Analysis

  • max time kernel
    148s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/12/2024, 14:54 UTC

General

  • Target
    2024-12-05_493a5c9a1469cef994d69f1dd102e0da_avoslocker_luca-stealer_rhadamanthys.exe
  • Size
    7.7MB
  • MD5
    493a5c9a1469cef994d69f1dd102e0da
  • SHA1
    d05de864d273343c4204e9608330a1867a24fa95
  • SHA256
    b6bcdbd5822720d72a949b018443c758725389d96cffb16a146830c567c302d2
  • SHA512
    34fc3dfd16322318e1c48a2ee0446a14005ff2cefe156844e2a868a907c3d7bf8791496d04928146365af646113cadf0f7bbe31c5c0501dd1e97a90310e7fa96
  • SSDEEP
    98304:w3x3FJ58yNYqDP06ZKkcCOQhrgMSVV+uKIqKpFfAlGhrQ:w31H5nqIKCD9uKIqK73B

Malware Config

Extracted

  • Family
    remcos
  • Botnet
    DIC
  • C2
    5.34.178.128:8090

Attributes
  • audio_folder
    MicRecords
  • audio_path
    ApplicationPath
  • audio_record_time
    5
  • connect_delay
    0
  • connect_interval
    1
  • copy_file
    remcos.exe
  • copy_folder
    Remcos
  • delete_file
    false
  • hide_file
    false
  • hide_keylog_file
    true
  • install_flag
    false
  • keylog_crypt
    true
  • keylog_file
    smartscreen.dat
  • keylog_flag
    false
  • keylog_folder
    RuntimeBroker
  • mouse_option
    false
  • mutex
    215154tgrvrt-TXLNA3
  • screenshot_crypt
    false
  • screenshot_flag
    false
  • screenshot_folder
    Screenshots
  • screenshot_path
    %AppData%
  • screenshot_time
    10
  • take_screenshot_option
    false
  • take_screenshot_time
    5
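The extracted config above maps directly onto artefacts a responder can hunt for: the mutex, the C2 socket, and keylog_folder\keylog_file, which this report's dropped-file list shows on disk as C:\ProgramData\RuntimeBroker\smartscreen.dat. The Python below is an added example written for this page (it is not Triage's or the Remcos author's code). It turns the listed fields into concrete indicators and matches them against a constructed set of host and network events. The C:\ProgramData base for the keylog path is an assumption taken from that dropped-file entry; the copy_folder\copy_file location is not stated in the report, so it is matched only as a path suffix; the event records are constructed for illustration.

```python
import ntpath  # joins Windows paths correctly even when this runs on Linux

# Extracted Remcos config values copied from the report above (constructed dict, same content).
REMCOS_CONFIG = {
    "c2": "5.34.178.128:8090",
    "mutex": "215154tgrvrt-TXLNA3",
    "install_flag": False,
    "copy_folder": "Remcos",
    "copy_file": "remcos.exe",
    "keylog_folder": "RuntimeBroker",
    "keylog_file": "smartscreen.dat",
    "keylog_crypt": True,
    "screenshot_path": "%AppData%",
    "screenshot_folder": "Screenshots",
}

# Assumption: the keylog folder is created under %ProgramData%. The report's dropped-file list
# shows C:\ProgramData\RuntimeBroker\smartscreen.dat, which is keylog_folder\keylog_file.
KEYLOG_BASE = r"C:\ProgramData"


def derive_iocs(cfg):
    """Turn the config fields into concrete, matchable indicators."""
    ip, _, port = cfg["c2"].rpartition(":")
    return {
        "c2_ip": ip,
        "c2_port": int(port),
        "mutex": cfg["mutex"],
        "keylog_path": ntpath.join(KEYLOG_BASE, cfg["keylog_folder"], cfg["keylog_file"]),
        # keylog_crypt=true: the .dat content is encrypted, so grepping it for keystrokes will fail
        "keylog_encrypted": cfg["keylog_crypt"],
        # copy_folder\copy_file is only dropped when install_flag is set; the base directory is
        # not in the report, so keep it as a suffix to match against full paths
        "copy_suffix": ntpath.join(cfg["copy_folder"], cfg["copy_file"]),
        "copy_expected": cfg["install_flag"],
        "screenshot_dir": ntpath.join(cfg["screenshot_path"], cfg["screenshot_folder"]),
    }


def match_events(iocs, events):
    """Return (rule, event) pairs for events that hit a derived IOC.

    Event dicts are the shape an EDR or sandbox trace would give: a type plus the relevant
    field. Path comparisons are case-insensitive because NTFS is.
    """
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "file_create":
            path = ev["path"].lower()
            if path == iocs["keylog_path"].lower():
                hits.append(("keylog_file", ev))
            elif path.endswith("\\" + iocs["copy_suffix"].lower()):
                hits.append(("copy_file", ev))
        elif kind == "mutex_create" and ev["name"] == iocs["mutex"]:
            hits.append(("mutex", ev))
        elif kind == "net_connect" and ev["ip"] == iocs["c2_ip"] and ev["port"] == iocs["c2_port"]:
            hits.append(("c2_connect", ev))
    return hits


# Constructed events mirroring what this report shows, plus the geoplugin.net connection,
# which is behaviour rather than a config-derived indicator and so must not match here.
SAMPLE_EVENTS = [
    {"type": "mutex_create", "name": "215154tgrvrt-TXLNA3"},
    {"type": "file_create", "path": r"C:\ProgramData\RuntimeBroker\smartscreen.dat"},
    {"type": "net_connect", "ip": "178.237.33.50", "port": 80},
    {"type": "net_connect", "ip": "5.34.178.128", "port": 8090},
]

if __name__ == "__main__":
    iocs = derive_iocs(REMCOS_CONFIG)
    for rule, ev in match_events(iocs, SAMPLE_EVENTS):
        print(f"{rule:12} {ev}")
```

Because keylog_crypt is true, a hit on the keylog path tells you the file is there but not what it contains; the 144-byte smartscreen.dat in the Downloads section below needs the family's own decryption before its content can be read.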

Signatures

  • Remcos
    Remcos is closed-source remote control and surveillance software.
  • Remcos family
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (5 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-05_493a5c9a1469cef994d69f1dd102e0da_avoslocker_luca-stealer_rhadamanthys.exe (depth 1, PID 772)
    "C:\Users\Admin\AppData\Local\Temp\2024-12-05_493a5c9a1469cef994d69f1dd102e0da_avoslocker_luca-stealer_rhadamanthys.exe"
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    • Child: C:\Users\Admin\AppData\Local\Temp\2024-12-05_493a5c9a1469cef994d69f1dd102e0da_avoslocker_luca-stealer_rhadamanthys.exe (depth 2, PID 4380)
      "C:\Users\Admin\AppData\Local\Temp\2024-12-05_493a5c9a1469cef994d69f1dd102e0da_avoslocker_luca-stealer_rhadamanthys.exe"
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx

Network

  • DNS (US) 28.118.140.52.in-addr.arpa via 8.8.8.8:53
    Request: 28.118.140.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US) 17.160.190.20.in-addr.arpa via 8.8.8.8:53
    Request: 17.160.190.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US) 95.221.229.192.in-addr.arpa via 8.8.8.8:53
    Request: 95.221.229.192.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US) 13.86.106.20.in-addr.arpa via 8.8.8.8:53
    Request: 13.86.106.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US) geoplugin.net via 8.8.8.8:53
    Process: 2024-12-05_493a5c9a1469cef994d69f1dd102e0da_avoslocker_luca-stealer_rhadamanthys.exe
    Request: geoplugin.net IN A
    Response: geoplugin.net IN A 178.237.33.50
  • HTTP GET (NL) http://geoplugin.net/json.gp, remote address 178.237.33.50:80
    Process: 2024-12-05_493a5c9a1469cef994d69f1dd102e0da_avoslocker_luca-stealer_rhadamanthys.exe
    Request:
      GET /json.gp HTTP/1.1
      Host: geoplugin.net
      Cache-Control: no-cache
    Response:
      HTTP/1.1 200 OK
      date: Thu, 05 Dec 2024 14:54:47 GMT
      server: Apache
      content-length: 956
      content-type: application/json; charset=utf-8
      cache-control: public, max-age=300
      access-control-allow-origin: *
  • DNS (US) 128.178.34.5.in-addr.arpa via 8.8.8.8:53
    Request: 128.178.34.5.in-addr.arpa IN PTR
    Response: 128.178.34.5.in-addr.arpa IN PTR toshiba183com
  • DNS (US) 50.33.237.178.in-addr.arpa via 8.8.8.8:53
    Request: 50.33.237.178.in-addr.arpa IN PTR
    Response: 50.33.237.178.in-addr.arpa IN CNAME 50.32/27.178.237.178.in-addr.arpa
  • DNS (US) 154.239.44.20.in-addr.arpa via 8.8.8.8:53
    Request: 154.239.44.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US) 200.163.202.172.in-addr.arpa via 8.8.8.8:53
    Request: 200.163.202.172.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US) 198.187.3.20.in-addr.arpa via 8.8.8.8:53
    Request: 198.187.3.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US) 92.12.20.2.in-addr.arpa via 8.8.8.8:53
    Request: 92.12.20.2.in-addr.arpa IN PTR
    Response: 92.12.20.2.in-addr.arpa IN PTR a2-20-12-92.deploy.static.akamaitechnologies.com
  • DNS (US) 134.130.81.91.in-addr.arpa via 8.8.8.8:53
    Request: 134.130.81.91.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US) 19.229.111.52.in-addr.arpa via 8.8.8.8:53
    Request: 19.229.111.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US) 172.210.232.199.in-addr.arpa via 8.8.8.8:53
    Request: 172.210.232.199.in-addr.arpa IN PTR
    Response: (empty)
Connection summary. Sent/Recv are bytes; Packets gives the two packet counts in the order the report lists them; "sample" is the submitted .exe named under General.

  Destination         Request                         Proto  Process  Sent   Recv   Packets
  5.34.178.128:8090   -                               tls    sample   3.6kB  1.5kB  13 / 15
  178.237.33.50:80    http://geoplugin.net/json.gp    http   sample   623 B  1.3kB  12 / 3
                      HTTP request: GET http://geoplugin.net/json.gp; HTTP response: 200
  8.8.8.8:53          28.118.140.52.in-addr.arpa      dns    -        72 B   158 B  1 / 1
  8.8.8.8:53          17.160.190.20.in-addr.arpa      dns    -        72 B   158 B  1 / 1
  8.8.8.8:53          95.221.229.192.in-addr.arpa     dns    -        73 B   144 B  1 / 1
  8.8.8.8:53          13.86.106.20.in-addr.arpa       dns    -        71 B   157 B  1 / 1
  8.8.8.8:53          geoplugin.net                   dns    sample   59 B   75 B   1 / 1
                      DNS response: 178.237.33.50
  8.8.8.8:53          128.178.34.5.in-addr.arpa       dns    -        71 B   99 B   1 / 1
  8.8.8.8:53          50.33.237.178.in-addr.arpa      dns    -        72 B   155 B  1 / 1
  8.8.8.8:53          154.239.44.20.in-addr.arpa      dns    -        72 B   158 B  1 / 1
  8.8.8.8:53          200.163.202.172.in-addr.arpa    dns    -        74 B   160 B  1 / 1
  8.8.8.8:53          198.187.3.20.in-addr.arpa       dns    -        71 B   157 B  1 / 1
  8.8.8.8:53          92.12.20.2.in-addr.arpa         dns    -        69 B   131 B  1 / 1
  8.8.8.8:53          134.130.81.91.in-addr.arpa      dns    -        72 B   147 B  1 / 1
  8.8.8.8:53          19.229.111.52.in-addr.arpa      dns    -        72 B   158 B  1 / 1
  8.8.8.8:53          172.210.232.199.in-addr.arpa    dns    -        74 B   128 B  1 / 1
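The network log above shows the sequence that characterises this sample: a DNS A query for geoplugin.net and an HTTP GET to /json.gp (the geolocation lookup behind the "System Location Discovery" signature), then TLS to 5.34.178.128:8090, an address that appears in no DNS answer because it comes straight from the extracted config. The in-addr.arpa PTR queries carry no process name on this page and are not attributed to the sample. The Python below is an added example (not Triage's code) that encodes that pattern as three rules over constructed flow records mirroring this report; the BROWSERS allow-list is an assumption about which processes legitimately contact geo-IP services.

```python
from urllib.parse import urlsplit

SAMPLE = "2024-12-05_493a5c9a1469cef994d69f1dd102e0da_avoslocker_luca-stealer_rhadamanthys.exe"

# geoplugin.net is the geolocation service the report shows the sample querying.
GEOIP_HOSTS = {"geoplugin.net"}
# Assumption: the only processes expected to contact geo-IP services on a workstation.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed flow records mirroring a subset of the report's network log, in the same order.
# PTR lookups carry no process name in the report, so they are recorded with process=None.
FLOWS = [
    {"proto": "dns", "dst": "8.8.8.8:53", "process": None,
     "query": "28.118.140.52.in-addr.arpa", "qtype": "PTR", "answers": []},
    {"proto": "dns", "dst": "8.8.8.8:53", "process": SAMPLE,
     "query": "geoplugin.net", "qtype": "A", "answers": ["178.237.33.50"]},
    {"proto": "http", "dst": "178.237.33.50:80", "process": SAMPLE,
     "url": "http://geoplugin.net/json.gp", "status": 200},
    {"proto": "dns", "dst": "8.8.8.8:53", "process": None,
     "query": "128.178.34.5.in-addr.arpa", "qtype": "PTR", "answers": ["toshiba183com"]},
    {"proto": "tls", "dst": "5.34.178.128:8090", "process": SAMPLE, "sent": 3600, "recv": 1500},
]


def split_dst(dst):
    ip, _, port = dst.rpartition(":")
    return ip, int(port)


def detect(flows):
    """Return alert dicts for the flow records. Rules:
    geoip_lookup       a non-browser process fetched a geo-IP service
    direct_ip_connect  TLS/TCP to an IP no A/AAAA answer in this log produced, and/or TLS off 443
    remcos_checkin     both of the above from the same process, the sequence this report shows
    """
    # IPs that some forward lookup returned. PTR answers are names, never destinations.
    resolved = set()
    for f in flows:
        if f["proto"] == "dns" and f["qtype"] in ("A", "AAAA"):
            resolved.update(f["answers"])

    alerts, geo_procs = [], set()
    for f in flows:
        if (f["proto"] == "http" and urlsplit(f["url"]).hostname in GEOIP_HOSTS
                and f["process"] not in BROWSERS):
            geo_procs.add(f["process"])
            alerts.append({"rule": "geoip_lookup", "process": f["process"],
                           "dst": f["dst"], "url": f["url"]})

    for f in flows:
        if f["proto"] not in ("tls", "tcp"):
            continue
        ip, port = split_dst(f["dst"])
        reasons = []
        if ip not in resolved:
            reasons.append("destination never returned by DNS")
        if f["proto"] == "tls" and port != 443:
            reasons.append(f"TLS on port {port}")
        if not reasons:
            continue
        alerts.append({"rule": "direct_ip_connect", "process": f["process"],
                       "dst": f["dst"], "reasons": reasons})
        if f["process"] in geo_procs:
            alerts.append({"rule": "remcos_checkin", "process": f["process"], "dst": f["dst"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(FLOWS):
        print(alert)
```

The geoplugin.net connection itself does not trigger the direct-IP rule because its address was returned by the preceding A query; only the config-sourced C2 socket does. Correlating the two on the same process is what lifts the verdict above a generic "unresolved destination" alert, which on its own fires on plenty of legitimate software.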

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\RuntimeBroker\smartscreen.dat
    Filesize: 144B
    MD5: 1a193997b5a4947089b3349ca7856d38
    SHA1: 1fd5fa14355df78944becad38057ab479c03a4d9
    SHA256: 7e1c1f8c60247609a9ea622b275dcd7de3b0e6ff23abacc12ebc4631ec9d4176
    SHA512: b1e4893e3399cc4c1461fdee6f51b75c8c4c636a207638a1a2ca9f98c105dcbad40937376462cc437e8b89cb5af202e7327fe56db701dc22e95357e854b7e411

  Memory dumps (PID-index-range), with filesize:
  • memory/772-0-0x0000000000400000-0x0000000000BB1000-memory.dmp    7.7MB
  • memory/772-1-0x00000000004DA000-0x00000000004F3000-memory.dmp    100KB
  • memory/772-2-0x0000000000400000-0x0000000000BB1000-memory.dmp    7.7MB
  • memory/772-3-0x0000000000400000-0x0000000000BB1000-memory.dmp    7.7MB
  • memory/772-5-0x0000000000400000-0x0000000000BB1000-memory.dmp    7.7MB
  • memory/772-7-0x0000000000400000-0x0000000000BB1000-memory.dmp    7.7MB
  • memory/772-8-0x0000000000400000-0x0000000000BB1000-memory.dmp    7.7MB
  • memory/772-24-0x00000000004DA000-0x00000000004F3000-memory.dmp   100KB
  • memory/4380-6-0x0000000000BC0000-0x0000000000C3F000-memory.dmp   508KB
  • memory/4380-9-0x0000000000BC0000-0x0000000000C3F000-memory.dmp   508KB
  • memory/4380-10-0x0000000000BC0000-0x0000000000C3F000-memory.dmp  508KB
  • memory/4380-11-0x0000000000BC0000-0x0000000000C3F000-memory.dmp  508KB
  • memory/4380-14-0x0000000000BC0000-0x0000000000C3F000-memory.dmp  508KB
  • memory/4380-15-0x0000000000BC0000-0x0000000000C3F000-memory.dmp  508KB
  • memory/4380-16-0x0000000000BC0000-0x0000000000C3F000-memory.dmp  508KB
  • memory/4380-17-0x0000000000BC0000-0x0000000000C3F000-memory.dmp  508KB
  • memory/4380-18-0x0000000000BC0000-0x0000000000C3F000-memory.dmp  508KB
  • memory/4380-21-0x0000000000400000-0x0000000000BB1000-memory.dmp  7.7MB
  • memory/4380-29-0x0000000000BC0000-0x0000000000C3F000-memory.dmp  508KB
  • memory/4380-30-0x0000000000BC0000-0x0000000000C3F000-memory.dmp  508KB
  • memory/4380-37-0x0000000000BC0000-0x0000000000C3F000-memory.dmp  508KB
  • memory/4380-45-0x0000000000BC0000-0x0000000000C3F000-memory.dmp  508KB
  • memory/4380-46-0x0000000000BC0000-0x0000000000C3F000-memory.dmp  508KB
  • memory/4380-53-0x0000000000BC0000-0x0000000000C3F000-memory.dmp  508KB
  • memory/4380-54-0x0000000000BC0000-0x0000000000C3F000-memory.dmp  508KB
