VRad

#remcos_async_140224

Feb 14th, 2024 (edited)
  1. #IOC #OptiData #VR #Remcos #AsyncRAT #AutoIT #PWD
  2.  
  3. https://pastebin.com/Ddgk9Uuv
  4.  
  5. previous_contact:
  6. 13/02/24 https://pastebin.com/GNZ1JF9A
  7. 25/01/24 https://pastebin.com/cud9xwfs
  8. 19/01/24 https://pastebin.com/EvXHfZUB
  9. 18/01/24 https://pastebin.com/FL2fX362
  10.  
  11. FAQ:
  12. https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
  13. https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
  14.  
  15. attack_vector
  16. --------------
  17. email URL > bitbucket > GET .exe1 > .pif > .exe2 > RegAsm.exe > C2
  18.  
  19. # # # # # # # #
  20. email_headers
  21. # # # # # # # #
  22. n/a
  23.  
  24. # # # # # # # #
  25. files
  26. # # # # # # # #
  27. SHA-256 a12adcef2a153e0926843befaad18c7378d8d1b698400c51a69b229f99979d54
  28. File name MedicationRoy.exe
  29.  
  30. SHA-256 f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
  31. File name Biography.pif , Supporting.pif , Be.pif
  32.  
  33. SHA-256 412ea561f1fddaab3c4a0543031a61b63e762461e32554e2927e6fc0212ac6cb
  34. File name vns.exe
  35.  
  36. # # # # # # # #
  37. activity
  38. # # # # # # # #
  39.  
  40. PL_SCR bitbucket_org /obmens/file/downloads/ MedicationRoy.exe
  41.  
  42. C2 77_105_132_92 : 2404:21:81:80:465:463:60989:4899
  43.  
  44. netwrk
  45. --------------
  46. 77_105_132_92 2404 TCP 49244 → 2404 [SYN]
  47. 77_105_132_94 8080 TCP 49247 → 8080 [SYN]
  48.  
  49. comp
  50. --------------
  51. Supporting.pif 2272 TCP 77_105_132_92 2404 ESTABLISHED
  52. [System] 0 TCP 77_105_132_92 2404 ESTABLISHED
  53. RegAsm.exe 4608 TCP 77_105_132_94 8080 ESTABLISHED
  54.  
  55. proc
  56. --------------
  57. C:\Users\operator\Desktop\MedicationRoy.exe
  58. "C:\Windows\System32\cmd.exe" /k move Adds Adds.bat & Adds.bat & exit
  59. C:\Windows\SysWOW64\tasklist.exe
  60. C:\Windows\SysWOW64\findstr.exe /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
  61. C:\Windows\SysWOW64\tasklist.exe
  62. C:\Windows\SysWOW64\findstr.exe /I "wrsa.exe opssvc.exe"
  63. C:\Windows\SysWOW64\cmd.exe /c md 31086
  64. C:\Windows\SysWOW64\cmd.exe /c copy /b Reduction + Grew + Pub + Suburban + Nest 31086\Supporting.pif
  65. C:\Windows\SysWOW64\cmd.exe /c copy /b Merchandise + Certificate + Building 31086\e
  66. C:\TEMP\7ZipSfx.000\31086\Supporting.pif 31086\e
  67. C:\TEMP\7ZipSfx.000\31086\Supporting.pif /stext "C:\TEMP\xfxdnzwxozrkuarkmnlggujbbuxtdqjf"
  68. C:\TEMP\7ZipSfx.000\31086\Supporting.pif /stext "C:\TEMP\hhcoo"
  69. C:\TEMP\vns.exe
  70. C:\Windows\SysWOW64\cmd.exe /k move Bathrooms Bathrooms.bat & Bathrooms.bat & exit
  71. C:\Windows\SysWOW64\tasklist.exe
  72. C:\Windows\SysWOW64\findstr.exe /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
  73. C:\Windows\SysWOW64\tasklist.exe
  74. C:\Windows\SysWOW64\findstr.exe /I "wrsa.exe opssvc.exe"
  75. C:\Windows\SysWOW64\cmd.exe /c md 31197
  76. C:\Windows\SysWOW64\cmd.exe /c copy /b Compound + Injection + Emotions + Worm 31197\Be.pif
  77. C:\Windows\SysWOW64\cmd.exe /c copy /b Certain + Damages 31197\m
  78. C:\TEMP\54941\31197\Be.pif 31197\m
  79. C:\Windows\SysWOW64\PING.EXE -n 5 localhost
  80. C:\Windows\SysWOW64\cmd.exe /k echo [InternetShortcut] > "C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SkillForge.url" & echo URL="C:\Users\operator\AppData\Local\LearnCraft Academy Inc\SkillForge.js" >> "C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SkillForge.url" & exit
  81. C:\Windows\SysWOW64\cmd.exe /k echo [InternetShortcut] > "C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecureSphereR.url" & echo URL="C:\Users\operator\AppData\Local\SafeGuard Systems Inc\SecureSphereR.js" >> "C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecureSphereR.url" & exit
  82. C:\Windows\SysWOW64\cmd.exe /c schtasks.exe /create /tn "Nt" /tr "wscript 'C:\Users\operator\AppData\Local\SafeGuard Systems Inc\SecureSphereR.js'" /sc minute /mo 3 /F
  83. C:\Windows\SysWOW64\schtasks.exe /create /tn "Nt" /tr "wscript 'C:\Users\operator\AppData\Local\SafeGuard Systems Inc\SecureSphereR.js'" /sc minute /mo 3 /F
  84. C:\TEMP\54941\31197\RegAsm.exe
  85.  
  86. persist
  87. --------------
  88. SecureSphereR.url c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\securespherer.url 14.02.2024 15:39
  89. SkillForge.url c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\skillforge.url 14.02.2024 15:38
  90.  
  91. \Nt c:\users\operator\appdata\local\safeguard systems inc\securespherer.js 14.02.2024 15:39
  92.  
  93. drop
  94. --------------
  95. %temp%\54941\Be
  96. %temp%\54941\m
  97. %temp%\54941\RegAsm.exe
  98. %temp%\7ZipSfx.000\31086\Supporting
  99. %temp%\7ZipSfx.000\31086\e
  100. %temp%\vns.exe
  101.  
  102. C:\Users\USER_NAME\AppData\Local\SafeGuard Systems Inc\*
  103. C:\Users\USER_NAME\AppData\Local\QuantumSec Systems\*
  104. C:\Users\USER_NAME\AppData\Roaming\MyData\DataLogs.conf
  105.  
  106. C:\Users\USER_NAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecureSphereR.url
  107. C:\Users\USER_NAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumGuard.url
  108.  
  109. # # # # # # # #
  110. additional info
  111. # # # # # # # #
  112. n/a
  113.  
  114. # # # # # # # #
  115. VT & Intezer
  116. # # # # # # # #
  117. https://www.virustotal.com/gui/file/a12adcef2a153e0926843befaad18c7378d8d1b698400c51a69b229f99979d54/details
  118. https://www.virustotal.com/gui/file/f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3/details
  119. https://www.virustotal.com/gui/file/412ea561f1fddaab3c4a0543031a61b63e762461e32554e2927e6fc0212ac6cb/details
  120.  
  121.  
  122. VR