Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

bc7c2b5cec...65.exe

windows7-x64

10

bc7c2b5cec...65.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    177s
  • max time network
    161s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03/10/2024, 14:23 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bc7c2b5cecb62ddda8ab33eaaa7abf65.exe

  • Size

    3.7MB

  • MD5

    bc7c2b5cecb62ddda8ab33eaaa7abf65

  • SHA1

    e8ea016e57a0e87b90f8afbce0eee6bc1afd8bfb

  • SHA256

    0e875809afec874bbbdd8395efac33c3e57bd86a66ae4097c87b35656b64804c

  • SHA512

    6a57c650fad469b71f81fa488a555919f7dccfe45b501b0930285a36dc4e705faa710bf6a0c27828ec720494c89baa8d7d95fc6e752f6221f7a32bf1abcfa112

  • SSDEEP

    49152:DC8nc/DY7yJiS/t8Tk6SRdkpvRFpybpxNYPMI3+bEmnT:DCv/lRRd8FpybHaEIy

Score
10/10
remcosxoaoamortdiscoverypersistencerat

Malware Config

Extracted

Family

remcos

Botnet

XOAOAMORT

C2

carroosmfjdjs.con-ip.com:1661

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-BTGK97

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc7c2b5cecb62ddda8ab33eaaa7abf65.exe
    "C:\Users\Admin\AppData\Local\Temp\bc7c2b5cecb62ddda8ab33eaaa7abf65.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Users\Admin\AppData\Local\Temp\bc7c2b5cecb62ddda8ab33eaaa7abf65.exe
      "C:\Users\Admin\AppData\Local\Temp\bc7c2b5cecb62ddda8ab33eaaa7abf65.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1988

Network

  • flag-us
    DNS
    carroosmfjdjs.con-ip.com
    bc7c2b5cecb62ddda8ab33eaaa7abf65.exe
    Remote address:
    8.8.8.8:53
    Request
    carroosmfjdjs.con-ip.com
    IN A
    Response
    carroosmfjdjs.con-ip.com
    IN A
    181.131.216.100
  • flag-us
    DNS
    geoplugin.net
    bc7c2b5cecb62ddda8ab33eaaa7abf65.exe
    Remote address:
    8.8.8.8:53
    Request
    geoplugin.net
    IN A
    Response
    geoplugin.net
    IN A
    178.237.33.50
  • flag-nl
    GET
    http://geoplugin.net/json.gp
    bc7c2b5cecb62ddda8ab33eaaa7abf65.exe
    Remote address:
    178.237.33.50:80
    Request
    GET /json.gp HTTP/1.1
    Host: geoplugin.net
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    date: Thu, 03 Oct 2024 14:23:26 GMT
    server: Apache
    content-length: 955
    content-type: application/json; charset=utf-8
    cache-control: public, max-age=300
    access-control-allow-origin: *
  • 181.131.216.100:1661
    carroosmfjdjs.con-ip.com
    tls
    bc7c2b5cecb62ddda8ab33eaaa7abf65.exe
    3.7kB
     1.7kB
     16
    18
  • 178.237.33.50:80
    http://geoplugin.net/json.gp
    http
    bc7c2b5cecb62ddda8ab33eaaa7abf65.exe
    669 B
     2.5kB
     13
    4

    HTTP Request

    GET http://geoplugin.net/json.gp

    HTTP Response

    200
  • 8.8.8.8:53
    carroosmfjdjs.con-ip.com
    dns
    bc7c2b5cecb62ddda8ab33eaaa7abf65.exe
    70 B
     86 B
     1
    1

    DNS Request

    carroosmfjdjs.con-ip.com

    DNS Response

    181.131.216.100

  • 8.8.8.8:53
    geoplugin.net
    dns
    bc7c2b5cecb62ddda8ab33eaaa7abf65.exe
    59 B
     75 B
     1
    1

    DNS Request

    geoplugin.net

    DNS Response

    178.237.33.50

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\remcos\logs.dat
    Filesize

    144B

    MD5

    9eb56240582279345a0789ef9129ebc6

    SHA1

    07521c2a58b7d1c6a0f37a18796f42a679adac42

    SHA256

    16ad903d4dd2dc8cb210be2c3742ae2500a043231c3662126d9322ea0dbfaabe

    SHA512

    7d2aee8c19427dab1305091f0a4ba2acb077a02778f0cd1c358f44bbc2ad33996ff3ae98ba6af90bd57753149834e2f4c31f8ec9da5db9e9986b4af7885f4810

    Download Submit

  • memory/1988-21-0x0000000000400000-0x00000000009BC000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1988-54-0x00000000001B0000-0x0000000000232000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1988-8-0x00000000001B0000-0x0000000000232000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1988-70-0x00000000001B0000-0x0000000000232000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1988-12-0x00000000001B0000-0x0000000000232000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1988-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1988-69-0x00000000001B0000-0x0000000000232000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1988-62-0x00000000001B0000-0x0000000000232000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1988-61-0x00000000001B0000-0x0000000000232000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1988-24-0x00000000001B0000-0x0000000000232000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1988-18-0x00000000001B0000-0x0000000000232000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1988-53-0x00000000001B0000-0x0000000000232000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1988-22-0x00000000001B0000-0x0000000000232000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1988-45-0x00000000001B0000-0x0000000000232000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1988-37-0x00000000001B0000-0x0000000000232000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1988-16-0x00000000001B0000-0x0000000000232000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1988-38-0x00000000001B0000-0x0000000000232000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1988-27-0x00000000001B0000-0x0000000000232000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1988-28-0x00000000001B0000-0x0000000000232000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1988-29-0x00000000001B0000-0x0000000000232000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2432-2-0x0000000000507000-0x0000000000520000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2432-1-0x0000000000400000-0x00000000009BC000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2432-26-0x0000000000507000-0x0000000000520000-memory.dmp

    Filesize

    100KB

    Download

  • memory/2432-0-0x0000000000400000-0x00000000009BC000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2432-23-0x0000000000400000-0x00000000009BC000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2432-5-0x0000000000400000-0x00000000009BC000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2432-4-0x0000000000400000-0x00000000009BC000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2432-6-0x0000000000400000-0x00000000009BC000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2432-7-0x0000000000400000-0x00000000009BC000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2432-14-0x0000000000400000-0x00000000009BC000-memory.dmp

    Filesize

    5.7MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.