General
- Target: 877ab6295833fcb788316b1cbaa42602689cba90d069a4454335edc7e8fa4b88.rar
- Size: 756KB
- Sample: 240214-f9p3nsbe72
- MD5: 6f4fd329383f57e03850185d0771ae4a
- SHA1: 45beec001a2af577f2e2aed2422579cdc2ceeb76
- SHA256: 877ab6295833fcb788316b1cbaa42602689cba90d069a4454335edc7e8fa4b88
- SHA512: 99d33aa7c23dcc963b0329302c7253b6a07b457fa46cd199af5ba16a61205c8dd29d55f4bcd0d1461df5a9dee879f22046fc0e56777dfed464fdadba35f47c1f
- SSDEEP: 12288:q0no5xwgZ1ueWsTtZu+KYo7nI064UFgHlYuOso+FSYdrchlLMiN6S1i6RXiK8sPM:q+ORZ1uTsxZu+D06HuQ+FSYNI151i6R6
Static task: static1
Behavioral task: behavioral1
- Sample: INV-M673778.01_CRM03283275.bat
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: INV-M673778.01_CRM03283275.bat
- Resource: win10v2004-20231215-en
Malware Config
Extracted: remcos
- RemoteHost:
  - 127.0.0.1:55677
  - 127.0.0.1:45671
  - mypersonrem.duckdns.org:45671
  - mypersonrem.duckdns.org:55677
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-146CM0
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Targets
- Target: INV-M673778.01_CRM03283275.bat
- Size: 1.7MB
- MD5: 4684b78291fbd184c63fc72362ad6638
- SHA1: 18b9acfef0f9cb0bc368a3f7bab870b5c8d0ea45
- SHA256: 104dabc5458396ad4bc4bd595a18dd578a0fbbabcf2dc2446fa25d4dd3cd4395
- SHA512: 008d9be60f83bbcb8923bf63c19940e25b53c4df2ff86c3f6ce8c46d2570eebc47774179a99d05c96e87e01e40b48e8a154d4ba412ad8494f4eef4b995d24eac
- SSDEEP: 24576:ibbzU4JA5g17ST/0F1tjX48FSYlb+7jx9N29q6VeR6:inBA5g1uT/G1tjX48hw7jB6g8
Signatures
- ModiLoader, DBatLoader: ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
- Detects executables built or packed with the MPress PE compressor
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- ModiLoader Second Stage
- NirSoft MailPassView: password recovery tool for various email clients
- NirSoft WebBrowserPassView: password recovery tool for various web browsers
- Nirsoft
- Creates new service(s)
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)