Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

043c2ea747...2d.exe

windows7-x64

10

043c2ea747...2d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    20/03/2024, 02:01 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d.exe

  • Size

    233KB

  • MD5

    b0e371680c2c465a447d8cb4ad0ffa57

  • SHA1

    b622b7dfb03b70219fe047abd365fe88a4316394

  • SHA256

    043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d

  • SHA512

    b6956d170613bfae4afb1754bf9a2bdcc8ebce5a4e4c2d8052921a929969bf67f8defa8ad6f396fedf45dfd65d70e19bbe2998f49b6f16bb3167b392fb231577

  • SSDEEP

    6144:4mvl3n8iOiB4RBucKa3h80tK2gBWvADGGw6j1:tvlX8i8RB5JvADGGnj

Score
10/10
remcoschukratupx

Malware Config

Extracted

Family

remcos

Botnet

chuk

C2

mexbar.duckdns.org:3119

chukwuonye.duckdns.org:3241
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-S6EIWK

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 14 IoCs
  • UPX dump on OEP (original entry point) 15 IoCs
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d.exe
    "C:\Users\Admin\AppData\Local\Temp\043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1924

Network

  • flag-us
    DNS
    mexbar.duckdns.org
    043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d.exe
    Remote address:
    8.8.8.8:53
    Request
    mexbar.duckdns.org
    IN A
    Response
    mexbar.duckdns.org
    IN A
    197.210.55.48
  • flag-us
    DNS
    mexbar.duckdns.org
    043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d.exe
    Remote address:
    8.8.8.8:53
    Request
    mexbar.duckdns.org
    IN A
    Response
    mexbar.duckdns.org
    IN A
    197.210.55.48
  • flag-us
    DNS
    chukwuonye.duckdns.org
    043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d.exe
    Remote address:
    8.8.8.8:53
    Request
    chukwuonye.duckdns.org
    IN A
    Response
    chukwuonye.duckdns.org
    IN A
    94.156.71.212
  • flag-us
    DNS
    chukwuonye.duckdns.org
    043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d.exe
    Remote address:
    8.8.8.8:53
    Request
    chukwuonye.duckdns.org
    IN A
    Response
    chukwuonye.duckdns.org
    IN A
    94.156.71.212
  • flag-us
    DNS
    mexbar.duckdns.org
    043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d.exe
    Remote address:
    8.8.8.8:53
    Request
    mexbar.duckdns.org
    IN A
    Response
    mexbar.duckdns.org
    IN A
    197.210.55.48
  • flag-us
    DNS
    chukwuonye.duckdns.org
    043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d.exe
    Remote address:
    8.8.8.8:53
    Request
    chukwuonye.duckdns.org
    IN A
    Response
    chukwuonye.duckdns.org
    IN A
    94.156.71.212
  • 197.210.55.48:3119
    mexbar.duckdns.org
    043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d.exe
    152 B
     3
  • 94.156.71.212:3241
    chukwuonye.duckdns.org
    043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d.exe
    152 B
     3
  • 197.210.55.48:3119
    mexbar.duckdns.org
    043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d.exe
    152 B
     3
  • 94.156.71.212:3241
    chukwuonye.duckdns.org
    043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d.exe
    152 B
     3
  • 197.210.55.48:3119
    mexbar.duckdns.org
    043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d.exe
    152 B
     3
  • 94.156.71.212:3241
    chukwuonye.duckdns.org
    043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d.exe
    152 B
     3
  • 197.210.55.48:3119
    mexbar.duckdns.org
    043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d.exe
    152 B
     3
  • 8.8.8.8:53
    mexbar.duckdns.org
    dns
    043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d.exe
    128 B
     160 B
     2
    2

    DNS Request

    mexbar.duckdns.org

    DNS Request

    mexbar.duckdns.org

    DNS Response

    197.210.55.48

    DNS Response

    197.210.55.48

  • 8.8.8.8:53
    chukwuonye.duckdns.org
    dns
    043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d.exe
    136 B
     168 B
     2
    2

    DNS Request

    chukwuonye.duckdns.org

    DNS Request

    chukwuonye.duckdns.org

    DNS Response

    94.156.71.212

    DNS Response

    94.156.71.212

  • 8.8.8.8:53
    mexbar.duckdns.org
    dns
    043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d.exe
    64 B
     80 B
     1
    1

    DNS Request

    mexbar.duckdns.org

    DNS Response

    197.210.55.48

  • 8.8.8.8:53
    chukwuonye.duckdns.org
    dns
    043c2ea7473300aeef75d4347969ea2c54784e16892fb535b293b9dddb32b02d.exe
    68 B
     84 B
     1
    1

    DNS Request

    chukwuonye.duckdns.org

    DNS Response

    94.156.71.212

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\remcos\logs.dat
    Filesize

    144B

    MD5

    0fb0c230fedbf52184070033bd20b072

    SHA1

    1dfa4921757d23c2bd01afe40d7996dc23f4833b

    SHA256

    f62c1b8d80567acb17b522778a1b99779e96fb0a6eed7a15f9cba1830935c1eb

    SHA512

    480aed33acc943ec4c48982cf03fa7fa74a7f2bd0a7fcc7723ec1ff0bc44b11dd818af29669f4d2353d253febb22cfa0fbd513ac3f2ca3182a0cc8193d4548c1

    Download Submit

  • memory/1924-21-0x0000000000400000-0x000000000048A000-memory.dmp

    Filesize

    552KB

    Download

  • memory/1924-30-0x0000000000400000-0x000000000048A000-memory.dmp

    Filesize

    552KB

    Download

  • memory/1924-3-0x0000000000400000-0x000000000048A000-memory.dmp

    Filesize

    552KB

    Download

  • memory/1924-9-0x0000000000400000-0x000000000048A000-memory.dmp

    Filesize

    552KB

    Download

  • memory/1924-12-0x0000000000400000-0x000000000048A000-memory.dmp

    Filesize

    552KB

    Download

  • memory/1924-15-0x0000000000400000-0x000000000048A000-memory.dmp

    Filesize

    552KB

    Download

  • memory/1924-6-0x0000000000400000-0x000000000048A000-memory.dmp

    Filesize

    552KB

    Download

  • memory/1924-24-0x0000000000400000-0x000000000048A000-memory.dmp

    Filesize

    552KB

    Download

  • memory/1924-18-0x0000000000400000-0x000000000048A000-memory.dmp

    Filesize

    552KB

    Download

  • memory/1924-27-0x0000000000400000-0x000000000048A000-memory.dmp

    Filesize

    552KB

    Download

  • memory/1924-0-0x0000000000400000-0x000000000048A000-memory.dmp

    Filesize

    552KB

    Download

  • memory/1924-32-0x0000000000400000-0x000000000048A000-memory.dmp

    Filesize

    552KB

    Download

  • memory/1924-36-0x0000000000400000-0x000000000048A000-memory.dmp

    Filesize

    552KB

    Download

  • memory/1924-39-0x0000000000400000-0x000000000048A000-memory.dmp

    Filesize

    552KB

    Download

  • memory/1924-42-0x0000000000400000-0x000000000048A000-memory.dmp

    Filesize

    552KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.