Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Backdoor.exe

windows7-x64

10

Backdoor.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Backdoor.bat

  • Size

    36KB

  • Sample

    240929-yfn8ds1eqf

  • MD5

    70aadafbc88f381a60171fb21ae4e5ba

  • SHA1

    e7cfd181af802976134b23177087ba5dcd518a64

  • SHA256

    13641bd80132964e830b3961ccf6300358bfab5149aad32571998a98e2413db1

  • SHA512

    19379c0379c5d186514be3faf5839315473d74abe2366f1067fef31fe82300b5f8cf507a58a6e70851e0cb5b76ba4713919ae626232806c953d40a1181146fa1

  • SSDEEP

    768:yNnmZ/8vPlLUdhfJ8v6utFpVsuRregrWChgz/b7Dsr1:Unwu4DejVLyOhgz/Yr

Score
10/10
remcoshostdiscoveryevasionpersistencerattrojan

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

top-max.gl.at.ply.gg:65091

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    winka.exe

  • copy_folder

    winled

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    methfsaf

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_wexxmpxcql

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      Backdoor.bat

    • Size

      36KB

    • MD5

      70aadafbc88f381a60171fb21ae4e5ba

    • SHA1

      e7cfd181af802976134b23177087ba5dcd518a64

    • SHA256

      13641bd80132964e830b3961ccf6300358bfab5149aad32571998a98e2413db1

    • SHA512

      19379c0379c5d186514be3faf5839315473d74abe2366f1067fef31fe82300b5f8cf507a58a6e70851e0cb5b76ba4713919ae626232806c953d40a1181146fa1

    • SSDEEP

      768:yNnmZ/8vPlLUdhfJ8v6utFpVsuRregrWChgz/b7Dsr1:Unwu4DejVLyOhgz/Yr

    Score
    10/10
    remcoshostdiscoveryevasionpersistencerattrojan

    • Modifies WinLogon for persistence

      persistence

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • UAC bypass

      evasiontrojan

    • Adds policy Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Modifies WinLogon

      persistence
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

4
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

2
T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

4
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

2
T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

6
T1112

Credential Access

Discovery

Browser Information Discovery

1
T1217

Query Registry

2
T1012

Remote System Discovery

1
T1018

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.