General

  • Target

    d4a1576213580954e906144a0434fc9df19ce746a726504e70597c58ce9a4fd5.gz

  • Size

    1.8MB

  • Sample

    240213-gap43afe9x

  • MD5

    d280973512d5e13bb7547d9af39db3eb

  • SHA1

    3a505dfbee6e79a1d64c600eda8ceca5e9649c53

  • SHA256

    d4a1576213580954e906144a0434fc9df19ce746a726504e70597c58ce9a4fd5

  • SHA512

    5da0aaf48f3aaf1a7dd8950c8c1516b864b41a851e72dbf610e6344aa26a559f555f4d3562a90c65ecaffcf7b5782f2935cee0078afc35eab86e80e774e6fdbe

  • SSDEEP

    24576:gzH9OvVcTNP8bqo7VEiO2g263c/pQEDr+pnqi6msHDUZ0b:esINUbqwVEz3oQ3nqi6JDQ0b

Score: 10/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

lora1.taiwantradeglobal.com:2404

lora2.taiwantradeglobal.com:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-R9UMK0

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      Purchase Order-ListSamples_xls.scr

    • Size

      932KB

    • MD5

      acf1a5648f805a2e245c5ca3ed592298

    • SHA1

      c6f2fad033b2b6aa910a75c5cd3d94184406fde7

    • SHA256

      1351e61c2b4c13ccf8b28d7f1f9aa82f7cce424e723a30bacbfa404d1d98fa6d

    • SHA512

      5e28c34f7f1a46cf41af0d51c5fb941c811212a0c96f933e6f9464e143b27fef8412a63e0df0cd11894a7df171759284d22f9eb947921d0c9d5c0f7e330e7ea8

    • SSDEEP

      24576:OtK2xcQUuT2bpG4tDjoL4BjCtLPM3pP3j++VTZ:Os2xL2lG4Vg8KLP4P3jrZ

    Score: 10/10
    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    • Target

      Specifications.scr

    • Size

      1020KB

    • MD5

      f03e14fede667def5971cd05001ac26e

    • SHA1

      c3b194d8b0d66a3a7aa540123f9191f06632c31a

    • SHA256

      a090d4d19e61d32cc67cbbcd57124becd412d1e9f7d8d8ed896da4d2d689dc7f

    • SHA512

      e38eaa3b4720cd0e0fd002f9d9067991c7b2ded1335a0a8d8872b96ec498a3231bdf99c1347e701b0bf23631e27a2569d62b0671a009562f9effb932c2ff3ff1

    • SSDEEP

      24576:MtS2xc3m8Y83BarJ3OJJwFcx9wyeZBMI4mCJFix:MQ2x+b3BaN3mwF6yJXWFi

    Score: 10/10
    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext