Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

3758ece40a...0b.exe

windows7-x64

10

3758ece40a...0b.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

  • Size

    1.0MB

  • Sample

    240213-c5t92sdb48

  • MD5

    e5d2981fd9c531b3cfb780cf781bac91

  • SHA1

    aaf7084c369138eb5588051eda8aec9aa3c4ac26

  • SHA256

    3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b

  • SHA512

    ec10e5de423564c17caac9e3c8a4ab2d1ed51882c9cfe145374d69e9f18382d7bd23d370f0389fb56c3b77073da11351978e803dc53c7135e618bbf0507be539

  • SSDEEP

    24576:Aazz87bccsW43UyDBU7RCFYK9i3iOpOnC+yqiQDi/DtS:AOz8732BdUCYK9i3X6CPqinDo

Score
10/10
remcosp2-bincollectionratspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

P2-bin

C2

84.38.132.126:61445

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-ANE1CN

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b.exe

    • Size

      1.0MB

    • MD5

      e5d2981fd9c531b3cfb780cf781bac91

    • SHA1

      aaf7084c369138eb5588051eda8aec9aa3c4ac26

    • SHA256

      3758ece40a4e7fdefd1d742e694dc86ddbd87f1d78bafcfb48934c450630d10b

    • SHA512

      ec10e5de423564c17caac9e3c8a4ab2d1ed51882c9cfe145374d69e9f18382d7bd23d370f0389fb56c3b77073da11351978e803dc53c7135e618bbf0507be539

    • SSDEEP

      24576:Aazz87bccsW43UyDBU7RCFYK9i3iOpOnC+yqiQDi/DtS:AOz8732BdUCYK9i3X6CPqinDo

    Score
    10/10
    remcosp2-bincollectionratspywarestealer

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

    • Detects executables built or packed with MPress PE compressor

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.