General

  • Target

    Backdoor.bat

  • Size

    36KB

  • Sample

    240929-yfn8ds1eqf

  • MD5

    70aadafbc88f381a60171fb21ae4e5ba

  • SHA1

    e7cfd181af802976134b23177087ba5dcd518a64

  • SHA256

    13641bd80132964e830b3961ccf6300358bfab5149aad32571998a98e2413db1

  • SHA512

    19379c0379c5d186514be3faf5839315473d74abe2366f1067fef31fe82300b5f8cf507a58a6e70851e0cb5b76ba4713919ae626232806c953d40a1181146fa1

  • SSDEEP

    768:yNnmZ/8vPlLUdhfJ8v6utFpVsuRregrWChgz/b7Dsr1:Unwu4DejVLyOhgz/Yr

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

top-max.gl.at.ply.gg:65091

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    winka.exe

  • copy_folder

    winled

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    methfsaf

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_wexxmpxcql

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5
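The extracted attributes above map directly onto host and network artifacts a responder can hunt for: the copy location is install_path\copy_folder\copy_file, the keylog file is keylog_path\keylog_folder\keylog_file, the mutex and startup_value are literal strings, and the C2 entry is host:port. The script below, an added example that is not part of the tria.ge report or of Remcos itself, turns the config into concrete indicators and checks a few constructed sandbox-style events against them. The path layout is an assumption read off the attribute names, the %AppData% expansion uses a hypothetical user "victim", and the event records are constructed for the example. Indicators whose controlling flag is false in this config (keylog_flag, screenshot_flag) are reported as latent rather than expected, since the file will not appear unless the operator enables the feature.

```python
"""Derive hunting indicators from the extracted Remcos config and match
constructed sandbox events against them.  Added example; not code from the
tria.ge report or from Remcos.  Path layout (install_path\\copy_folder\\copy_file
etc.) is an assumption read off the attribute names."""
import ntpath
import re

# Attribute values copied from the "Malware Config" section of this page.
CONFIG = {
    "c2": "top-max.gl.at.ply.gg:65091",
    "install_path": "%AppData%", "copy_folder": "winled", "copy_file": "winka.exe",
    "keylog_path": "%AppData%", "keylog_folder": "methfsaf", "keylog_file": "logs.dat",
    "screenshot_path": "%AppData%", "screenshot_folder": "Screens",
    "audio_path": "%AppData%", "audio_folder": "audio",
    "mutex": "remcos_wexxmpxcql", "startup_value": "remcos",
    "install_flag": True, "keylog_flag": False, "screenshot_flag": False,
}

# Constructed expansion for a hypothetical user "victim"; on a real host read
# %AppData% from the suspect process's environment instead.
ENV = {"%AppData%": r"C:\Users\victim\AppData\Roaming"}


def expand(path):
    """Expand %VAR% placeholders case-insensitively (Windows env vars are)."""
    for var, value in ENV.items():
        path = re.sub(re.escape(var), lambda _m: value, path, flags=re.IGNORECASE)
    return path


def parse_c2(entry):
    """Split 'host:port' into (host, port); rpartition tolerates colons in host."""
    host, _, port = entry.rpartition(":")
    return host, int(port)


def derive_artifacts(cfg):
    """Concrete indicators implied by the config, each tagged with whether the
    config actually enables the feature that would create it."""
    return {
        "install_exe": {"value": expand(ntpath.join(cfg["install_path"], cfg["copy_folder"], cfg["copy_file"])),
                        "expected": cfg["install_flag"]},
        "keylog": {"value": expand(ntpath.join(cfg["keylog_path"], cfg["keylog_folder"], cfg["keylog_file"])),
                   "expected": cfg["keylog_flag"]},
        "screenshot_dir": {"value": expand(ntpath.join(cfg["screenshot_path"], cfg["screenshot_folder"])),
                           "expected": cfg["screenshot_flag"]},
        # This config carries no audio flag, so treat the audio folder as latent.
        "audio_dir": {"value": expand(ntpath.join(cfg["audio_path"], cfg["audio_folder"])),
                      "expected": cfg.get("audio_flag", False)},
        "mutex": {"value": cfg["mutex"], "expected": True},
        "run_value": {"value": cfg["startup_value"], "expected": cfg["install_flag"]},
        "c2": {"value": [parse_c2(e) for e in cfg["c2"].split(",") if e], "expected": True},
    }


def match_events(events, art):
    """Return (event_index, indicator_name) for each event landing on an
    indicator.  Paths, names and hosts compare case-insensitively, as NTFS,
    the registry and DNS do."""
    files = {n: art[n]["value"].lower() for n in ("install_exe", "keylog")}
    dirs = {n: art[n]["value"].lower() for n in ("screenshot_dir", "audio_dir")}
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "file_create":
            p = ev["path"].lower()
            hits += [(i, n) for n, f in files.items() if p == f]
            hits += [(i, n) for n, d in dirs.items() if p.startswith(d + "\\")]
        elif ev["type"] == "mutex" and ev["name"].lower() == art["mutex"]["value"].lower():
            hits.append((i, "mutex"))
        elif ev["type"] == "reg_set" and ev["value"].lower() == art["run_value"]["value"].lower():
            # Matched on value name only, so both Run key variants the report
            # flags ("Adds Run key" and "Adds policy Run key") are covered.
            hits.append((i, "run_value"))
        elif ev["type"] == "net_connect" and (ev["host"].lower(), ev["port"]) in art["c2"]["value"]:
            hits.append((i, "c2"))
    return hits


# Constructed sandbox-style events (not from the report) to exercise the matcher.
EVENTS = [
    {"type": "file_create", "path": r"C:\Users\victim\AppData\Roaming\winled\WINKA.EXE"},
    {"type": "mutex", "name": "remcos_wexxmpxcql"},
    {"type": "reg_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "remcos", "data": r"C:\Users\victim\AppData\Roaming\winled\winka.exe"},
    {"type": "net_connect", "host": "top-max.gl.at.ply.gg", "port": 65091},
    {"type": "file_create", "path": r"C:\Users\victim\AppData\Roaming\Screens\shot1.jpg"},
    {"type": "file_create", "path": r"C:\Users\victim\AppData\Roaming\other\notes.txt"},
]

if __name__ == "__main__":
    artifacts = derive_artifacts(CONFIG)
    for idx, name in match_events(EVENTS, artifacts):
        state = "expected" if artifacts[name]["expected"] else "latent"
        print(f"event {idx}: {name} ({state}) -> {artifacts[name]['value']}")
```

Run as-is it flags the dropped binary, the mutex, the Run value and the C2 connection as expected hits and the screenshot folder as a latent one; the unrelated file under %AppData% is not flagged. Swap the CONFIG dict for another sample's extracted attributes to reuse the same matcher.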

Targets

    • Modifies WinLogon for persistence

    • Remcos

      Remcos is a closed-source remote control and surveillance tool.

    • UAC bypass

    • Adds policy Run key to start application

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Modifies WinLogon

MITRE ATT&CK Enterprise v15
