General

  • Target: d26670d5f425962b546d10ecd4d148f5884a3f392afe1c5fb4426466d4454c34.exe
  • Size: 931KB
  • Sample: 240905-b8kdks1bpl
  • MD5: c8b97aad582adb6ccddc6f3e74bda215
  • SHA1: bbf2e45bd5af0695f5f82fed5728a480a7fd4c04
  • SHA256: d26670d5f425962b546d10ecd4d148f5884a3f392afe1c5fb4426466d4454c34
  • SHA512: 7ede8146da39ea716cd6c64f3a60ca324566c3000cb5c1275f5f1563cca726ec8b97420c7e4620f4fe998f8542896bb99294cef83a7e8bfae2e1e46fb4bbc100
  • SSDEEP: 24576:9elw4o5E6Gkf1CGkuH2sz6rtlHa08qsCJAUke0O:9elw4o5E+C1ttl605X3ko

Malware Config

Extracted

  • Family: remcos
  • Botnet: Sept. 04C
  • C2: 154.216.20.211:6902

Attributes
  • audio_folder: MicRecords
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • keylog_crypt: false
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: remcos
  • mouse_option: false
  • mutex: Rmc-YGC9WY
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • take_screenshot_option: false
  • take_screenshot_time: 5

Targets

  • Remcos: Remcos is closed-source remote control and surveillance software.
  • Credentials from Password Stores: Credentials from Web Browsers: malicious access to, or copying of, the web browser credential store.
  • Detected Nirsoft tools: free utilities often used by attackers that can steal passwords, product keys, etc.
  • NirSoft MailPassView: password recovery tool for various email clients.
  • NirSoft WebBrowserPassView: password recovery tool for various web browsers.
  • Command and Scripting Interpreter: PowerShell: runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  • Checks computer location settings: looks up the country code configured in the registry, likely for geofencing.
  • Reads user/profile data of web browsers: infostealers often target stored browser data, which can include saved credentials and similar secrets.
  • Accesses Microsoft Outlook accounts
  • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
