121e36

    • SHA512

      ec7da5c26b91509059c8610afec6b6dcceb7413241fc3395fa8449d42eebbaf9df5d096a17154b0af13cf71ee3ce4b728e777bd3858fbfcb29c898addf195ddc

    • SSDEEP

      12288:Uc3Flf8fdbGHoUrATLoaxnXXG7pZBrfcUZTDvQH:Uc4fxUrATG5rfPP8

    Score
    1/10
    • Target

      wnnqrg.exe

    • Size

      62KB

    • MD5

      ad65f79ab6bd2884461a198e1d77ef76

    • SHA1

      f7ac4388da64c17f92f0c10803de57abad060bb9

    • SHA256

      c545d7f6a0c7da83bdabf56728c240bca8dc9f86416123efde1a3e60d87626ce

    • SHA512

      7da047e3ce0ffe6d01e603092f12acfa98499b0407ba6b328acd94eb7894f7009163804b6fd645ae6b6d0deb98091cacb71b53c0585381fdb962a205e6a8440e

    • SSDEEP

      1536:Px+QC21XgNhnNiBiSXM4dmxSxh1eKMNDYVmtM:PxdhgNhNiB7drx6KMNay

    Score
    6/10
    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15