Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    Virus.Danger.ATA_virussign.com_b050247ddb99e9969eabeba8b76eb491.exe

  • Size

    1.2MB

  • Sample

    240907-p1ltbswgnh

  • MD5

    b050247ddb99e9969eabeba8b76eb491

  • SHA1

    f899f777ee2827f7dc997dba67681936835acb3d

  • SHA256

    52f0c3471e31cea46fd5776acf896e557c3da55dc8966349b3939c51e3b6b82d

  • SHA512

    a909645475030ddf5f07853a7d6315dce996738d662539757c3fbe4e19c4c153e120e8add7ae6ff1532e6e56160c7acd1b13d63eba5e65a1943d5954211d438e

  • SSDEEP

    24576:xtb20pkaCqT5TBWgNQ7ay2js14tXE/D1Si5EGjN6A:CVg5tQ7ay2j9ED+GB5

Malware Config

Extracted

Family

remcos

Botnet

edbra

C2

185.150.191.117:4609

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-5BA7PB

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      Virus.Danger.ATA_virussign.com_b050247ddb99e9969eabeba8b76eb491.exe

    • Size

      1.2MB

    • MD5

      b050247ddb99e9969eabeba8b76eb491

    • SHA1

      f899f777ee2827f7dc997dba67681936835acb3d

    • SHA256

      52f0c3471e31cea46fd5776acf896e557c3da55dc8966349b3939c51e3b6b82d

    • SHA512

      a909645475030ddf5f07853a7d6315dce996738d662539757c3fbe4e19c4c153e120e8add7ae6ff1532e6e56160c7acd1b13d63eba5e65a1943d5954211d438e

    • SSDEEP

      24576:xtb20pkaCqT5TBWgNQ7ay2js14tXE/D1Si5EGjN6A:CVg5tQ7ay2j9ED+GB5

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks