General

  • Target

    465c444d20b3e265e924360ced45ea8e6e8ef2cdf46ed4d7ae71ed9e1e4e10ca

  • Size

    352KB

  • Sample

    240818-fx9ljszgjk

  • MD5

    e75439b20cab586a15874a864706f328

  • SHA1

    8e9382773296854a253f9c7840d5b3d54d2f041b

  • SHA256

    465c444d20b3e265e924360ced45ea8e6e8ef2cdf46ed4d7ae71ed9e1e4e10ca

  • SHA512

    9eaf218719e734a5c76393861de269f7ad114aa1f3f803308c85086c85992b5df461e1e6b05e187ca6cd7ea4c7f3361efd1b1803a196914054c8eb32164b6818

  • SSDEEP

    6144:2qlonWp9KdXv6gvNSS8aVr0nbUlUq1IJ8JaDlpiBpe7QRfH91w42/TARn:LonNigvona10Jq1vQZQ73z2/0Rn

Malware Config

Extracted

Family

remcos

Botnet

benchao

C2

tochisglobal.ddns.net:6426

Attributes

  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-9R4HLX

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      1619172a202b25aff96beb80b21fbda70ed92237a88a7a4d990f5de77b19677d.exe

    • Size

      519KB

    • MD5

      aaf009498fd654fe098a30d1ec1d3120

    • SHA1

      d6de6ea6d8deb0b700cda51e8f366d3a333ffa29

    • SHA256

      1619172a202b25aff96beb80b21fbda70ed92237a88a7a4d990f5de77b19677d

    • SHA512

      6c601a13522500196ac58dc3b75ead4b438ddc149a4e1513a0657ea69be98845428f0bd76285218053532bfb59f702e091310dc92e00d9af1a7def2416581460

    • SSDEEP

      6144:+xwgiJ4h+W4PQgPniiWn14owKYHvYLPG7nIsJmwu1WGFKPVMmNK1ftxU3WaN5rfx:cS4QZyn14rBHcgpJmwuAN7Cfn2v5P

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Loads dropped DLL

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/LangDLL.dll

    • Size

      5KB

    • MD5

      af4324802813a5a897db2167fc10e291

    • SHA1

      916bd47457dcb4247743626e86492436b77bebf8

    • SHA256

      92cb3b3a7280246743543325d3fe9a7d72c63227f9540d25d5ef27b2ce8856b4

    • SHA512

      cb3e07c4558049634078808bd419860c6e2855a02bba79541cea80873fe6db58cf667a27c111521df09ef30f92c149736092c473fde28bbb5974be6d7ddab83c

    • SSDEEP

      48:qcjtDVP10LgQL8QRU8IlmWm7WmnuWK8hSemoMqG5QEv8sF9UwofMU:xVPFQIqlemWm7WmTaehG+Ekq

    Score
    3/10

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      6c38da8922cc37b4bbb77de4a63ad843

    • SHA1

      4e0533fd11df8bddbd543ed58df7b6060d9f4631

    • SHA256

      1624d9ad8b2e2658af224691263f64388ba3a997efe80011889e3c35237ce4c1

    • SHA512

      ad0be3d7e57da9c304e9b9cac5341b6c76b157456ab44f5579d6c38c830a31c9c3e1e9a875b8f465243c607ea2ede6b0bb77237f17a70a4d4c78606e036c3430

    • SSDEEP

      192:wA1YOTDExj7EFrYCT4E8y3hoSdtTgwF43E7QbGPXI9uIc6gn9Mw:QR7SrtTv53tdtTgwF4SQbGPX36g9Mw

    Score
    3/10