
General

  • Target

    payment98402.exe_pw_infected.zip

  • Size

    485KB

  • Sample

    240220-sjtpdsah59

  • MD5

    28c323d39428df38a71502a64ce547ef

  • SHA1

    2e53adc79f104dd3a0ff4634283b8f4a90ea821c

  • SHA256

    b76730b39b05e14a80a48c8e4e008df21e59950b9cb47592fb3b1e88c25e746a

  • SHA512

    d815ccd89ff656b07448f247a853f0862f3cae3c593ad0b10da1086dd01922bc34d58f645c9e3e342d1eb3f11461cfc84e1e65f190ca776755accc0a40f6270b

  • SSDEEP

    12288:WV+JKlea1vfm5wyiscqxCGLi4gG7Ji65zGrczKK:TKlea1vfm5w3v1H4HigKK

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

103.77.243.184:2404

Attributes

  • audio_folder: MicRecords
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • keylog_crypt: false
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: remcos
  • mouse_option: false
  • mutex: Rmc-VU7JGO
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • take_screenshot_option: false
  • take_screenshot_time: 5

Targets

    • Target

      0x0006000000018714-24

    • Size

      516KB

    • MD5

      f99b43eb35c35085a3a49efe77800d70

    • SHA1

      08635081e80e787603325cb7b99e0090853f7670

    • SHA256

      ecbff1a598be2581f8692bba7b07a058f951bab59893cd675b2d8c8b1d326787

    • SHA512

      0ad4dcf8e69bb9cca9d23edb94edd10cedad64938461c44493883445c44872bf41447c2839df0b1a86a9dbd7c7af8fafc4483caf44b3450e38eb955a6fac684f

    • SSDEEP

      12288:pg0toCB9ClTqt57zxVb48gCtU6fTECS1uC:7WTRqbHLU8gX6NJC

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • NirSoft MailPassView

      Password recovery tool for various email clients.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers.

    • Nirsoft

    • Loads dropped DLL

    • Accesses Microsoft Outlook accounts

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      b38561661a7164e3bbb04edc3718fe89

    • SHA1

      f13c873c8db121ba21244b1e9a457204360d543f

    • SHA256

      c2c88e4a32c734b0cb4ae507c1a9a1b417a2375079111fb1b35fab23aedd41d9

    • SHA512

      fedcaac20722de3519382011ccf22314af3edcd11b69f814db14710966853b69b9b5fc98383edcdb64d050ff825264eaba27b1c5adfe61d1fc9d77f13a052ced

    • SSDEEP

      96:f7GUxNkO6GR0t9GKKr1Zd8NHYVVHp4dEeY3kRnHdMqqyVgNPS3e:zXhHR0aTQN4gRHdMqJVgNPR

    Score: 3/10

    • Target

      Achomawi/Kirundi145/Underpricing/ekstremismers/Eksekveringers.Woo

    • Size

      26KB

    • MD5

      47d2425b039972b3e7d672afaa368497

    • SHA1

      4f0ecaa75256fb2907f2a55cac55033929f59363

    • SHA256

      949cf299f52fffc2a4fe702404688e35372c3240540c8aefe733ce93f8e18774

    • SHA512

      030acafe770ae0de5c4587e4faa11653b481840ad44f601a0faa05e4d4faf2da44f0c48d111181ca01f01bff42379e5e3f1bf872049105003816e6f8126bf8d2

    • SSDEEP

      384:7cmAlqpqqNLqe5GXd7qFa32/83gfkKd8PFJrOXxV0q67nqM8SeWWrd:7cm4qpqQLP5GXBqFZwgTqPFJrOZEnqdJ

    Score: 1/10

MITRE ATT&CK Enterprise v15

Tasks