Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

JY-PCB-240109A-3.exe

windows7-x64

10

JY-PCB-240109A-3.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    27062024_1711_27062024_JY-PCB-240109A-3.7z

  • Size

    6KB

  • Sample

    240627-vqp1ws1eje

  • MD5

    7da235e1de9607c834e07f22fed9ef64

  • SHA1

    21dedcfc2defc51b20f9d92c6d40a68fc827684c

  • SHA256

    c362c9041673c2475a3aecfa463941fde1935d452a5489a6f2a6a997053c92cf

  • SHA512

    8c8733bae07831fedee2ed75dd0337a8ce2c17a2a9fbbbebe376a3fed9d2ce7b3be80b1cd684839cb09cdce56f17b4d35c58f8ad0f45436a8dcef0d491f137f6

  • SSDEEP

    192:PmxHOKqIdcHSG3q5kRT8x6LmvTeYQLHyz/wa5X:CuK7MSG0M9CvTe9LSbvX

Score
10/10
remcosremotehostagilenetcollectionpersistenceratspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

45.133.116.123:63650

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-3BFGTU

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      JY-PCB-240109A-3.exe

    • Size

      21KB

    • MD5

      e05b80c579472d630f481820526c75f5

    • SHA1

      7dca7c4bda5302e67ec87073b040ede2be781a6a

    • SHA256

      2e410769ac9f0e71df08fda7115ccc473815a0f200a19059972d2c7b6190af4f

    • SHA512

      c2b2e567713e3c712a6611a1255270e6695b26e136c80428860fe86a46e9eab5e589085c7bcc5213e0218a67e99949efaf5109fed2975668e8ecf87d11612feb

    • SSDEEP

      384:ilFLVGZkhqIg8hR2GZsHEuymVr3JmJZzyF/O7v6qEfTivVqsSqncKxXFY:iTiYxBu93JmvyqEfuNqUcKxXFY

    Score
    10/10
    remcosremotehostagilenetcollectionpersistenceratspywarestealer

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.