- #IOC #OptiData #VR #Remcos #AsyncRAT #AutoIT #PWD
- https://pastebin.com/Ddgk9Uuv
- previous_contact:
- 13/02/24 https://pastebin.com/GNZ1JF9A
- 25/01/24 https://pastebin.com/cud9xwfs
- 19/01/24 https://pastebin.com/EvXHfZUB
- 18/01/24 https://pastebin.com/FL2fX362
- FAQ:
- https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
- https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
- attack_vector
- --------------
- email URL > bitbucket > GET .exe1 > .pif > .exe2 > RegAsm.exe > C2
- # # # # # # # #
- email_headers
- # # # # # # # #
- n/a
- # # # # # # # #
- files
- # # # # # # # #
- SHA-256 a12adcef2a153e0926843befaad18c7378d8d1b698400c51a69b229f99979d54
- File name MedicationRoy.exe
- SHA-256 f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
- File name Biography.pif, Supporting.pif, Be.pif
- SHA-256 412ea561f1fddaab3c4a0543031a61b63e762461e32554e2927e6fc0212ac6cb
- File name vns.exe
- # # # # # # # #
- activity
- # # # # # # # #
- PL_SCR bitbucket_org /obmens/file/downloads/ MedicationRoy.exe
- C2 77_105_132_92 : 2404:21:81:80:465:463:60989:4899
- netwrk
- --------------
- 77_105_132_92 2404 TCP 49244 → 2404 [SYN]
- 77_105_132_94 8080 TCP 49247 → 8080 [SYN]
- comp
- --------------
- Supporting.pif 2272 TCP 77_105_132_92 2404 ESTABLISHED
- [System] 0 TCP 77_105_132_92 2404 ESTABLISHED
- RegAsm.exe 4608 TCP 77_105_132_94 8080 ESTABLISHED
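The IPs in the activity, netwrk and comp sections are defanged with underscores in place of dots, and the C2 line packs every observed port into one colon-separated field, so the indicators cannot be dropped straight into a firewall or netstat comparison. The script below is an added example for this paste, not the author's own tooling: it refangs the indicators (also the `bitbucket_org` host form used in PL_SCR), builds an (ip, port) set from the C2 and netwrk lines as written above, and checks connection records against it. The connection records are constructed to mirror the comp section plus one benign connection to a TEST-NET-1 address; their layout (proc, pid, dst, dport) is an assumption.

```python
"""IOC matching for the network indicators in this paste (added example)."""
import re

# Indicator lines copied from the 'activity' and 'netwrk' sections above
C2_LINE = "C2 77_105_132_92 : 2404:21:81:80:465:463:60989:4899"
NETWRK_LINES = [
    "77_105_132_92 2404 TCP 49244 → 2404 [SYN]",
    "77_105_132_94 8080 TCP 49247 → 8080 [SYN]",
]

def refang(s: str) -> str:
    """Undo the defanging used in this paste (dots written as '_') plus the
    common hxxp / [.] forms, so an indicator can be compared with live data."""
    s = s.replace("[.]", ".")
    s = re.sub(r"^hxxp", "http", s, flags=re.I)
    if re.fullmatch(r"\d{1,3}(_\d{1,3}){3}", s):       # 77_105_132_92
        return s.replace("_", ".")
    if "_" in s and "." not in s and "/" not in s:     # bitbucket_org
        return s.replace("_", ".")
    return s

def parse_c2_line(line: str) -> set:
    """'C2 <ip> : p1:p2:...' -> {(ip, p1), (ip, p2), ...}"""
    m = re.match(r"C2\s+(\S+)\s*:\s*([\d:]+)", line)
    if not m:
        raise ValueError(f"unrecognised C2 line: {line!r}")
    ip = refang(m.group(1))
    return {(ip, int(p)) for p in m.group(2).split(":") if p}

def parse_netwrk_line(line: str) -> tuple:
    """'<ip> <dport> TCP <sport> → <dport> [flags]' -> (ip, dport)"""
    parts = line.split()
    return refang(parts[0]), int(parts[1])

def build_ioc_set(c2_line: str, netwrk_lines) -> set:
    iocs = parse_c2_line(c2_line)
    iocs.update(parse_netwrk_line(l) for l in netwrk_lines)
    return iocs

# Constructed from the 'comp' section, plus one benign record (192.0.2.10 is TEST-NET-1)
CONNECTIONS = [
    {"proc": "Supporting.pif", "pid": 2272, "dst": "77.105.132.92", "dport": 2404},
    {"proc": "[System]",       "pid": 0,    "dst": "77.105.132.92", "dport": 2404},
    {"proc": "RegAsm.exe",     "pid": 4608, "dst": "77.105.132.94", "dport": 8080},
    {"proc": "svchost.exe",    "pid": 900,  "dst": "192.0.2.10",    "dport": 443},
]

def match_connections(conns, iocs):
    """Return (exact ip:port hits, ip-only hits). A connection to a known C2
    address on a port not yet in the list is still worth a look (the C2 line
    above shows the same host on eight ports), so it is reported separately."""
    ioc_ips = {ip for ip, _ in iocs}
    exact, ip_only = [], []
    for c in conns:
        if (c["dst"], c["dport"]) in iocs:
            exact.append(c)
        elif c["dst"] in ioc_ips:
            ip_only.append(c)
    return exact, ip_only

if __name__ == "__main__":
    iocs = build_ioc_set(C2_LINE, NETWRK_LINES)
    exact, ip_only = match_connections(CONNECTIONS, iocs)
    for c in exact:
        print(f"C2 hit      {c['proc']:<16} pid {c['pid']:<5} -> {c['dst']}:{c['dport']}")
    for c in ip_only:
        print(f"C2 ip only  {c['proc']:<16} pid {c['pid']:<5} -> {c['dst']}:{c['dport']}")
```

The `[System]` pid 0 entry is kept deliberately: the comp section shows the same 77_105_132_92:2404 session attributed to the kernel after the owning process exited, so a matcher that filters on process name alone would miss it.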
- proc
- --------------
- C:\Users\operator\Desktop\MedicationRoy.exe
- "C:\Windows\System32\cmd.exe" /k move Adds Adds.bat & Adds.bat & exit
- C:\Windows\SysWOW64\tasklist.exe
- C:\Windows\SysWOW64\findstr.exe /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
- C:\Windows\SysWOW64\tasklist.exe
- C:\Windows\SysWOW64\findstr.exe /I "wrsa.exe opssvc.exe"
- C:\Windows\SysWOW64\cmd.exe /c md 31086
- C:\Windows\SysWOW64\cmd.exe /c copy /b Reduction + Grew + Pub + Suburban + Nest 31086\Supporting.pif
- C:\Windows\SysWOW64\cmd.exe /c copy /b Merchandise + Certificate + Building 31086\e
- C:\TEMP\7ZipSfx.000\31086\Supporting.pif 31086\e
- C:\TEMP\7ZipSfx.000\31086\Supporting.pif /stext "C:\TEMP\xfxdnzwxozrkuarkmnlggujbbuxtdqjf"
- C:\TEMP\7ZipSfx.000\31086\Supporting.pif /stext "C:\TEMP\hhcoo"
- C:\TEMP\vns.exe
- C:\Windows\SysWOW64\cmd.exe /k move Bathrooms Bathrooms.bat & Bathrooms.bat & exit
- C:\Windows\SysWOW64\tasklist.exe
- C:\Windows\SysWOW64\findstr.exe /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
- C:\Windows\SysWOW64\tasklist.exe
- C:\Windows\SysWOW64\findstr.exe /I "wrsa.exe opssvc.exe"
- C:\Windows\SysWOW64\cmd.exe /c md 31197
- C:\Windows\SysWOW64\cmd.exe /c copy /b Compound + Injection + Emotions + Worm 31197\Be.pif
- C:\Windows\SysWOW64\cmd.exe /c copy /b Certain + Damages 31197\m
- C:\TEMP\54941\31197\Be.pif 31197\m
- C:\Windows\SysWOW64\PING.EXE -n 5 localhost
- C:\Windows\SysWOW64\cmd.exe /k echo [InternetShortcut] > "C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SkillForge.url" & echo URL="C:\Users\operator\AppData\Local\LearnCraft Academy Inc\SkillForge.js" >> "C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SkillForge.url" & exit
- C:\Windows\SysWOW64\cmd.exe /k echo [InternetShortcut] > "C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecureSphereR.url" & echo URL="C:\Users\operator\AppData\Local\SafeGuard Systems Inc\SecureSphereR.js" >> "C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecureSphereR.url" & exit
- C:\Windows\SysWOW64\cmd.exe /c schtasks.exe /create /tn "Nt" /tr "wscript 'C:\Users\operator\AppData\Local\SafeGuard Systems Inc\SecureSphereR.js'" /sc minute /mo 3 /F
- C:\Windows\SysWOW64\schtasks.exe /create /tn "Nt" /tr "wscript 'C:\Users\operator\AppData\Local\SafeGuard Systems Inc\SecureSphereR.js'" /sc minute /mo 3 /F
- C:\TEMP\54941\31197\RegAsm.exe
- persist
- --------------
- SecureSphereR.url c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\securespherer.url 14.02.2024 15:39
- SkillForge.url c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\skillforge.url 14.02.2024 15:38
- \Nt c:\users\operator\appdata\local\safeguard systems inc\securespherer.js 14.02.2024 15:39
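The proc and persist sections above show the whole dropper routine in command lines: an extensionless drop renamed to .bat and run, tasklist piped to findstr /I for security-product process names, split payload parts re-joined with copy /b into a .pif under C:\TEMP\7ZipSfx.000, a .url InternetShortcut written into the per-user Startup folder that points at a .js, and a schtasks entry running the same .js through wscript every 3 minutes. The rules below are an added example of how to turn those lines into process-command-line detections; they are not the paste author's tooling. SAMPLE_EVENTS is constructed from the paste's own command lines (same user, paths and file names) plus two benign look-alikes; the event layout (pid, cmdline), the rule names and the MITRE sub-technique mapping are my assumptions.

```python
"""Behavioural triage of the process command lines in 'proc' and 'persist' (added example)."""
import re

# Process names the dropper looks for with tasklist | findstr /I (taken from the paste)
AV_NAMES = ("avastui.exe", "avgui.exe", "nswscsvc.exe", "sophoshealth.exe",
            "wrsa.exe", "opssvc.exe")
STARTUP_DIR = r"\start menu\programs\startup"   # tail of the per-user Startup folder

def is_bat_rename_and_run(cmd: str) -> bool:
    # cmd /k move <X> <X>.bat & <X>.bat & exit : extensionless drop renamed and executed
    return re.search(r"/k\s+move\s+(\S+)\s+\1\.bat\s*&\s*\1\.bat", cmd) is not None

def is_av_discovery(cmd: str) -> bool:
    # findstr /I "<security product process names>" over tasklist output
    return "findstr" in cmd and "/i" in cmd and any(n in cmd for n in AV_NAMES)

def is_fragment_assembly(cmd: str) -> bool:
    # copy /b A + B + C <dir>\<file> : binary re-assembly of split payload parts
    return re.search(r"copy\s+/b\s+\S+(\s*\+\s*\S+)+\s+\S+", cmd) is not None

def is_pif_from_temp(cmd: str) -> bool:
    # a .pif (renamed PE) launched out of C:\TEMP\... (the 7-Zip SFX staging dir)
    return re.search(r'c:\\temp\\[^\s"]*\.pif', cmd) is not None

def is_startup_url_shortcut(cmd: str) -> bool:
    # echo [InternetShortcut] > Startup\X.url & echo URL="...\X.js" : .url -> .js persistence
    return ("[internetshortcut]" in cmd and STARTUP_DIR in cmd
            and ".url" in cmd and ".js" in cmd)

def is_minute_schtask_wscript(cmd: str) -> bool:
    # schtasks /create /tr "wscript '...js'" /sc minute /mo N
    return ("schtasks" in cmd and "/create" in cmd and "wscript" in cmd
            and re.search(r"/sc\s+minute", cmd) is not None)

# Rule names are this example's own; the MITRE IDs are my mapping, not the paste's.
RULES = [
    ("bat-rename-and-run", is_bat_rename_and_run),
    ("security-software-discovery T1518.001", is_av_discovery),
    ("fragment-assembly-copy-b", is_fragment_assembly),
    ("pif-from-temp", is_pif_from_temp),
    ("startup-url-shortcut T1547.001", is_startup_url_shortcut),
    ("minute-schtask-wscript T1053.005", is_minute_schtask_wscript),
]

def triage(events) -> list:
    """One hit per (event, rule) match. Matching is done on the lower-cased
    command line because cmd.exe switches show up as both /I and /i."""
    hits = []
    for ev in events:
        cmd = ev["cmdline"].lower()
        for name, pred in RULES:
            if pred(cmd):
                hits.append({"pid": ev["pid"], "rule": name, "cmdline": ev["cmdline"]})
    return hits

def rule_names(events) -> set:
    return {h["rule"] for h in triage(events)}

SAMPLE_EVENTS = [  # constructed from the paste's 'proc' lines
    {"pid": 100, "cmdline": r'"C:\Windows\System32\cmd.exe" /k move Adds Adds.bat & Adds.bat & exit'},
    {"pid": 101, "cmdline": r'C:\Windows\SysWOW64\findstr.exe /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"'},
    {"pid": 102, "cmdline": r'C:\Windows\SysWOW64\cmd.exe /c copy /b Reduction + Grew + Pub + Suburban + Nest 31086\Supporting.pif'},
    {"pid": 103, "cmdline": r'C:\TEMP\7ZipSfx.000\31086\Supporting.pif 31086\e'},
    {"pid": 104, "cmdline": r'C:\Windows\SysWOW64\cmd.exe /k echo [InternetShortcut] > "C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SkillForge.url" & echo URL="C:\Users\operator\AppData\Local\LearnCraft Academy Inc\SkillForge.js" >> "C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SkillForge.url" & exit'},
    {"pid": 105, "cmdline": r"""C:\Windows\SysWOW64\schtasks.exe /create /tn "Nt" /tr "wscript 'C:\Users\operator\AppData\Local\SafeGuard Systems Inc\SecureSphereR.js'" /sc minute /mo 3 /F"""},
    # benign look-alikes (constructed) that must not fire
    {"pid": 200, "cmdline": r'C:\Windows\System32\findstr.exe /I "error warning" C:\logs\app.log'},
    {"pid": 201, "cmdline": r'C:\Windows\System32\schtasks.exe /query /tn "Backup"'},
]

if __name__ == "__main__":
    for h in triage(SAMPLE_EVENTS):
        print(f"pid {h['pid']:<5} {h['rule']:<40} {h['cmdline'][:70]}")
```

On its own `copy /b` concatenation is noisy in admin scripting; in this chain it is worth alerting on because the parent is cmd.exe spawned from a 7-Zip SFX directory under C:\TEMP and the output is a .pif, so correlate the fragment-assembly and pif-from-temp hits on the same process tree before paging anyone. The .url and schtasks rules, by contrast, fire on exactly the artifacts recorded in the persist section and can stand alone.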
- drop
- --------------
- %temp%\54941\Be
- %temp%\54941\m
- %temp%\54941\RegAsm.exe
- %temp%\7ZipSfx.000\31086\Supporting
- %temp%\7ZipSfx.000\31086\e
- %temp%\vns.exe
- C:\Users\USER_NAME\AppData\Local\SafeGuard Systems Inc\*
- C:\Users\USER_NAME\AppData\Local\QuantumSec Systems\*
- C:\Users\USER_NAME\AppData\Roaming\MyData\DataLogs.conf
- C:\Users\USER_NAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecureSphereR.url
- C:\Users\USER_NAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumGuard.url
- # # # # # # # #
- additional info
- # # # # # # # #
- n/a
- # # # # # # # #
- VT & Intezer
- # # # # # # # #
- https://www.virustotal.com/gui/file/a12adcef2a153e0926843befaad18c7378d8d1b698400c51a69b229f99979d54/details
- https://www.virustotal.com/gui/file/f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3/details
- https://www.virustotal.com/gui/file/412ea561f1fddaab3c4a0543031a61b63e762461e32554e2927e6fc0212ac6cb/details
- VR