
General

  • Target: b12eacb58fdec15ef47381a179ad8436714dad9fb0ada9149cb0dd16a30335a7
  • Size: 491KB
  • Sample: 240919-md19dstbmg
  • MD5: da23e973ef10bb95acff5b0bbaddbc24
  • SHA1: 6be9ea61083341a2e1a3b818ebd833ab2b57789a
  • SHA256: b12eacb58fdec15ef47381a179ad8436714dad9fb0ada9149cb0dd16a30335a7
  • SHA512: f6c58ea3dae2092a561a180ec7a6db9a52b60861caa1310527f7af5c07d1c393067f38130a37149258436d32ca55aa71b0d92a3b0be1112fa27bca289bc1dd8b
  • SSDEEP: 12288:J0uOObshb0QuSuHz/2Gm5G4h+hW4ufPViQ2Is7:JN/Al0QLuT/rm5GGubuViZIs

Malware Config

Extracted

  • Family: remcos
  • Botnet: Ember Luck
  • C2:
      • ogcmaw.duckdns.org:2404
      • emberluck.duckdns.org:2500

Attributes

  • audio_folder: MicRecords
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • keylog_crypt: false
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: remcos
  • mouse_option: false
  • mutex: Rmc-SKG82E
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • take_screenshot_option: false
  • take_screenshot_time: 5

Targets

    • Target: RFQ Engine & Piston overhaul,Doc.exe
    • Size: 1.1MB
    • MD5: cb29d8a4b611a3b84ccf7c597d2a1c6e
    • SHA1: b0b066b3c6efe68a3a591e9d10f665b9d22cdf9f
    • SHA256: 1ea1b7efa0e1f28a2c64bbe8db6629a1171041624c65f7a6293b8ea4563c4c4e
    • SHA512: 8ae6434e0fc40e060ba3fa1b6968860043883679710d4a25b9925287c0a7c52cfce121b143d2fc10ce4bb9382d979da7f90900924d42008227a08395b3985173
    • SSDEEP: 24576:jkcL46wGlmCQ4dviCbWBFREfuFlFnP06vtSRDZZdI39v5SPfWxtPtnwpZz2MXMGq:jQnrCxf2dsjrMSehaaVt

    Signatures

    • ModiLoader, DBatLoader: ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
    • Remcos: Remcos is a closed-source remote control and surveillance software.
    • ModiLoader Second Stage
    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application

MITRE ATT&CK Enterprise v15
