VRad

#remcos_251223

Dec 25th, 2023 (edited)
  1. #IOC #OptiData #VR #remcos #RAT #RAR #PWD #Autoit #WSH
  2.  
  3. https://pastebin.com/D535PVm3
  4.  
  5. previous_contact:
  6. 21/12/23 https://pastebin.com/samYnJq6
  7. 30/11/23 https://pastebin.com/aG6XyqHN
  8. 13/11/23 https://pastebin.com/tbRpiGG5
  9. 06/02/23 https://pastebin.com/kjv5E8Au
  10.  
  11. FAQ:
  12. https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
  13.  
  14.  
  15. attack_vector
  16. --------------
  17. email > att1 .RAR > (att2 + att3 + att4) .RAR (pwd) > .exe > Trail.pif > 77_105_132_124 + 101_99_75_16 > fingerprint & exfil
  18.  
  19.  
  20. # # # # # # # #
  21. email_headers
  22. # # # # # # # #
  23. Date: Mon, 25 Dec 2023 06:32:08 +0300
  24. From: Господарський суд Одеської області <reading@tanisklep.co.uk>
  25. Subject: Позовна заява номер: 815997 від: 25.12.2023
  26. Received: from relay-bulk1.stackmail.com ([185_151_28_78])
  27. Received: from [10_4_13_36] (helo=smtp2.lhr.stackcp.net)
  28. Received: from [79_137_196_215] (helo=WIN-LCETV91VPS6) (Exim 4.96)
  29. Reply-To: <inbox@od.arbitr.gov.ua>
  30. Message-Id: <E1rHbhI-00015t-36@smtp2.lhr.stackcp.net>
  31.  
  32.  
  33. # # # # # # # #
  34. files
  35. # # # # # # # #
  36.  
  37. SHA-256 f8467854bd660e06f5cc84add2393f383a0ba392ead7b5259ffe541966f3dec6
  38. File name Електронна позовна вимога.rar [ RAR archive data, v5 ]
  39. File size 1.50 MB (1573141 bytes)
  40.  
  41. SHA-256 fa6b91fbb44a2d297648f697ef006ab1f6692cd05c35159b17bea47036e43775
  42. File name Електронна позовна вимога.part1.rar [ RAR archive data, v5 ] !PWD
  43. File size 624.00 KB (638976 bytes)
  44.  
  45. SHA-256 3d5e02b68324d032f88bf01058d9081b1d4a3e76bec37691e369f66ad0d8d44c
  46. File name Електронна позовна вимога.part2.rar [ RAR archive data, v5 ] !PWD
  47. File size 624.00 KB (638976 bytes)
  48.  
  49. SHA-256 54d67baa08c39a917678d44284d90554f752e4c2eaf164708ff42438835d3d03
  50. File name Електронна позовна вимога.part3.rar [ RAR archive data, v5 ] !PWD
  51. File size 286.90 KB (293790 bytes)
  52.  
  53. SHA-256 3830e8249b95e86065288cb7a00ee9139d9e2fd918ff9c7e427e8684c1481579
  54. File name Електронна позовна вимога.exe [ PE32 executable ] ! UPX
  55. File size 1.52 MB (1591664 bytes)
  56.  
  57. SHA-256 49f726559690aee6d88cfb1e775bbcbb53686d5655cb127f334e2bd51e596a54
  58. File name AutoIt3.exe [ PE32 executable ] ! Autoit v3
  59. File size 915.00 KB (936960 bytes)
  60.  
  61. SHA-256 4a43882dff1b9fa72c5a5ff19d35584d83c59fda32a910544ca5543000a87d02
  62. File name GuardSync.exe [ PE32 executable ] ! Inno Setup installer
  63. File size 2.66 MB (2791280 bytes)
  64.  
  65. SHA-256 f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
  66. File name Trail.pif [ PE32 executable ] ! Autoit v3
  67. File size 924.59 KB (946784 bytes)
  68.  
  69. SHA-256 825d577161eb5be9268f0974987f2f9433cef89540bf28b8245607b573d54aa0
  70. File name A (e) [ JavaScript ] ! remcos payload
  71. File size 996.95 KB (1020873 bytes)
  72.  
  73.  
  74. # # # # # # # #
  75. activity
  76. # # # # # # # #
  77.  
  78. PL_SCR email_attach
  79.  
  80.  
  81. C2 77_105_132_124 : 2404
  82. 77_105_132_124 : 80
  83. 77_105_132_124 : 8080
  84. 101_99_75_16 : 80
  85.  
  86.  
  87. netwrk
  88. --------------
  89. 77_105_132_124 2404 TCP 49200 → 2404 [SYN]
  90. 77_105_132_124 80 TCP 49201 → 80 [SYN]
  91. 77_105_132_124 8080 TCP 49202 → 8080 [SYN]
  92. 77_105_132_124 81 TCP 49203 → 81 [SYN]
  93. 101_99_75_16 80 TCP 49204 → 80 [SYN]
  94.  
  95.  
  96.  
  97. comp
  98. --------------
  99. Trail.pif 1720 77_105_132_124 2404 ESTABLISHED
  100. Trail.pif 1720 77_105_132_124 80 ESTABLISHED
  101. Trail.pif 1720 77_105_132_124 8080 ESTABLISHED
  102. Trail.pif 1720 77_105_132_124 81 ESTABLISHED
  103. Trail.pif 1720 101_99_75_16 80 ESTABLISHED
  104.  
  105.  
  106. proc
  107. --------------
  108. C:\Users\operator\Desktop\Електронна позовна вимога.exe
  109. C:\Windows\SysWOW64\cmd.exe cmd /k cmd < Internship & exit
  110. C:\Windows\SysWOW64\cmd.exe
  111. C:\Windows\SysWOW64\tasklist.exe
  112. C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
  113. C:\Windows\SysWOW64\tasklist.exe
  114. C:\Windows\SysWOW64\findstr.exe /I "wrsa.exe"
  115. C:\Windows\SysWOW64\cmd.exe /c mkdir 10087
  116. C:\Windows\SysWOW64\cmd.exe /c copy /b Barely + Refinance + Presence + Ii + Pencil + Archive 10087\Trail.pif
  117. C:\Windows\SysWOW64\cmd.exe /c copy /b Karaoke + Jessica + Relates 10087\A
  118. C:\TEMP\19235\10087\Trail.pif 10087\Trail.pif 10087\A
  119. C:\Windows\SysWOW64\dxdiag.exe /t C:\TEMP\sysinfo.txt
  120. C:\Windows\SysWOW64\PING.EXE -n 5 localhost
  121. C:\Windows\SysWOW64\cmd.exe /k echo [InternetShortcut] > "C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardSync.url" & echo URL="C:\Users\operator\AppData\Local\GuardSync Dynamics\GuardSync.js" >> "C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GuardSync.url" & exit
  122. C:\Windows\SysWOW64\cmd.exe /c schtasks.exe /create /tn "Extensions" /tr "wscript 'C:\Users\operator\AppData\Local\GuardSync Dynamics\GuardSync.js'" /sc minute /mo 3 /F
  123. C:\Windows\SysWOW64\schtasks.exe /create /tn "Extensions" /tr "wscript 'C:\Users\operator\AppData\Local\GuardSync Dynamics\GuardSync.js'" /sc minute /mo 3 /F
  124.  
  125. {other context}
  126.  
  127. C:\Windows\system32\taskeng.exe taskeng.exe {129FADE1-4375-4B9E-B29D-16DF8D3E8F24} S-1-5-21-136527031-2493574210-1221074019-1000:PD07MIL\private:Interactive:[1]
  128. C:\Windows\system32\wscript.EXE "C:\Users\operator\AppData\Local\GuardSync Dynamics\GuardSync.js"
  129. C:\Users\operator\AppData\Local\GuardSync Dynamics\GuardSync.pif "C:\Users\operator\AppData\Local\GuardSync Dynamics\e"
  130.  
  131.  
  132. persist
  133. --------------
  134. #1_startup_folder
  135. GuardSync.url c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\guardsync.url 25.12.2023 19:47
  136.  
  137. #2_task
  138. \Extensions c:\users\operator\appdata\local\guardsync dynamics\guardsync.js 25.12.2023 19:47
  139.  
  140.  
  141. drop
  142. --------------
  143. %temp%\19235\10087\Trail.pif
  144. C:\Users\*\AppData\Local\GuardSync Dynamics\GuardSync.js
  145. C:\Users\*\AppData\Local\GuardSync Dynamics\GuardSync.pif
  146. C:\Users\*\AppData\Local\GuardSync Dynamics\e
  147.  
  148.  
  149. # # # # # # # #
  150. additional info
  151. # # # # # # # #
  152. malware_config
  153. {
  154. "Version": "4.9.3 Pro",
  155. "Host:Port:Password": "77_105_132_124 : 2404",
  156. "Assigned name": "host1",
  157. "Connect interval": "1",
  158. "Install flag": "Disable",
  159. "Setup HKCU\\Run": "Enable",
  160. "Setup HKLM\\Run": "Enable",
  161. "Install path": "Application path",
  162. "Copy file": "remcos.exe",
  163. "Startup value": "Disable",
  164. "Hide file": "Disable",
  165. "Mutex": "tmdv-QRS916",
  166. "Keylog flag": "0",
  167. "Keylog path": "Application path",
  168. "Keylog file": "logs.dat",
  169. "Keylog crypt": "Disable",
  170. "Hide keylog file": "Disable",
  171. "Screenshot flag": "Disable",
  172. "Screenshot time": "10",
  173. "Take Screenshot option": "Disable",
  174. "Take screenshot title": "",
  175. "Take screenshot time": "5",
  176. "Screenshot path": "AppData",
  177. "Screenshot file": "Screenshots",
  178. "Screenshot crypt": "Disable",
  179. "Mouse option": "Disable",
  180. "Delete file": "Disable",
  181. "Audio record time": "5"
  182. }
  183.  
  184. # # # # # # # #
  185. VT & Intezer
  186. # # # # # # # #
  187. https://www.virustotal.com/gui/file/f8467854bd660e06f5cc84add2393f383a0ba392ead7b5259ffe541966f3dec6/details
  188. https://www.virustotal.com/gui/file/fa6b91fbb44a2d297648f697ef006ab1f6692cd05c35159b17bea47036e43775/details
  189. https://www.virustotal.com/gui/file/3d5e02b68324d032f88bf01058d9081b1d4a3e76bec37691e369f66ad0d8d44c/details
  190. https://www.virustotal.com/gui/file/54d67baa08c39a917678d44284d90554f752e4c2eaf164708ff42438835d3d03/details
  191. https://www.virustotal.com/gui/file/3830e8249b95e86065288cb7a00ee9139d9e2fd918ff9c7e427e8684c1481579/details
  192. https://www.virustotal.com/gui/file/49f726559690aee6d88cfb1e775bbcbb53686d5655cb127f334e2bd51e596a54/details
  193. https://www.virustotal.com/gui/file/4a43882dff1b9fa72c5a5ff19d35584d83c59fda32a910544ca5543000a87d02/details
  194. https://www.virustotal.com/gui/file/f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3/details
  195. https://www.virustotal.com/gui/file/825d577161eb5be9268f0974987f2f9433cef89540bf28b8245607b573d54aa0/details
  196.  
  197. VR