VRad

#remcos_180124

Jan 18th, 2024 (edited)
#IOC #OptiData #VR #remcos #RAT #RAR #PWD #EXE #PowerShell

https://pastebin.com/FL2fX362

previous_contact:
25/12/23 https://pastebin.com/D535PVm3
21/12/23 https://pastebin.com/samYnJq6
30/11/23 https://pastebin.com/aG6XyqHN
13/11/23 https://pastebin.com/tbRpiGG5
06/02/23 https://pastebin.com/kjv5E8Au

FAQ:
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

attack_vector
--------------
email attach .zip > (.rar1 + .rar2) PWD > .exe1 > get bitbucket_org > .exe2 > 185_70_104_90 & 77_105_132_70 > fingerprint & exfil

# # # # # # # #
email_headers
# # # # # # # #
_1
Date: Thu, 18 Jan 2024, 14:42:50
From: "Ржепішевський Колодар Августинович" <account@toukou-syouji.com>
Subject: Запит документів (ЦУ СБУ)
- - - - - -
_2
Date: Thu, 18 Jan 2024 15:38:32 +0300
From: Кобець Ігор Захарович <support@kafuksa.info>
Subject: Запит документів (ЦУ СБУ)
Received: from aye_pine_relay_mailchannels.net ([23_83_219_6])
Message-ID: <1705581527837.56d9a0ac63b6629c@kafuksa.info>
Return-Path: <support@kafuksa.info>
- - - - - -
_3
Date: Thu, 18 Jan 2024 15:46:51 +0300
From: Каніщенко Злотан Найденович <axunjonova06@umail.uz>
Subject: Запит документів (ЦУ СБУ)
Received: from mx1_umail_uz ([91_212_89_101])
Received: from WIN-LCETV91VPS6 (unknown [77_105_147_100])

# # # # # # # #
files
# # # # # # # #
SHA-256 32d3e0a2f60e69f21634e8acc853d5d62f86eddf13d8897355e6405c5ffc4d87
File name Запит документів.zip [ Zip archive data ]
File size 58.14 KB (59533 bytes)

SHA-256 d47694c0f3b49ae16b9f02f41268e4ee780c1cc6b43a11ed3795362e6d61aa26
File name Запит документів.part1.rar [ RAR archive data, v5 ] PWD!
File size 30.00 KB (30720 bytes)

SHA-256 f973ff313b0c75ede4a37fcf4df91f6e793c6daa875d3e2cb950f0e899ff8e1f
File name Запит документів.part2.rar [ RAR archive data, v5 ] PWD!
File size 27.14 KB (27790 bytes)

SHA-256 db818294e50a757b1511cb2ac06b678e829c5328e920c5105ec30985e585b2c0
File name Запит документів.exe [ PE32 Compiler: PureBasic ] Dropper!
File size 113.00 KB (115712 bytes)

SHA-256 4effb7493819e25c61af5e224d8a774652957b99ec1faca19e1c84bd0c9ff840
File name hostcr.exe / host.exe [ PE32 executable , .NET ] Remcos!
File size

# # # # # # # #
activity
# # # # # # # #

PL_SCR bitbucket_org / yener3 / yener3 / downloads / hostcr.exe

C2 185_70_104_90 :2404
185_70_104_90 :8080
185_70_104_90 :80
185_70_104_90 :465
77_105_132_70 :2404
77_105_132_70 :8080
77_105_132_70 :80
77_105_132_70 :465

netwrk
--------------
104_192_141_1 bitbucket_org 443 TLSv1.2 Client Hello
52_217_159_9 bbuseruploads_s3_amazonaws_com 443 TLSv1.2 Client Hello

185_70_104_90 2404 TCP 49233 → 2404 [SYN]
185_70_104_90 8080 TCP 49234 → 8080 [SYN]
185_70_104_90 465 TCP 49235 → 465 [SYN]

77_105_132_70 80 TCP 49237 → 80 [SYN]
77_105_132_70 8080 TCP 49238 → 8080 [SYN]

comp
--------------
powershell.exe 3008 TCP 104_192_141_1 443 ESTABLISHED
powershell.exe 3008 TCP 52_217_159_9 443 ESTABLISHED
host.exe 3208 TCP 185_70_104_90 2404 ESTABLISHED
host.exe 3208 TCP 77_105_132_70 8080 ESTABLISHED
host.exe 3208 TCP 77_105_132_70 8080 ESTABLISHED

proc
--------------
C:\Users\operator\Desktop\Запит документів.exe
"C:\Windows\sysnative\cmd" /c "C:\TEMP\439F.tmp\43A0.tmp\43A1.bat "C:\Users\operator\Desktop\Запит документів.exe""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command :From_Base64String_...
"C:\Windows\system32\reg.exe" add HKCU\Software\Classes\.omg\Shell\Open\command /d "powershell.exe ...
"C:\Windows\system32\reg.exe" add HKCU\Software\Classes\ms-settings\CurVer /d .omg /f
"C:\Windows\system32\reg.exe" delete HKCU\Software\Classes\.omg\ /f
"C:\Windows\system32\reg.exe" delete HKCU\Software\Classes\ms-settings\ /f
C:\Users\operator\AppData\Roaming\hostcr.exe
C:\Users\operator\AppData\Roaming\hostcr.exe
C:\ProgramData\updates\host.exe
C:\ProgramData\updates\host.exe
C:\ProgramData\updates\host.exe /stext "C:\TEMP\yhltikx"
C:\ProgramData\updates\host.exe /stext "C:\TEMP\ijzmjdhjow"
C:\ProgramData\updates\host.exe /stext "C:\TEMP\tdexknslbeerct"

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 18.01.2024 20:02
vgd-YS3L24 Python 3.10.0 (64-bit)
Python Software Foundation c:\programdata\updates\host.exe 17.01.2024 16:27

drop
--------------
C:\Users\operator\AppData\Roaming\hostcr.exe
C:\ProgramData\updates\host.exe
C:\ProgramData\updates\logs.dat
%temp%\yhltikx
%temp%\ijzmjdhjow

# # # # # # # #
additional info
# # # # # # # #
{version 4.9.3 Pro
install flag true
HKCU registry run key flag true
mutex vgd-YS3L24
keylog folder updates
}
# # # # # # # #
VT & Intezer
# # # # # # # #
https://www.virustotal.com/gui/file/32d3e0a2f60e69f21634e8acc853d5d62f86eddf13d8897355e6405c5ffc4d87/details
https://www.virustotal.com/gui/file/d47694c0f3b49ae16b9f02f41268e4ee780c1cc6b43a11ed3795362e6d61aa26/details
https://www.virustotal.com/gui/file/f973ff313b0c75ede4a37fcf4df91f6e793c6daa875d3e2cb950f0e899ff8e1f/details
https://www.virustotal.com/gui/file/db818294e50a757b1511cb2ac06b678e829c5328e920c5105ec30985e585b2c0/details
https://analyze.intezer.com/analyses/18e34f1d-9074-4d13-88ef-542559acb68c/behavior
https://www.virustotal.com/gui/file/4effb7493819e25c61af5e224d8a774652957b99ec1faca19e1c84bd0c9ff840/details
https://analyze.intezer.com/analyses/45d0dab0-1e14-4e38-a7b7-0ef5db268b67/behavior
https://www.unpac.me/results/f886cf31-4369-45fb-85de-58bbcffba65b#/

VR