- #IOC #OptiData #VR #remcos #RAT #RAR #PWD #Autoit #WSH
- https://pastebin.com/D535PVm3
- previous_contact:
- 21/12/23 https://pastebin.com/samYnJq6
- 30/11/23 https://pastebin.com/aG6XyqHN
- 13/11/23 https://pastebin.com/tbRpiGG5
- 06/02/23 https://pastebin.com/kjv5E8Au
- FAQ:
- https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
- attack_vector
- --------------
- email > att1 .RAR > (att2 + att3 + att4) .RAR (pwd) > .exe > Trail.pif > 77_105_132_124 + 101_99_75_16 > fingerprint & exfil
- # # # # # # # #
- email_headers
- # # # # # # # #
- Date: Mon, 25 Dec 2023 06:32:08 +0300
- From: Господарський суд Одеської області <reading@tanisklep.co.uk>
- Subject: Позовна заява номер: 815997 від: 25.12.2023
- Received: from relay-bulk1.stackmail.com ([185_151_28_78])
- Received: from [10_4_13_36] (helo=smtp2.lhr.stackcp.net)
- Received: from [79_137_196_215] (helo=WIN-LCETV91VPS6) (Exim 4.96)
- Reply-To: <inbox@od.arbitr.gov.ua>
- Message-Id: <E1rHbhI-00015t-36@smtp2.lhr.stackcp.net>
- # # # # # # # #
- files
- # # # # # # # #
- SHA-256 f8467854bd660e06f5cc84add2393f383a0ba392ead7b5259ffe541966f3dec6
- File name Електронна позовна вимога.rar [ RAR archive data, v5 ]
- File size 1.50 MB (1573141 bytes)
- SHA-256 fa6b91fbb44a2d297648f697ef006ab1f6692cd05c35159b17bea47036e43775
- File name Електронна позовна вимога.part1.rar [ RAR archive data, v5 ] !PWD
- File size 624.00 KB (638976 bytes)
- SHA-256 3d5e02b68324d032f88bf01058d9081b1d4a3e76bec37691e369f66ad0d8d44c
- File name Електронна позовна вимога.part2.rar [ RAR archive data, v5 ] !PWD
- File size 624.00 KB (638976 bytes)
- SHA-256 54d67baa08c39a917678d44284d90554f752e4c2eaf164708ff42438835d3d03
- File name Електронна позовна вимога.part3.rar [ RAR archive data, v5 ] !PWD
- File size 286.90 KB (293790 bytes)
- SHA-256 3830e8249b95e86065288cb7a00ee9139d9e2fd918ff9c7e427e8684c1481579
- File name Електронна позовна вимога.exe [ PE32 executable ] ! UPX
- File size 1.52 MB (1591664 bytes)
- SHA-256 49f726559690aee6d88cfb1e775bbcbb53686d5655cb127f334e2bd51e596a54
- File name AutoIt3.exe [ PE32 executable ] ! Autoit v3
- File size 915.00 KB (936960 bytes)
- SHA-256 4a43882dff1b9fa72c5a5ff19d35584d83c59fda32a910544ca5543000a87d02
- File name GuardSync.exe [ PE32 executable ] ! Inno Setup installer
- File size 2.66 MB (2791280 bytes)
- SHA-256 f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
- File name Trail.pif [ PE32 executable ] ! Autoit v3
- File size 924.59 KB (946784 bytes)
- SHA-256 825d577161eb5be9268f0974987f2f9433cef89540bf28b8245607b573d54aa0
- File name A (e) [ JavaScript ] ! remcos payload
- File size 996.95 KB (1020873 bytes)
- # # # # # # # #
- activity
- # # # # # # # #
- PL_SCR email_attach
- C2 77_105_132_124 : 2404
- 77_105_132_124 : 80
- 77_105_132_124 : 8080
- 101_99_75_16 : 80
- netwrk
- --------------
- 77_105_132_124 2404 TCP 49200 → 2404 [SYN]
- 77_105_132_124 80 TCP 49201 → 80 [SYN]
- 77_105_132_124 8080 TCP 49202 → 8080 [SYN]
- 77_105_132_124 81 TCP 49203 → 81 [SYN]
- 101_99_75_16 80 TCP 49204 → 80 [SYN]
- comp
- --------------
- Trail.pif 1720 77_105_132_124 2404 ESTABLISHED
- Trail.pif 1720 77_105_132_124 80 ESTABLISHED
- Trail.pif 1720 77_105_132_124 8080 ESTABLISHED
- Trail.pif 1720 77_105_132_124 81 ESTABLISHED
- Trail.pif 1720 101_99_75_16 80 ESTABLISHED
- proc
- --------------
- C:\Users\operator\Desktop\Електронна позовна вимога.exe
- C:\Windows\SysWOW64\cmd.exe cmd /k cmd < Internship & exit
- C:\Windows\SysWOW64\cmd.exe
- C:\Windows\SysWOW64\tasklist.exe
- C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
- C:\Windows\SysWOW64\tasklist.exe
- C:\Windows\SysWOW64\findstr.exe /I "wrsa.exe"
- C:\Windows\SysWOW64\cmd.exe /c mkdir 10087
- C:\Windows\SysWOW64\cmd.exe /c copy /b Barely + Refinance + Presence + Ii + Pencil + Archive 10087\Trail.pif
- C:\Windows\SysWOW64\cmd.exe /c copy /b Karaoke + Jessica + Relates 10087\A
- C:\TEMP\19235\10087\Trail.pif 10087\Trail.pif 10087\A
- C:\Windows\SysWOW64\dxdiag.exe /t C:\TEMP\sysinfo.txt
- C:\Windows\SysWOW64\PING.EXE -n 5 localhost
- C:\Windows\SysWOW64\cmd.exe /k echo [InternetShortcut] > "C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardSync.url" & echo URL="C:\Users\operator\AppData\Local\GuardSync Dynamics\GuardSync.js" >> "C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardSync.url" & exit
- C:\Windows\SysWOW64\cmd.exe /c schtasks.exe /create /tn "Extensions" /tr "wscript 'C:\Users\operator\AppData\Local\GuardSync Dynamics\GuardSync.js'" /sc minute /mo 3 /F
- C:\Windows\SysWOW64\schtasks.exe /create /tn "Extensions" /tr "wscript 'C:\Users\operator\AppData\Local\GuardSync Dynamics\GuardSync.js'" /sc minute /mo 3 /F
- {other context}
- C:\Windows\system32\taskeng.exe taskeng.exe {129FADE1-4375-4B9E-B29D-16DF8D3E8F24} S-1-5-21-136527031-2493574210-1221074019-1000:PD07MIL\private:Interactive:[1]
- C:\Windows\system32\wscript.EXE "C:\Users\operator\AppData\Local\GuardSync Dynamics\GuardSync.js"
- C:\Users\operator\AppData\Local\GuardSync Dynamics\GuardSync.pif "C:\Users\operator\AppData\Local\GuardSync Dynamics\e"
- persist
- --------------
- #1_startup_folder
- GuardSync.url c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\guardsync.url 25.12.2023 19:47
- #2_task
- \Extensions c:\users\operator\appdata\local\guardsync dynamics\guardsync.js 25.12.2023 19:47
- drop
- --------------
- %temp%\19235\10087\Trail.pif
- C:\Users\*\AppData\Local\GuardSync Dynamics\GuardSync.js
- C:\Users\*\AppData\Local\GuardSync Dynamics\GuardSync.pif
- C:\Users\*\AppData\Local\GuardSync Dynamics\e
- # # # # # # # #
- additional info
- # # # # # # # #
- malware_config
- {
- "Version": "4.9.3 Pro",
- "Host:Port:Password": "77_105_132_124 : 2404",
- "Assigned name": "host1",
- "Connect interval": "1",
- "Install flag": "Disable",
- "Setup HKCU\\Run": "Enable",
- "Setup HKLM\\Run": "Enable",
- "Install path": "Application path",
- "Copy file": "remcos.exe",
- "Startup value": "Disable",
- "Hide file": "Disable",
- "Mutex": "tmdv-QRS916",
- "Keylog flag": "0",
- "Keylog path": "Application path",
- "Keylog file": "logs.dat",
- "Keylog crypt": "Disable",
- "Hide keylog file": "Disable",
- "Screenshot flag": "Disable",
- "Screenshot time": "10",
- "Take Screenshot option": "Disable",
- "Take screenshot title": "",
- "Take screenshot time": "5",
- "Screenshot path": "AppData",
- "Screenshot file": "Screenshots",
- "Screenshot crypt": "Disable",
- "Mouse option": "Disable",
- "Delete file": "Disable",
- "Audio record time": "5"
- }
- # # # # # # # #
- VT & Intezer
- # # # # # # # #
- https://www.virustotal.com/gui/file/f8467854bd660e06f5cc84add2393f383a0ba392ead7b5259ffe541966f3dec6/details
- https://www.virustotal.com/gui/file/fa6b91fbb44a2d297648f697ef006ab1f6692cd05c35159b17bea47036e43775/details
- https://www.virustotal.com/gui/file/3d5e02b68324d032f88bf01058d9081b1d4a3e76bec37691e369f66ad0d8d44c/details
- https://www.virustotal.com/gui/file/54d67baa08c39a917678d44284d90554f752e4c2eaf164708ff42438835d3d03/details
- https://www.virustotal.com/gui/file/3830e8249b95e86065288cb7a00ee9139d9e2fd918ff9c7e427e8684c1481579/details
- https://www.virustotal.com/gui/file/49f726559690aee6d88cfb1e775bbcbb53686d5655cb127f334e2bd51e596a54/details
- https://www.virustotal.com/gui/file/4a43882dff1b9fa72c5a5ff19d35584d83c59fda32a910544ca5543000a87d02/details
- https://www.virustotal.com/gui/file/f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3/details
- https://www.virustotal.com/gui/file/825d577161eb5be9268f0974987f2f9433cef89540bf28b8245607b573d54aa0/details
- VR