General

  • Target

    fea2216981e8976a502c79405747b623b22f0492d0ea779eae026249f64ca908

  • Size

    798KB

  • Sample

    240515-k6ly3aae6v

  • MD5

    91cbe2fb626a2f78f89e3218ab473e4b

  • SHA1

    5deb6f4ac80752aa4a3d66514da1d76de3b34911

  • SHA256

    fea2216981e8976a502c79405747b623b22f0492d0ea779eae026249f64ca908

  • SHA512

    fcf66c1de29ee7c4d5cab78c189c4ef064913df4c8a08705837acdd7d24d4e691f8d2f082ed2aafc3d2bb55bbd5534a601ffaffe55bd844c4b0746a6fde196f3

  • SSDEEP

    24576:in9S9P3rqU2xDU8ICxcXdq2MqjVE9CRlezOrdML:ikR3rMxQpN5cCfeCrdML

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

taker202.ddns.net:3017

taker202.duckdns.org:5033

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    xmnw-AAJ144

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      Purchase_order_PO1989404.cmd

    • Size

      4.5MB

    • MD5

      4f9b4171ee4728182a576b52c934da7d

    • SHA1

      d58845c88d55aac067b919a5b4bde79d228cf5b6

    • SHA256

      bd4ac830b43dc0f7f7ed19e1cb9b51783bfe36dfd8e58cc93a2e139fcce2c1e8

    • SHA512

      7782a15c610d419935960f8f73243c9016441476f666c99bb71de4234f9006aa94bdc643ecda6f274187a8f41953796ea089abc20a001c771776d9b4d2355f0a

    • SSDEEP

      24576:ajN3QGmU4n/+6JVT+avOgeF/ehZ2gCrxBJGhRCAQ:iFQGmdn/+GdRvOX9gCqQ

    • Remcos

      Remcos is a closed-source remote access and surveillance tool; the extracted config above gives this sample's C2 hosts, install location and mutex.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
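The extracted config (C2 host:port pairs, copy_folder/copy_file, keylog_folder/keylog_file) and the behaviour signatures above (dropped EXE, Run key) are the indicators a responder would hunt for. The script below is an added example, not tria.ge tooling: it turns those indicators into matchers and runs them over Sysmon-style event records. The Sysmon field names are real, but the sample events and the Run value name "Remcos" are constructed for illustration. The mutex xmnw-AAJ144 is not visible in Sysmon, so it is left to EDR or live handle enumeration; note also that the config's install_flag is false, so the copy path may not appear on every host even when the C2 traffic does.

```python
"""Hunting helper built from the Remcos indicators in this report.

Added example, not tria.ge tooling. It turns the extracted config (C2
host:port pairs, copy_folder/copy_file, keylog_folder/keylog_file) into
matchers and runs them over Sysmon-style event dicts. Field names follow
Sysmon's schema; the sample events at the bottom are constructed.
"""
from dataclasses import dataclass

# Indicators from the extracted config above.
REMCOS_C2 = {("taker202.ddns.net", 3017), ("taker202.duckdns.org", 5033)}
REMCOS_C2_DOMAINS = {host for host, _ in REMCOS_C2}
REMCOS_COPY_PATH = "\\remcos\\remcos.exe"    # copy_folder + copy_file
REMCOS_KEYLOG_PATH = "\\remcos\\logs.dat"    # keylog_folder + keylog_file


@dataclass(frozen=True)
class Hit:
    event_id: int
    indicator: str
    detail: str


def _ends_with_ci(value: str, suffix: str) -> bool:
    return value.lower().endswith(suffix.lower())


def match_event(ev: dict) -> list[Hit]:
    """Return every Remcos indicator that one Sysmon-style event trips."""
    hits: list[Hit] = []
    eid = ev.get("EventID")
    if eid == 3:  # network connection: host AND port must match the config
        key = (str(ev.get("DestinationHostname", "")).lower(),
               int(ev.get("DestinationPort", 0)))
        if key in REMCOS_C2:
            hits.append(Hit(3, "c2_connection", f"{key[0]}:{key[1]}"))
    elif eid == 22:  # DNS query for either C2 domain
        if str(ev.get("QueryName", "")).lower() in REMCOS_C2_DOMAINS:
            hits.append(Hit(22, "c2_dns", ev["QueryName"]))
    elif eid == 13:  # registry value set: a Run key pointing at the copied binary
        target = str(ev.get("TargetObject", ""))
        details = str(ev.get("Details", "")).strip('"')
        if ("\\currentversion\\run\\" in target.lower()
                and _ends_with_ci(details, REMCOS_COPY_PATH)):
            hits.append(Hit(13, "run_key_persistence", target))
    elif eid == 11:  # file create in the install or keylog folder
        tf = str(ev.get("TargetFilename", ""))
        if _ends_with_ci(tf, REMCOS_COPY_PATH) or _ends_with_ci(tf, REMCOS_KEYLOG_PATH):
            hits.append(Hit(11, "dropped_file", tf))
    return hits


def scan(events: list[dict]) -> dict[str, list[Hit]]:
    """Group hits by indicator name over a batch of events."""
    out: dict[str, list[Hit]] = {}
    for ev in events:
        for h in match_event(ev):
            out.setdefault(h.indicator, []).append(h)
    return out


# Constructed sample events (not from the report); the 443 connection and the
# OneDrive Run value are benign decoys that must not match.
SAMPLE_EVENTS = [
    {"EventID": 22, "QueryName": "taker202.ddns.net"},
    {"EventID": 3, "DestinationHostname": "taker202.ddns.net", "DestinationPort": 3017},
    {"EventID": 3, "DestinationHostname": "taker202.ddns.net", "DestinationPort": 443},
    {"EventID": 11, "TargetFilename": "C:\\Users\\victim\\AppData\\Roaming\\Remcos\\remcos.exe"},
    {"EventID": 13,  # Run value name "Remcos" is an assumption
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Remcos",
     "Details": "\"C:\\Users\\victim\\AppData\\Roaming\\Remcos\\remcos.exe\""},
    {"EventID": 13,
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"},
]

if __name__ == "__main__":
    for name, hs in scan(SAMPLE_EVENTS).items():
        print(name, [h.detail for h in hs])
```

Matching the C2 on host and port together keeps the dynamic-DNS hostnames from firing on unrelated traffic; the DNS matcher is looser on purpose, since a resolution attempt for either domain is worth a look even if the connection never completes.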

MITRE ATT&CK Enterprise v15

Tasks