General

  • Target

    Mit Technologies Iran - MIT PO_TURK00926600.pdf(73KB).com

  • Size

    5KB

  • Sample

    240220-mj7y5afe93

  • MD5

    10531525068f2547147c84cf4b464f75

  • SHA1

    7c05bb4ee5c49eef647837347825c19a1756d73b

  • SHA256

    2821d789c0b37d3ed136eebd66c36216386fa9d4935fcd733b1e8ef4fd388d36

  • SHA512

    d6a9e15f614aab2a2baecb832f5c7ba642893fd62d353bac09d1a247a834ef0e4ec781551e6a5ed9deb97308f19cb333b52f71e82e5ff2536bdcc2d843350fa5

  • SSDEEP

    48:6yZEbVTWEkfWXedefzwYczF5ejsFBCJwUhloy54Rn6l+spsVtiOl1VeRqFSpfbNM:sQEPeoczo4YwUhuyy++BvVeTzNt

Malware Config

Extracted

  • Family

    remcos

  • Botnet

    FRESH

  • C2

    igw.myfirewall.org:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-4HN46L

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Detect ZGRat V1

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks