Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    13082024_1645_13082024_FedEX Arrival - AWB# 102235506763.zip

  • Size

    482KB

  • Sample

    240813-t9h61szbqr

  • MD5

    4c99b8ce95a67b1c82d4488c266da906

  • SHA1

    84d9d089e66b3802a472be09e3222f721cf7ac93

  • SHA256

    6ae4cd7a6499338fc9b4c156be801ca893c6f94a5212b5de0fcc9c5e8a8c251e

  • SHA512

    bf3b1d03b338a5939a1e34dbf651b8621a236bdaa00943b388b2ab2041782068cf94654c0f9813c4dac94b3e4500eb6d57566912d66767b1dac5abee898433f0

  • SSDEEP

    12288:CtVJjy5DBlaAThVjXcDmsArbAAYW7BEgaSP5qyg73H:C5j02APoqssbAAnBkyYH

Malware Config

Extracted

Family

remcos

Botnet

benchao

C2

tochisglobal.ddns.net:6426

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-9R4HLX

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      FedEX Arrival - AWB# 102235506763.exe

    • Size

      500KB

    • MD5

      591e37c2118d8137bca5bc35a8c0a986

    • SHA1

      dd752209e4f9a1a18a09dce2f90efc2a74b66ae0

    • SHA256

      16e1fc1631183e97739837a4d7fb915d77eedec6784b66402ca3c20138080b78

    • SHA512

      b0d29c79271dac601e4ecdd5613d3a8e263214ca5b4c77222482f39f45f5bf8ade0b6abb6f05076e5965d29df9446c0456265284122e887dbd2fa55f4bc6c727

    • SSDEEP

      12288:iYLJjm5DBJMATlVjXqDMsArPAA0WvBQgamTvaygr+T:iYNjIEADeIssPAATdoyVT

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Loads dropped DLL

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/LangDLL.dll

    • Size

      5KB

    • MD5

      68b287f4067ba013e34a1339afdb1ea8

    • SHA1

      45ad585b3cc8e5a6af7b68f5d8269c97992130b3

    • SHA256

      18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

    • SHA512

      06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

    • SSDEEP

      48:S46+/nTKYKxbWsptIpBtWZ0iV8jAWiAJCvxft2O2B8mFofjLl:zFuPbOBtWZBV8jAWiAJCdv2Cm0L

    Score
    3/10
    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      cff85c549d536f651d4fb8387f1976f2

    • SHA1

      d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

    • SHA256

      8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

    • SHA512

      531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

    • SSDEEP

      192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks