General

  • Target

    Офіційний запит 398м24-7, № 399м24-7 .pdf.exe

  • Size

    1.6MB

  • Sample

    240806-lvwvkazele

  • MD5

    22baf6cfab80de22a7d00099d3400ab6

  • SHA1

    1a47982298977bc37e9e5d732a3aecd62e1a5840

  • SHA256

    5e30143f53af82ff891d9801ccff6b30e3dc7f3401bba597accb26e2d3b8b25d

  • SHA512

    701f1903455b24a77ba09ebb8fed8097146f39220b52fce84ee6999192f39a4af4b60f37e8db376e755835825c78f3b0bd7320febecf0293748d8cf3ccb53dfa

  • SSDEEP

    24576:/7tqPO/71AS1UmAZLE6GwB6SuRoEPmXG1Y5j9Z3Q+BYPGK4Y81htTIcDFO8csqJ:Rj/zRAZLEqcoAmXKYZrQ+iP6zacTVqJ

Malware Config

Extracted

Family

remcos

Botnet

HTS1

C2

77.105.161.52:8080

77.105.161.52:80

77.105.161.52:4899

Attributes

  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    HuN-4TNFT1

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates processes with tasklist

MITRE ATT&CK Enterprise v15