VRad

#remcos_060924

Sep 6th, 2024
#IOC #OptiData #VR #remcos #RAT #stego #pngbase64 #PowerShell #RegAsm

https://pastebin.com/

previous_contact:
02/09/24 https://pastebin.com/j1ZGJxxU
22/08/24 https://pastebin.com/VmpVnz6b
16/08/24 https://pastebin.com/AkHsxz6R
13/08/24 https://pastebin.com/VDVp6hSi
19/01/24 https://pastebin.com/EvXHfZUB
18/01/24 https://pastebin.com/FL2fX362


FAQ:
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

attack_vector
--------------
email attach .rar > .vbs > wscript > powershell > get bitbucket .jpg & .txt > RegAsm.exe > C2


# # # # # # # #
email_headers
# # # # # # # #
Date: Fri, 6 Sep 2024 12:37:06 +0200
From: Господарський суд Одеської області <tsato @scl _kyoto-u _ac _jp>
Subject: Господарський суд Одеської області -позовна заява
Reply-To: Господарський суд Одеської області <inbox @od _arbitr _gov _ua>
Received: from icrsun _kuicr _kyoto-u _ac _jp (HELO pfdsunb _scl _genome _ad _jp) ([133 _3 _5 _20])
Received: from wms _scl _genome _ad _jp (wms _scl _genome _ad _jp [133 _103 _200 _205])
Received: from gmail _com (unknown [94 _228 _169 _30])
Message-Id: < 20240906104509 _A1F353003F065 @wms _scl _genome _ad _jp >

# # # # # # # #
files
# # # # # # # #
SHA-256 84dab25530ba75d9610b9b7e7f8665ba066679cb1e433d7657f9b0577e37717d
File name scan_documet_027839.rar
File size 6.78 KB (6938 bytes)

SHA-256 cb6c92921e3bc58250684d6bd5dda9b92d22917f2d5e7b137c9694907309e986
File name scan_documet_027839.vbs
File size 14.46 KB (14810 bytes)

SHA-256 700a9a6eb11bbae7ef16e727c44913861a12510c5a4b8450ce6c33f616cf1df5
File name img_test.jpg
File size 757.03 KB (775197 bytes)

SHA-256 02be347bd34ba0a7ad2c5e50d1f74e88e0222eaa96ae3255c2eaa7e162c48d88
File name img_test_2.jpg
File size 2.46 MB (2578503 bytes)

SHA-256 03fc22f699ba6ce9fa37f68c96fc35b6b6f8bdc7c55944977653fe2de6e1adad
File name one.txt
File size 683.92 KB (700332 bytes)

# # # # # # # #
activity
# # # # # # # #

PL_SCR bitbucket .org/ sharedua/ ua/ downloads/ scan_documet_027839.rar [decoy]
bitbucket .org/ shieldadas/ gsdghjj/ downloads/ img_test.jpg?1181173 [loader]
raw .githubusercontent .com/ santomalo/ audit/ main/ img_test.jpg?14441723 [loader]
bitbucket .org/ sdgw/ sdge/ downloads/ one.txt [payload]

C2 111_ 90 _147 _146


netwrk
--------------
185_166 _143 _48 bitbucket .org 443 TLSv1.2 Client Hello
54 _231 _138 _113 bbuseruploads .s3 .amazonaws .com 443 TLSv1.2 Client Hello
111_ 90 _147 _146 2404 TCP 50770 → 2404 [SYN]
178 _237 _33 _50 geoplugin .net 80 HTTP GET /json .gp HTTP/1.1

comp
--------------
powershell.exe 185_166 _143 _48
powershell.exe 54 _231 _138 _113
RegAsm.exe 111_ 90 _147 _146
RegAsm.exe 178 _237 _33 _50

proc
--------------
"C:\Windows\System32\WScript.exe" "C:\Users\User01\Desktop\scan_documet_027839.vbs"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = . . .
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\User01\AppData\Local\Temp\qowqdmaqzvnnqivjzuponmbakptr"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\User01\AppData\Local\Temp\aijaeelrnefaswrnieciqrwrtdlsoqh"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\User01\AppData\Local\Temp\aijaeelrnefaswrnieciqrwrtdlsoqh"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\User01\AppData\Local\Temp\dkot"
"C:\Windows\System32\WScript.exe" "C:\Users\User01\AppData\Local\Temp\kvrhhlvbnsrhcjapt.vbs"

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Fri Sep 6 15:43:28 2024
My Program Windows PowerShell (Verified) Microsoft Windows C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe Mon Dec 4 08:21:56 2023
powershell.exe Invoke-Expression 'C:\Users\User01\AppData\Local\Temp\svchost.vbs'

drop
--------------
%temp%\svchost.vbs
%temp%\kvrhhlvbnsrhcjapt.vbs
C:\ProgramData\remcos\logs.dat

# # # # # # # #
additional info
# # # # # # # #
botnet one_host
mutex hdeshtrhj-38D4FR

# # # # # # # #
VT & Intezer
# # # # # # # #
https://www.virustotal.com/gui/file/84dab25530ba75d9610b9b7e7f8665ba066679cb1e433d7657f9b0577e37717d/details
https://www.virustotal.com/gui/file/cb6c92921e3bc58250684d6bd5dda9b92d22917f2d5e7b137c9694907309e986/details
https://www.virustotal.com/gui/file/700a9a6eb11bbae7ef16e727c44913861a12510c5a4b8450ce6c33f616cf1df5/details
https://www.virustotal.com/gui/file/02be347bd34ba0a7ad2c5e50d1f74e88e0222eaa96ae3255c2eaa7e162c48d88/details
https://www.virustotal.com/gui/file/03fc22f699ba6ce9fa37f68c96fc35b6b6f8bdc7c55944977653fe2de6e1adad/details

VR