General

  • Target

    13082024_1645_13082024_FedEX Arrival - AWB# 102235506763.zip

  • Size

    482KB

  • Sample

    240813-t9h61szbqr

  • MD5

    4c99b8ce95a67b1c82d4488c266da906

  • SHA1

    84d9d089e66b3802a472be09e3222f721cf7ac93

  • SHA256

    6ae4cd7a6499338fc9b4c156be801ca893c6f94a5212b5de0fcc9c5e8a8c251e

  • SHA512

    bf3b1d03b338a5939a1e34dbf651b8621a236bdaa00943b388b2ab2041782068cf94654c0f9813c4dac94b3e4500eb6d57566912d66767b1dac5abee898433f0

  • SSDEEP

    12288:CtVJjy5DBlaAThVjXcDmsArbAAYW7BEgaSP5qyg73H:C5j02APoqssbAAnBkyYH

Malware Config

Extracted

Family

remcos

Botnet

benchao

C2

tochisglobal.ddns.net:6426

Attributes

  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-9R4HLX

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5
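The extracted configuration above is already a usable indicator set. As an added example (not part of the tria.ge report or of any Remcos tooling), the Python below turns those fields into host and network indicators and runs them over a few constructed, Sysmon-style event records. The C2 endpoint and the mutex are treated as strong indicators because the implant needs them whatever its feature flags say; the copy, keylog and screenshot paths are treated as weak because install_flag, keylog_flag and screenshot_flag are all false in this build, so those artifacts should not be expected on an infected host. The event records, the event field names and the expansion of %AppData% to AppData\Roaming are assumptions made for the demo.

```python
"""Derive indicators from the Remcos config extracted in this report and
match them against constructed Sysmon-style events (added example)."""

# Values copied from the "Malware Config" section of this report.
REMCOS_CONFIG = {
    "c2": ["tochisglobal.ddns.net:6426"],
    "mutex": "Rmc-9R4HLX",
    "copy_folder": "Remcos",
    "copy_file": "remcos.exe",
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
    "screenshot_path": "%AppData%",
    "screenshot_folder": "Screenshots",
    "install_flag": False,
    "keylog_flag": False,
    "screenshot_flag": False,
}


def indicators_from_config(cfg):
    """Return strong (network/mutex) indicators plus path suffixes that are
    only 'strong' when the feature flag that would create them is enabled."""
    ind = {"hosts": set(), "endpoints": set(), "mutexes": set(), "paths": []}
    for c2 in cfg["c2"]:
        host, _, port = c2.rpartition(":")
        ind["hosts"].add(host.lower())
        ind["endpoints"].add((host.lower(), int(port)))
    ind["mutexes"].add(cfg["mutex"])
    # Assumption: %AppData% expands to <profile>\AppData\Roaming.
    shot_dir = cfg["screenshot_path"].replace("%AppData%", "AppData\\Roaming")
    features = [
        ("install", cfg["install_flag"], cfg["copy_folder"] + "\\" + cfg["copy_file"]),
        ("keylog", cfg["keylog_flag"], cfg["keylog_folder"] + "\\" + cfg["keylog_file"]),
        ("screenshot", cfg["screenshot_flag"], shot_dir + "\\" + cfg["screenshot_folder"] + "\\"),
    ]
    for feature, enabled, suffix in features:
        ind["paths"].append((suffix.lower(), "strong" if enabled else "weak", feature))
    return ind


def match_event(ind, ev):
    """Return a list of (strength, reason) tuples for one event dict."""
    hits = []
    kind = ev.get("kind")
    if kind == "dns" and ev["query"].lower() in ind["hosts"]:
        hits.append(("strong", f"DNS query for C2 host {ev['query']}"))
    elif kind == "net":
        host = ev.get("host", "").lower()
        if host in ind["hosts"]:
            exact = (host, ev["port"]) in ind["endpoints"]
            hits.append(("strong", f"connection to C2 host {host}:{ev['port']}"
                         + ("" if exact else " (port differs from config)")))
    elif kind == "mutex" and ev["name"] in ind["mutexes"]:
        hits.append(("strong", f"Remcos mutex {ev['name']}"))
    elif kind == "file":
        path = ev["path"].replace("/", "\\").lower()
        for suffix, strength, feature in ind["paths"]:
            if suffix.endswith("\\"):          # a folder: match anywhere in the path
                matched = ("\\" + suffix) in path
            else:                               # a file: match the tail of the path
                matched = path.endswith("\\" + suffix)
            if matched:
                note = "" if strength == "strong" else f" (config has {feature}_flag=false, treat as weak)"
                hits.append((strength, f"{feature} artifact path {ev['path']}{note}"))
    return hits


def scan(ind, events):
    """Run match_event over every event; return [(event_index, strength, reason)]."""
    return [(i, s, r) for i, ev in enumerate(events) for s, r in match_event(ind, ev)]


# Constructed events for the demo; not taken from the sandbox run.
SAMPLE_EVENTS = [
    {"kind": "dns", "query": "tochisglobal.ddns.net"},
    {"kind": "net", "host": "tochisglobal.ddns.net", "port": 6426},
    {"kind": "net", "host": "tochisglobal.ddns.net", "port": 443},
    {"kind": "mutex", "name": "Rmc-9R4HLX"},
    {"kind": "file", "path": "C:\\Users\\alice\\AppData\\Roaming\\Remcos\\remcos.exe"},
    {"kind": "file", "path": "C:\\Users\\alice\\AppData\\Roaming\\remcos\\logs.dat"},
    {"kind": "file", "path": "C:\\Users\\alice\\Documents\\report.docx"},
]

if __name__ == "__main__":
    indicators = indicators_from_config(REMCOS_CONFIG)
    for idx, strength, reason in scan(indicators, SAMPLE_EVENTS):
        print(f"[{strength}] event {idx}: {reason}")
```

A connection to the C2 host on a port other than 6426 is still reported as strong, since the dynamic-DNS name is the durable part of the indicator and operators change ports between builds; the mismatch is noted so an analyst can check whether a newer config is in play.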

Targets

    • Target

      FedEX Arrival - AWB# 102235506763.exe

    • Size

      500KB

    • MD5

      591e37c2118d8137bca5bc35a8c0a986

    • SHA1

      dd752209e4f9a1a18a09dce2f90efc2a74b66ae0

    • SHA256

      16e1fc1631183e97739837a4d7fb915d77eedec6784b66402ca3c20138080b78

    • SHA512

      b0d29c79271dac601e4ecdd5613d3a8e263214ca5b4c77222482f39f45f5bf8ade0b6abb6f05076e5965d29df9446c0456265284122e887dbd2fa55f4bc6c727

    • SSDEEP

      12288:iYLJjm5DBJMATlVjXqDMsArPAA0WvBQgamTvaygr+T:iYNjIEADeIssPAATdoyVT

    • Remcos

      Remcos is closed-source remote-control and surveillance software.

    • Loads dropped DLL

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/LangDLL.dll

    • Size

      5KB

    • MD5

      68b287f4067ba013e34a1339afdb1ea8

    • SHA1

      45ad585b3cc8e5a6af7b68f5d8269c97992130b3

    • SHA256

      18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

    • SHA512

      06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

    • SSDEEP

      48:S46+/nTKYKxbWsptIpBtWZ0iV8jAWiAJCvxft2O2B8mFofjLl:zFuPbOBtWZBV8jAWiAJCdv2Cm0L

    Score
    3/10
    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      cff85c549d536f651d4fb8387f1976f2

    • SHA1

      d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

    • SHA256

      8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

    • SHA512

      531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

    • SSDEEP

      192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr

    Score
    3/10
