General

  • Target

    0c724088f1514a0d94864926816ab77c638b1204f4f5651a04e6d26dfee04ea7.rtf

  • Size

    73KB

  • Sample

    240425-bfwwxacf6v

  • MD5

    f97c50feb93e72f7d26909c1180de9f2

  • SHA1

    809c718c1685b18ace672b7aae0a3b9be1b9627b

  • SHA256

    0c724088f1514a0d94864926816ab77c638b1204f4f5651a04e6d26dfee04ea7

  • SHA512

    3a02c2538959001e1dd45667b362df7c967bee68e939919b58bd593cde9cc653201c2bb0a64d408d8c7e5d5c80f849b8af6303998013ffcd4562bc1df49e7796

  • SSDEEP

    1536:pUlKpWpupfL9+HlHkDOEAgG+Re7LGhzgTExsjaY9qyrcseX1VgLY:zWpupfLQlHHngxRoKhzgTq4rBeX1VgLY

Malware Config

Extracted

Family

remcos

Botnet

Zynova

C2

remcjulia.duckdns.org:14645

Attributes

  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-76C83U

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      0c724088f1514a0d94864926816ab77c638b1204f4f5651a04e6d26dfee04ea7.rtf

    • Size

      73KB

    • MD5

      f97c50feb93e72f7d26909c1180de9f2

    • SHA1

      809c718c1685b18ace672b7aae0a3b9be1b9627b

    • SHA256

      0c724088f1514a0d94864926816ab77c638b1204f4f5651a04e6d26dfee04ea7

    • SHA512

      3a02c2538959001e1dd45667b362df7c967bee68e939919b58bd593cde9cc653201c2bb0a64d408d8c7e5d5c80f849b8af6303998013ffcd4562bc1df49e7796

    • SSDEEP

      1536:pUlKpWpupfL9+HlHkDOEAgG+Re7LGhzgTExsjaY9qyrcseX1VgLY:zWpupfLQlHHngxRoKhzgTq4rBeX1VgLY

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

    • Blocklisted process makes network request

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks