#remcos_160824

#IOC #OptiData #VR #remcos #RAT #AutoIt #PWD

https://pastebin.com/AkHsxz6R

previous_contact:
13/08/24    https://pastebin.com/VDVp6hSi
19/01/24    https://pastebin.com/EvXHfZUB
18/01/24    https://pastebin.com/FL2fX362
25/12/23    https://pastebin.com/D535PVm3
21/12/23    https://pastebin.com/samYnJq6
30/11/23    https://pastebin.com/aG6XyqHN
13/11/23    https://pastebin.com/tbRpiGG5
06/02/23    https://pastebin.com/kjv5E8Au

FAQ:
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

attack_vector
--------------
email attach or bitbucket .org /privatbank /obmen /downloads > .7z > .rar (multi) > .rar (pwd) > .exe > .cmd > .pif > C2

# # # # # # # #
email_headers
# # # # # # # #
Date: Fri, 16 Aug 2024 13:08:42 +0300
From: Беляев Вольдемар Альвианович <finmons@ privatbank _ua>
Subject: Запит інформації № 0638543 вiд: 16.08.2024
Reply-To: "public@ cip _gov _ua" <public@ cip _gov _ua>
Received: from linux -hosting66 _rdsweb _ro ([84 _232 _181 _66])
Received: from [193 _33 _153 _89] (port=59597 helo=193 _33 _153 _89)

# # # # # # # #
files
# # # # # # # #
SHA-256		    c71463ac4fb8dd985b249b61e54888137bea84dab7c202546e230eb450fc0969
File name	    Електронні акт №094584 Приватбанк24.exe
File size	    1.53 MB (1602827 bytes)

SHA-256		    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
File name	    Aids.pif
File size	    872.66 KB (893608 bytes)

# # # # # # # #
activity
# # # # # # # #

PL_SCR          email attach or bitbucket .org /privatbank /obmen /downloads


C2              111 _90 _147 _110

netwrk
--------------
111 _90 _147 _110		                81	TLSv1.3	Client Hello
178 _237 _33 _50	    geoplugin _net	80	HTTP	GET /json.gp HTTP/1.1

comp
--------------
Aids.pif    111 _90 _147 _110    443

proc
--------------
C:\Users\User01\Downloads\files1608\4_Електронні акт №094584 Приватбанк24.exe
	"C:\Windows\System32\cmd.exe" /k move Nearest Nearest.cmd & Nearest.cmd & exit
		C:\Windows\SysWOW64\tasklist.exe
		C:\Windows\SysWOW64\findstr.exe /I "wrsa.exe opssvc.exe"
		C:\Windows\SysWOW64\tasklist.exe
		C:\Windows\SysWOW64\findstr.exe /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
		C:\Windows\SysWOW64\cmd.exe  /c md 559861
		C:\Windows\SysWOW64\findstr.exe /V "highwaysoptimalrebeccascope" Reliable
		C:\Windows\SysWOW64\cmd.exe /c copy /b ..\Shadow + ..\Finnish + ..\Ambien + ..\Reached + ..\Dana + ..\Worth + ..\Access + ..\Vocals + ..\Clocks + ..\Aluminium + ..\Tries + ..\Calm + ..\Unlike s
		C:\Users\User01\AppData\Local\Temp\559861\Aids.pif
			C:\Users\User01\AppData\Local\Temp\559861\Aids.pif /stext "C:\Users\User01\AppData\Local\Temp\vbfesgbxk"
			C:\Users\User01\AppData\Local\Temp\559861\Aids.pif /stext "C:\Users\User01\AppData\Local\Temp\fdkotymqynfly"
			C:\Users\User01\AppData\Local\Temp\559861\Aids.pif /stext "C:\Users\User01\AppData\Local\Temp\ixphurxsuvxqifwq"
		C:\Windows\SysWOW64\choice.exe  /d y /t 5

persist
--------------
C:\Users\User01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoGiraffe.url	Sat Aug 17 14:59:25 2024

drop
--------------
C:\Users\User01\AppData\Local\Temp\Calm
C:\Users\User01\AppData\Local\Temp\Clocks
C:\Users\User01\AppData\Local\Temp\Dana
C:\Users\User01\AppData\Local\Temp\Finnish
C:\Users\User01\AppData\Local\Temp\Fix
C:\Users\User01\AppData\Local\Temp\Nearest.cmd
C:\Users\User01\AppData\Local\Temp\Reached
C:\Users\User01\AppData\Local\Temp\Reliable
C:\Users\User01\AppData\Local\Temp\Shadow
C:\Users\User01\AppData\Local\Temp\Tries
C:\Users\User01\AppData\Local\Temp\Unlike
C:\Users\User01\AppData\Local\Temp\Vocals
C:\Users\User01\AppData\Local\Temp\Worth
C:\Users\User01\AppData\Local\Temp\559861\Aids.pif

# # # # # # # #
additional info
# # # # # # # #
n/a

# # # # # # # #
VT & Intezer
# # # # # # # #
https://www.virustotal.com/gui/file/c71463ac4fb8dd985b249b61e54888137bea84dab7c202546e230eb450fc0969/details
https://www.virustotal.com/gui/file/237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d/details

VR