Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    d0b9e457b2d16d654f95b599d86da4c0N.exe

  • Size

    1.5MB

  • Sample

    240818-djw27avdlk

  • MD5

    d0b9e457b2d16d654f95b599d86da4c0

  • SHA1

    84b6f6e4f1d9e859ac733e37051f3f6c7e276c76

  • SHA256

    ea15b09762985bc16b997558583acb28d9fd9e86eb95b2df204956211ec541d7

  • SHA512

    2c08ee289fab2d9cd1e0e42202f6f80ba347d70a7bcd4c05578daacc22526dc201cfa554c8410337f1d83fb7c820d7ef7331038b2bbcd34345857f3415fe7971

  • SSDEEP

    24576:ED39v74lfGQrFUspugRNJI2DJ53J/J/L5dJPjouO:Ep7E+QrFUBgq2e

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

213.183.58.19:4000

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    read.dat

  • keylog_flag

    false

  • keylog_folder

    CastC

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_sccafsoidz

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

remcos

Botnet

Host

C2

213.183.58.19:4000

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    read.dat

  • keylog_flag

    false

  • keylog_folder

    CastC

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_sccafsoidz

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      d0b9e457b2d16d654f95b599d86da4c0N.exe

    • Size

      1.5MB

    • MD5

      d0b9e457b2d16d654f95b599d86da4c0

    • SHA1

      84b6f6e4f1d9e859ac733e37051f3f6c7e276c76

    • SHA256

      ea15b09762985bc16b997558583acb28d9fd9e86eb95b2df204956211ec541d7

    • SHA512

      2c08ee289fab2d9cd1e0e42202f6f80ba347d70a7bcd4c05578daacc22526dc201cfa554c8410337f1d83fb7c820d7ef7331038b2bbcd34345857f3415fe7971

    • SSDEEP

      24576:ED39v74lfGQrFUspugRNJI2DJ53J/J/L5dJPjouO:Ep7E+QrFUBgq2e

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks