- #IOC #OptiData #VR #remcos #RAT #RAR #PWD #EXE #PowerShell
- https://pastebin.com/FL2fX362
- previous_contact:
- 25/12/23 https://pastebin.com/D535PVm3
- 21/12/23 https://pastebin.com/samYnJq6
- 30/11/23 https://pastebin.com/aG6XyqHN
- 13/11/23 https://pastebin.com/tbRpiGG5
- 06/02/23 https://pastebin.com/kjv5E8Au
- FAQ:
- https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
- attack_vector
- --------------
- email attach .zip > password-protected multi-part RAR (.part1.rar + .part2.rar) > .exe1 (PureBasic dropper: .bat > powershell base64) > get hostcr.exe from bitbucket_org > .exe2 (Remcos, host.exe) > C2 185_70_104_90 & 77_105_132_70 > fingerprint & exfil
- # # # # # # # #
- email_headers
- # # # # # # # #
- _1
- Date: Thu, 18 Jan 2024, 14:42:50
- From: "Ржепішевський Колодар Августинович" <account@toukou-syouji.com>
- Subject: Запит документів (ЦУ СБУ) [= "Request for documents (SBU Central Directorate)"]
- - - - - - -
- _2
- Date: Thu, 18 Jan 2024 15:38:32 +0300
- From: Кобець Ігор Захарович <support@kafuksa.info>
- Subject: Запит документів (ЦУ СБУ) [= "Request for documents (SBU Central Directorate)"]
- Received: from aye_pine_relay_mailchannels.net ([23_83_219_6])
- Message-ID: <1705581527837.56d9a0ac63b6629c@kafuksa.info>
- Return-Path: <support@kafuksa.info>
- - - - - - -
- _3
- Date: Thu, 18 Jan 2024 15:46:51 +0300
- From: Каніщенко Злотан Найденович <axunjonova06@umail.uz>
- Subject: Запит документів (ЦУ СБУ) [= "Request for documents (SBU Central Directorate)"]
- Received: from mx1_umail_uz ([91_212_89_101])
- Received: from WIN-LCETV91VPS6 (unknown [77_105_147_100])
- # # # # # # # #
- files
- # # # # # # # #
- SHA-256 32d3e0a2f60e69f21634e8acc853d5d62f86eddf13d8897355e6405c5ffc4d87
- File name Запит документів.zip [ Zip archive data ] (file name = "Request for documents")
- File size 58.14 KB (59533 bytes)
- SHA-256 d47694c0f3b49ae16b9f02f41268e4ee780c1cc6b43a11ed3795362e6d61aa26
- File name Запит документів.part1.rar [ RAR archive data, v5 ] PWD!
- File size 30.00 KB (30720 bytes)
- SHA-256 f973ff313b0c75ede4a37fcf4df91f6e793c6daa875d3e2cb950f0e899ff8e1f
- File name Запит документів.part2.rar [ RAR archive data, v5 ] PWD!
- File size 27.14 KB (27790 bytes)
- SHA-256 db818294e50a757b1511cb2ac06b678e829c5328e920c5105ec30985e585b2c0
- File name Запит документів.exe [ PE32 Compiler: PureBasic ] Dropper!
- File size 113.00 KB (115712 bytes)
- SHA-256 4effb7493819e25c61af5e224d8a774652957b99ec1faca19e1c84bd0c9ff840
- File name hostcr.exe / host.exe [ PE32 executable , .NET ] Remcos!
- File size
- # # # # # # # #
- activity
- # # # # # # # #
- PL_SCR bitbucket_org / yener3 / yener3 / downloads / hostcr.exe
- C2 185_70_104_90 :2404
- 185_70_104_90 :8080
- 185_70_104_90 :80
- 185_70_104_90 :465
- 77_105_132_70 :2404
- 77_105_132_70 :8080
- 77_105_132_70 :80
- 77_105_132_70 :465
- netwrk
- --------------
- 104_192_141_1 bitbucket_org 443 TLSv1.2 Client Hello
- 52_217_159_9 bbuseruploads_s3_amazonaws_com 443 TLSv1.2 Client Hello
- 185_70_104_90 2404 TCP 49233 → 2404 [SYN]
- 185_70_104_90 8080 TCP 49234 → 8080 [SYN]
- 185_70_104_90 465 TCP 49235 → 465 [SYN]
- 77_105_132_70 80 TCP 49237 → 80 [SYN]
- 77_105_132_70 8080 TCP 49238 → 8080 [SYN]
- comp
- --------------
- powershell.exe 3008 TCP 104_192_141_1 443 ESTABLISHED
- powershell.exe 3008 TCP 52_217_159_9 443 ESTABLISHED
- host.exe 3208 TCP 185_70_104_90 2404 ESTABLISHED
- host.exe 3208 TCP 77_105_132_70 8080 ESTABLISHED
- host.exe 3208 TCP 77_105_132_70 8080 ESTABLISHED
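- Added example, not part of this paste: the indicators above are defanged by replacing dots with underscores. The script below refangs them (validating that anything numeric parses as an IPv4 address, so a mangled token fails loudly instead of silently becoming a bad rule) and then matches connection records in the shape of the "comp" section against the C2 set and the bitbucket/S3 staging hosts. The connection lines inside the script are constructed sample data, not output captured from the infected host; a hit on a C2 IP at a port the paste does not list is reported separately rather than dropped, since Remcos builds carry several ports and the sample only exercised some of them.

```python
"""Refang the underscore-defanged IOCs from the paste and hunt for them in
connection records.  Added example; SAMPLE is constructed, not captured data."""
import ipaddress
import re

# IOCs exactly as the paste writes them (dots replaced by underscores).
DEFANGED_C2 = {
    "185_70_104_90": [2404, 8080, 80, 465],
    "77_105_132_70": [2404, 8080, 80, 465],
}
DEFANGED_STAGING_HOSTS = ["bitbucket_org", "bbuseruploads_s3_amazonaws_com"]
DEFANGED_STAGING_IPS = ["104_192_141_1", "52_217_159_9"]


def refang(token: str) -> str:
    """'185_70_104_90' -> '185.70.104.90', 'bitbucket_org' -> 'bitbucket.org'.
    Caveat: the underscore convention is lossy for names that legitimately
    contain underscores, so an all-numeric result must parse as an IPv4 address."""
    value = token.replace("_", ".")
    if re.fullmatch(r"[0-9.]+", value):
        ipaddress.ip_address(value)  # raises ValueError on a mangled token
    return value


C2 = {refang(ip): set(ports) for ip, ports in DEFANGED_C2.items()}
STAGING = {refang(h) for h in DEFANGED_STAGING_HOSTS} | {refang(ip) for ip in DEFANGED_STAGING_IPS}

# Constructed records: 'process pid proto remote_ip remote_port state'
SAMPLE = """\
powershell.exe 3008 TCP 104.192.141.1 443 ESTABLISHED
host.exe 3208 TCP 185.70.104.90 2404 ESTABLISHED
host.exe 3208 TCP 77.105.132.70 8080 ESTABLISHED
chrome.exe 4120 TCP 142.250.74.46 443 ESTABLISHED
svchost.exe 1012 TCP 77.105.132.70 443 SYN_SENT
"""

LINE = re.compile(r"^(\S+)\s+(\d+)\s+(TCP|UDP)\s+(\S+)\s+(\d+)\s+(\S+)$")


def classify(line: str):
    """Return (process, pid, remote_ip, remote_port, verdict) or None for a clean line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    proc, pid, _proto, rip, rport, _state = m.groups()
    rport = int(rport)
    if rip in C2:
        verdict = "c2" if rport in C2[rip] else "c2-ip-unlisted-port"
        return (proc, int(pid), rip, rport, verdict)
    if rip in STAGING:
        return (proc, int(pid), rip, rport, "staging")
    return None


def hunt(text: str):
    """Run classify() over every record and keep the hits, in input order."""
    return [r for r in (classify(l) for l in text.splitlines()) if r]


if __name__ == "__main__":
    for hit in hunt(SAMPLE):
        print(*hit)
```

- The bitbucket and S3 hits are low-signal on their own (both are legitimate services) but matter in context: a powershell.exe child of a user-launched .exe pulling from bbuseruploads.s3.amazonaws.com is the download of hostcr.exe seen in the proc section.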
- proc
- --------------
- C:\Users\operator\Desktop\Запит документів.exe
- "C:\Windows\sysnative\cmd" /c "C:\TEMP\439F.tmp\43A0.tmp\43A1.bat "C:\Users\operator\Desktop\Запит документів.exe""
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command :From_Base64String_...
- "C:\Windows\system32\reg.exe" add HKCU\Software\Classes\.omg\Shell\Open\command /d "powershell.exe ...
- "C:\Windows\system32\reg.exe" add HKCU\Software\Classes\ms-settings\CurVer /d .omg /f
- "C:\Windows\system32\reg.exe" delete HKCU\Software\Classes\.omg\ /f
- "C:\Windows\system32\reg.exe" delete HKCU\Software\Classes\ms-settings\ /f
- C:\Users\operator\AppData\Roaming\hostcr.exe
- C:\Users\operator\AppData\Roaming\hostcr.exe
- C:\ProgramData\updates\host.exe
- C:\ProgramData\updates\host.exe
- C:\ProgramData\updates\host.exe /stext "C:\TEMP\yhltikx"
- C:\ProgramData\updates\host.exe /stext "C:\TEMP\ijzmjdhjow"
- C:\ProgramData\updates\host.exe /stext "C:\TEMP\tdexknslbeerct"
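- Added example, not part of this paste. The three reg.exe lines above are the ms-settings protocol-handler hijack used by the auto-elevate UAC bypass family (fodhelper.exe / ComputerDefaults.exe): a user-writable ProgID (.omg) receives a Shell\Open\command, HKCU\Software\Classes\ms-settings\CurVer is pointed at it, an auto-elevating binary dispatches ms-settings: and runs the command as high integrity, and the keys are deleted afterwards. The launch of the auto-elevating binary itself is not in the proc list, so the detection keys on the registry writes. The /stext switch on host.exe is the "save as text" option of the NirSoft password-recovery tools, which Remcos's credential-recovery feature runs in-memory, writing to random names in %TEMP% as seen in the drop section. The event strings below are constructed to resemble Sysmon event 1 CommandLine fields (the truncated powershell value is kept as "..." rather than guessed); the rule names are my own.

```python
"""Flag the process-creation patterns from the 'proc' section.  Added example;
EVENTS are constructed command lines, not log data from the paste."""
import re
from typing import List, NamedTuple


class Hit(NamedTuple):
    rule: str
    cmdline: str


# Constructed events in the order the paste shows them, plus one benign reg.exe line.
EVENTS = [
    r'C:\Users\operator\Desktop\Запит документів.exe',
    r'"C:\Windows\sysnative\cmd" /c "C:\TEMP\439F.tmp\43A0.tmp\43A1.bat "C:\Users\operator\Desktop\Запит документів.exe""',
    r'"C:\Windows\system32\reg.exe" add HKCU\Software\Classes\.omg\Shell\Open\command /d "powershell.exe ..." /f',
    r'"C:\Windows\system32\reg.exe" add HKCU\Software\Classes\ms-settings\CurVer /d .omg /f',
    r'"C:\Windows\system32\reg.exe" delete HKCU\Software\Classes\.omg\ /f',
    r'C:\ProgramData\updates\host.exe /stext "C:\TEMP\yhltikx"',
    r'"C:\Windows\system32\reg.exe" add HKCU\Software\Classes\.txt /ve /d txtfile /f',  # benign association
]

RULES = [
    # ms-settings CurVer redirected to a user-controlled ProgID: the fodhelper/ComputerDefaults UAC bypass
    ("uac_bypass_ms_settings_curver",
     re.compile(r"reg(\.exe)?\"?\s+add\s+HKCU\\Software\\Classes\\ms-settings\\CurVer", re.I)),
    # Shell\Open\command planted under the user-writable HKCU\Software\Classes hive
    ("hkcu_classes_open_command",
     re.compile(r"reg(\.exe)?\"?\s+add\s+HKCU\\Software\\Classes\\[^\s\\]+\\Shell\\Open\\command", re.I)),
    # Batch file staged in C:\TEMP and launched through the sysnative cmd alias
    ("sysnative_cmd_temp_bat",
     re.compile(r"sysnative\\cmd\"?\s+/c\s+\"?C:\\TEMP\\.*\.bat", re.I)),
    # /stext <file in C:\TEMP>: NirSoft "save as text" output, Remcos credential recovery
    ("nirsoft_stext_dump",
     re.compile(r"\s/stext\s+\"?C:\\TEMP\\", re.I)),
]


def scan(events: List[str]) -> List[Hit]:
    """Stateless per-event matching; every rule that fires on an event yields one Hit."""
    hits = []
    for cmd in events:
        for name, rx in RULES:
            if rx.search(cmd):
                hits.append(Hit(name, cmd))
    return hits


def uac_bypass_sequence(events: List[str]) -> bool:
    """Stateful check for the two-step pattern: a Shell\\Open\\command is added for some ProgID,
    and ms-settings\\CurVer is later pointed at that same ProgID.  The later 'reg delete'
    cleanup does not reset the verdict, and CurVer set before the handler does not count."""
    progids_with_handler = set()
    for cmd in events:
        m = re.search(r"HKCU\\Software\\Classes\\([^\s\\]+)\\Shell\\Open\\command", cmd, re.I)
        if m and re.search(r"\badd\b", cmd, re.I):
            progids_with_handler.add(m.group(1).lower())
        m = re.search(r"ms-settings\\CurVer\s+/d\s+(\S+)", cmd, re.I)
        if m and m.group(1).lower() in progids_with_handler:
            return True
    return False


if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(hit.rule, "::", hit.cmdline)
    print("uac bypass sequence:", uac_bypass_sequence(EVENTS))
```

- Pair this with a registry-set (Sysmon event 13) rule on HKCU\Software\Classes\ms-settings\CurVer: reg.exe is only one way to write that value, and a dropper that uses the registry API directly would slip past the command-line rules.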
- persist
- --------------
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 18.01.2024 20:02
- vgd-YS3L24 -> c:\programdata\updates\host.exe 17.01.2024 16:27
- (value name = the Remcos mutex; the binary carries "Python 3.10.0 (64-bit)" / "Python Software Foundation" version info, which is spoofed: host.exe is a .NET Remcos build)
- drop
- --------------
- C:\Users\operator\AppData\Roaming\hostcr.exe
- C:\ProgramData\updates\host.exe
- C:\ProgramData\updates\logs.dat
- %temp%\yhltikx
- %temp%\ijzmjdhjow
- # # # # # # # #
- additional info
- # # # # # # # #
- Remcos config (extracted):
- {version 4.9.3 Pro
- install flag true
- HKCU registry run key flag true
- mutex vgd-YS3L24
- keylog folder updates (-> C:\ProgramData\updates\logs.dat)
- }
- # # # # # # # #
- VT & Intezer
- # # # # # # # #
- https://www.virustotal.com/gui/file/32d3e0a2f60e69f21634e8acc853d5d62f86eddf13d8897355e6405c5ffc4d87/details
- https://www.virustotal.com/gui/file/d47694c0f3b49ae16b9f02f41268e4ee780c1cc6b43a11ed3795362e6d61aa26/details
- https://www.virustotal.com/gui/file/f973ff313b0c75ede4a37fcf4df91f6e793c6daa875d3e2cb950f0e899ff8e1f/details
- https://www.virustotal.com/gui/file/db818294e50a757b1511cb2ac06b678e829c5328e920c5105ec30985e585b2c0/details
- https://analyze.intezer.com/analyses/18e34f1d-9074-4d13-88ef-542559acb68c/behavior
- https://www.virustotal.com/gui/file/4effb7493819e25c61af5e224d8a774652957b99ec1faca19e1c84bd0c9ff840/details
- https://analyze.intezer.com/analyses/45d0dab0-1e14-4e38-a7b7-0ef5db268b67/behavior
- https://www.unpac.me/results/f886cf31-4369-45fb-85de-58bbcffba65b#/
- VR