General
Target: 31agosto.vbs
Size: 12.8MB
Sample: 241003-3kzl5ssfmp
MD5: d4b7c95e0f73138f48eaac89cbd5f0c9
SHA1: e04d20ddae09884f310cab78156fc1056b80ef85
SHA256: 2d5345e9eb24e2c81697257c9aad3b5881b89220d0e7f7839a03922c67b8f48a
SHA512: 0be7ee792cb12538fb068969be746aad9be3f762aeb42c665180da82add8937a9c3f86c203e98c89357b9dbe58a607c4ab7aaaabe15fc1c916b0e09c43a10180
SSDEEP: 96:m6G7MF5ds/Q8u5QiOF09ALs9cDIj4MxayJH9gzdp6:9fnbf9Gs9cDIjlx5JH9mp6
Static task: static1
Behavioral task: behavioral1
Sample: 31agosto.vbs
Resource: win10v2004-20240802-en
Malware Config
Extracted: http://pastebin.com/raw/V9y5Q5vv
Extracted: remcos
RemoteHost: sost2024ene.duckdns.org:1213
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-0AGASP
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: 31agosto.vbs
Score: 10/10
Blocklisted process makes network request
Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext