General

  • Target

    9e19fd2499e9ffb9ca4eab08d9054a86.exe

  • Size

    80.4MB

  • Sample

    241206-t2hwaawqgt

  • MD5

    9e19fd2499e9ffb9ca4eab08d9054a86

  • SHA1

    198946086afa2544e8f86463f15fa321aa45f7e0

  • SHA256

    7fedcec3a38dec8650ae2f64271b19c01372881ce83f1fe4597f85b26c4a0732

  • SHA512

    e4e9cefb633a191f9e562a1fcf4176121b31f69f1d528a3505f381584c5d6c9100982de28684307cfabac7461a173dfd6a12d5d685dffb449d60cba209053d4e

  • SSDEEP

    1572864:Vl2/ebAbW6FLl4oabh+XJhXhQiB1dJdYVkq7U4hmfixRR:VJ0bthlXOh01VJY+qw0ui3R

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

185.42.12.39:2404

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    jesusapt

  • mouse_option

    false

  • mutex

    JESUSAPT-7R4T5W

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      9e19fd2499e9ffb9ca4eab08d9054a86.exe

    • Size

      80.4MB

    • MD5

      9e19fd2499e9ffb9ca4eab08d9054a86

    • SHA1

      198946086afa2544e8f86463f15fa321aa45f7e0

    • SHA256

      7fedcec3a38dec8650ae2f64271b19c01372881ce83f1fe4597f85b26c4a0732

    • SHA512

      e4e9cefb633a191f9e562a1fcf4176121b31f69f1d528a3505f381584c5d6c9100982de28684307cfabac7461a173dfd6a12d5d685dffb449d60cba209053d4e

    • SSDEEP

      1572864:Vl2/ebAbW6FLl4oabh+XJhXhQiB1dJdYVkq7U4hmfixRR:VJ0bthlXOh01VJY+qw0ui3R

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Remcos family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates processes with tasklist

    • Sets desktop wallpaper using registry

    • Target

      $PLUGINSDIR/SpiderBanner.dll

    • Size

      9KB

    • MD5

      17309e33b596ba3a5693b4d3e85cf8d7

    • SHA1

      7d361836cf53df42021c7f2b148aec9458818c01

    • SHA256

      996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

    • SHA512

      1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

    • SSDEEP

      192:5lkE3uqRI1y7/xcfK4PRef6gQzJyY1rpKlVrw:5lkMBI1y7UKcef6XzJrpKY

    Score
    3/10
    • Target

      $PLUGINSDIR/StdUtils.dll

    • Size

      100KB

    • MD5

      c6a6e03f77c313b267498515488c5740

    • SHA1

      3d49fc2784b9450962ed6b82b46e9c3c957d7c15

    • SHA256

      b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

    • SHA512

      9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

    • SSDEEP

      3072:WNuZmJ9TDP3ahD2TF7Rq9cJNPhF9vyHf:WNuZ81zaAFHhF9v

    Score
    3/10
    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      0d7ad4f45dc6f5aa87f606d0331c6901

    • SHA1

      48df0911f0484cbe2a8cdd5362140b63c41ee457

    • SHA256

      3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

    • SHA512

      c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

    • SSDEEP

      192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6

    Score
    3/10
    • Target

      LICENSES.chromium.html

    • Size

      8.7MB

    • MD5

      6ff57c0aeccdf44c39c95dee9ecea805

    • SHA1

      c76669a1354067a1c3ddbc032e66c323286a8d43

    • SHA256

      0ba4c7b781e9f149195a23d3be0f704945f858a581871a9fedd353f12ce839ca

    • SHA512

      d6108e1d1d52aa3199ff051c7b951025dbf51c5cb18e8920304116dcef567367ed682245900fda3ad354c5d50aa5a3c4e6872570a839a3a55d3a9b7579bdfa24

    • SSDEEP

      24576:2o9dQ06p6j6j1WOwRiXjYmfy6k6mjK64jK6gjK6e6cjK6feGjl8PpE:BFOeGT

    Score
    3/10
    • Target

      NSIS.exe

    • Size

      180.1MB

    • MD5

      bd4906b9305afec35a88a3387bcb9fac

    • SHA1

      1d32e6f1c6ba770c3b2625d0241be0f2d4581b5d

    • SHA256

      a674229c90366a8300ad63c8ae675c2bc1c12307bccb00ae818dfa67c1955bf5

    • SHA512

      40966c176eaf9e025597599cb99532b3c36c3e72bcf991b95a450eb26f663b61a79933d741cce807e18c198239e3c49973189e9eb2cdbaf4b29115a6c25ff09a

    • SSDEEP

      1572864:1wl41lgY+w9QLv1JWYc6UeOtUUGQUT1jdu4BPPuuwT2GOqiB1sr7zjg7ob753oUV:rF4oD0QdG09P

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Remcos family

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Sets desktop wallpaper using registry

    • Target

      d3dcompiler_47.dll

    • Size

      4.7MB

    • MD5

      a7b7470c347f84365ffe1b2072b4f95c

    • SHA1

      57a96f6fb326ba65b7f7016242132b3f9464c7a3

    • SHA256

      af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a

    • SHA512

      83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

    • SSDEEP

      49152:hCZnRO4XyM53Rkq4ypQqdoRpmruVNYvkaRwvdiD0N+YEzI4og/RfzHLeHTRhFRN1:oG2QCwmHjnog/pzHAo/Ayc

    Score
    1/10
    • Target

      ffmpeg.dll

    • Size

      2.8MB

    • MD5

      5a168cb3ea9d0e7400baabf60f6ab933

    • SHA1

      82a86cb7f42294ab4ad6669c19b92605d960b676

    • SHA256

      af5f1bc9f6a73750fa0c7bf17439700cfb3ab23e1393f0c9899825417e319b54

    • SHA512

      7c1441ecd049543e38297a7b6929e9f3eb978422d0ce508fbe6350ffebd297f947b8d9ec75bd2054142dcd8461eef1bf110e040d0830da977fde8944bece843d

    • SSDEEP

      49152:ZBAnytEwrZu/3Q8rvnh2UGH6qfhtvRIdefZiC6Cry2:ZBFE6kfbrvnh21K+io

    Score
    1/10
    • Target

      libEGL.dll

    • Size

      481KB

    • MD5

      39ccf402a62f068a8c573b45ea96154d

    • SHA1

      57ceb915ea6f88c7fcca35339bf951659c0338ab

    • SHA256

      8649d77ace8e5753b9a10e7ae3349aafa9d8e3406ba9c8c36a59633a84b3c41b

    • SHA512

      c4f9225c54d413176cb3dd2b26d429493fd056c7c283bc7a1c52b4a2059dbb11380daf5d847be1ff29f058ba0ef44d4bf66a3d9e9a600000dc8f6d20dfb2ed03

    • SSDEEP

      6144:0PfRujpqWG9btH+M1wLPfj9iDcHetGsHUN0dxI2H6sNkD4Fvh2W:eAWt+MWLPfjkVGbN0dxI2H63D4Bh2

    Score
    1/10
    • Target

      libGLESv2.dll

    • Size

      8.0MB

    • MD5

      f055a130c79bd517bdb53b1f8a38bd3b

    • SHA1

      9fba0ad4ba973bb285b23cc125004baf61a98b5a

    • SHA256

      45b53759392b81ce7d916b3f1cf02be30289809bd31d09fc1524ef2609183b17

    • SHA512

      d9dcb217f268862c577cacf4e9f84c63e02b647113d484338a74eb0b24fadd6d87b4e7a551dd1ef692bb38e44562bff848982acb62840d4f49f91a7751320e34

    • SSDEEP

      98304:Q7XpFwEPVsR+1HYJnahAB4tVsX43wYMg:QXVrAtsw

    Score
    1/10
    • Target

      resources/elevate.exe

    • Size

      105KB

    • MD5

      792b92c8ad13c46f27c7ced0810694df

    • SHA1

      d8d449b92de20a57df722df46435ba4553ecc802

    • SHA256

      9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37

    • SHA512

      6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

    • SSDEEP

      3072:1bLnrwQoRDtdMMgSXiFJWcIgUVCfRjV/GrWl:1PrwRhte1XsE1l

    Score
    3/10
    • Target

      vk_swiftshader.dll

    • Size

      5.3MB

    • MD5

      6720d5dcda6737eb0cc5a352a47414dc

    • SHA1

      03d9a8e350f485dd955f7dee06bfc46371753032

    • SHA256

      d8f36b089d83157abc271d9fe125919c3237943fa9789a511ac5ef1d41e2e3af

    • SHA512

      de5ade6ce14b14957fce669c4181af1e6a6f540798d1c6720b56ff281f813a6ce4446bde33a8f175d2484e07f4911f93a773cac1d372cbe3b26be634b3fa1686

    • SSDEEP

      49152:zBVtMrKyOsxYYAKDsJS86IxORjgUlC3K/FAz4gdm6o4oX7uh5LC6MW4LY67h772c:jWKyOEnOnoLrWbfDiN9isC

    Score
    1/10
    • Target

      vulkan-1.dll

    • Size

      874KB

    • MD5

      b6d3af84e8be0027741aa6077768789e

    • SHA1

      e525f2434dc56f79644695f5841e91dd5f80eec4

    • SHA256

      376ff6892ec7b406acd8c455ac82f8541e59e3757195488ff04cd9f20d554562

    • SHA512

      f03b8792a740679c8a1a8ce0615b7876cc811130085f3ffb42182e0cb846519603804da97fc93a8abebee01e03fd257df289c54575da8faaad018f4f4bae606a

    • SSDEEP

      24576:FhJnfYUcguY3cTAL6Z5WjDYsHy6g3P0zAk7TNb:FhVrXN3oAL6Z5WjDYsHy6g3P0zAk7T

    Score
    1/10
    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      ec0504e6b8a11d5aad43b296beeb84b2

    • SHA1

      91b5ce085130c8c7194d66b2439ec9e1c206497c

    • SHA256

      5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

    • SHA512

      3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

    • SSDEEP

      96:YjHFiKaoggCtJzTlKXb0tbo68qD853Ns7GgmkNq3m+s:JbogRtJzTlNR8qD85uGgmkNr

    Score
    3/10
    • Target

      $PLUGINSDIR/nsis7z.dll

    • Size

      424KB

    • MD5

      80e44ce4895304c6a3a831310fbf8cd0

    • SHA1

      36bd49ae21c460be5753a904b4501f1abca53508

    • SHA256

      b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

    • SHA512

      c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

    • SSDEEP

      6144:aUWQQ5O3fz0NG3ucDaEUTWfk+ZA0NrCL/k+uyoyBOX1okfW7w+Pfzqibckl:an5QEG39fPAkrE4yrBOXDfaNbck

    Score
    3/10
    • Target

      $R0/Uninstall NSIS.exe

    • Size

      296KB

    • MD5

      9a606f191ba036a232b5d09aead537c4

    • SHA1

      f4bded6b73c3cb67e20cc2480c681bd67e03d29a

    • SHA256

      0898c038d2c97ec8646ab4cfd783d7c46e2ec2774375065b5c75bf3d702517fb

    • SHA512

      ed1d039b7e8a0b76872caa1edc52ffe9dcb0c697e2e249a7c52072c1dd626e48ba5fd3c16c2156af145729f2dd39836c12678e76bd78623ecba5a8982451a1b6

    • SSDEEP

      3072:Nn77v00hEoDEtauPnig6AbTXFif6lxCHaH2tvhOEA1RJCir86SrSrv6Ia3W:N740I/ig9XFifyes2t0EyL+yaG

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates processes with tasklist

    • Target

      $PLUGINSDIR/StdUtils.dll

    • Size

      100KB

    • MD5

      c6a6e03f77c313b267498515488c5740

    • SHA1

      3d49fc2784b9450962ed6b82b46e9c3c957d7c15

    • SHA256

      b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

    • SHA512

      9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

    • SSDEEP

      3072:WNuZmJ9TDP3ahD2TF7Rq9cJNPhF9vyHf:WNuZ81zaAFHhF9v

    Score
    3/10
    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      0d7ad4f45dc6f5aa87f606d0331c6901

    • SHA1

      48df0911f0484cbe2a8cdd5362140b63c41ee457

    • SHA256

      3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

    • SHA512

      c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

    • SSDEEP

      192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6

    Score
    3/10
    • Target

      $PLUGINSDIR/WinShell.dll

    • Size

      3KB

    • MD5

      1cc7c37b7e0c8cd8bf04b6cc283e1e56

    • SHA1

      0b9519763be6625bd5abce175dcc59c96d100d4c

    • SHA256

      9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

    • SHA512

      7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

    Score
    3/10
    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      ec0504e6b8a11d5aad43b296beeb84b2

    • SHA1

      91b5ce085130c8c7194d66b2439ec9e1c206497c

    • SHA256

      5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

    • SHA512

      3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

    • SSDEEP

      96:YjHFiKaoggCtJzTlKXb0tbo68qD853Ns7GgmkNq3m+s:JbogRtJzTlNR8qD85uGgmkNr

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

discovery
Score
7/10

behavioral2

remcos remotehost discovery execution ransomware rat
Score
10/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

discovery
Score
3/10

behavioral6

discovery
Score
3/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
3/10

behavioral9

discovery
Score
3/10

behavioral10

discovery
Score
3/10

behavioral11

remcos remotehost discovery execution ransomware rat
Score
10/10

behavioral12

Score
1/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

discovery
Score
3/10

behavioral17

discovery
Score
3/10

behavioral18

Score
1/10

behavioral19

Score
1/10

behavioral20

discovery
Score
3/10

behavioral21

discovery
Score
3/10

behavioral22

discovery
Score
3/10

behavioral23

discovery
Score
3/10

behavioral24

discovery
Score
7/10

behavioral25

discovery
Score
7/10

behavioral26

discovery
Score
3/10

behavioral27

discovery
Score
3/10

behavioral28

discovery
Score
3/10

behavioral29

discovery
Score
3/10

behavioral30

discovery
Score
3/10

behavioral31

discovery
Score
3/10

behavioral32

discovery
Score
3/10