Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
cc67b8be8fc325cf915731f69dd2c36d77c12ea1819726e70ed57170fafd1722.vbs
-
Size
114KB
-
Sample
240809-b11etsvamp
-
MD5
ccde7ef0e90a5a62394fafe77c7eff7e
-
SHA1
197cbc0c7ab873fd02bf2b8a3a17d7b0f44bb003
-
SHA256
cc67b8be8fc325cf915731f69dd2c36d77c12ea1819726e70ed57170fafd1722
-
SHA512
047baeb2e3d183605346025f86df3042f596bd2505adf7597ffb2fd972acf9db6bd62d03a3f9b52c9a9ffabca743d5e3c359a5a12fc79a3d6e93fdc8d7930dfe
-
SSDEEP
1536:FkLcccOgt5pzGUGwIaymHVUJW4Wrle/PhG+/kery+bG8:8gt5pjGwIaymHdS7b
Static task
static1
Behavioral task
behavioral1
Sample
cc67b8be8fc325cf915731f69dd2c36d77c12ea1819726e70ed57170fafd1722.vbs
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
cc67b8be8fc325cf915731f69dd2c36d77c12ea1819726e70ed57170fafd1722.vbs
Resource
win10v2004-20240802-en
Malware Config
Extracted
http://servidorwindows.ddns.com.br/Files/vbs.jpeg
http://servidorwindows.ddns.com.br/Files/vbs.jpeg
Extracted
remcos
RemoteHost
host.wemnbbsweoipmngbyutrdcunbgrtjeroendns.pro:26734
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
word
-
keylog_path
%Temp%
-
mouse_option
false
-
mutex
Rmc-5W5YKY
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
cc67b8be8fc325cf915731f69dd2c36d77c12ea1819726e70ed57170fafd1722.vbs
-
Size
114KB
-
MD5
ccde7ef0e90a5a62394fafe77c7eff7e
-
SHA1
197cbc0c7ab873fd02bf2b8a3a17d7b0f44bb003
-
SHA256
cc67b8be8fc325cf915731f69dd2c36d77c12ea1819726e70ed57170fafd1722
-
SHA512
047baeb2e3d183605346025f86df3042f596bd2505adf7597ffb2fd972acf9db6bd62d03a3f9b52c9a9ffabca743d5e3c359a5a12fc79a3d6e93fdc8d7930dfe
-
SSDEEP
1536:FkLcccOgt5pzGUGwIaymHVUJW4Wrle/PhG+/kery+bG8:8gt5pjGwIaymHdS7b
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook accounts
-
Suspicious use of SetThreadContext
-