- #IOC #OptiData #VR #Remcos #AsyncRAT #VenomRAT #AutoIT #PWD
- https://pastebin.com/GNZ1JF9A
- previous_contact:
- 25/01/24 https://pastebin.com/cud9xwfs
- 19/01/24 https://pastebin.com/EvXHfZUB
- 18/01/24 https://pastebin.com/FL2fX362
- 25/12/23 https://pastebin.com/D535PVm3
- 21/12/23 https://pastebin.com/samYnJq6
- 30/11/23 https://pastebin.com/aG6XyqHN
- 13/11/23 https://pastebin.com/tbRpiGG5
- FAQ:
- https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
- https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
- https://malpedia.caad.fkie.fraunhofer.de/details/win.venom
- attack_vector
- --------------
- email URL > bitbucket > GET .7z > .rar (PWD) > .exe1 > .pif > .exe2 > RegAsm.exe > C2
- # # # # # # # #
- email_headers
- # # # # # # # #
- Date: Tue, 13 Feb 2024 14:41:59 +0300
- Subject: Запит № 85305 від: 13.02.2024 (translation: Request No. 85305 dated: 13.02.2024)
- From: Отрощенко Панас Світанович <noreply@ system - gps - alert_com>
- Reply-To: Федорчук Івантослав Максимович <info@ svenscholten_com>
- Received: from out196 - 21_us_a_dm_aliyun_com ([47_90_196_21])
- Received: from DESKTOP - TCRDU4C
- # # # # # # # #
- files
- # # # # # # # #
- SHA-256 6da76fadb53eea635f7facf80d210b66633a9f873fd6ae9ee76ab34a5a14fa75
- File name Zapit_Nalog_1302-09_Medoc.7z
- SHA-256 71677abac5fb8cdbfc3d40c165a0b90b7767aef32c315d7eadaeec6e5cab8735
- File name Електронний запит від податкової служби.docx.rar (translation: "Electronic request from the tax service.docx.rar"; the .docx is a decoy double extension)
- SHA-256 40aa56690dafef35b08b83eebf12c694f5cec88c6ba1ff9f499fff5a5da1ef02
- File name Електронний запит від податкової служби.docx.exe (translation: "Electronic request from the tax service.docx.exe"; the executable inside the password-protected .rar)
- SHA-256 412ea561f1fddaab3c4a0543031a61b63e762461e32554e2927e6fc0212ac6cb
- File name vns.exe
- # # # # # # # #
- activity
- # # # # # # # #
- PL_SCR bitbucket_org /obmens/file/downloads/ Zapit_Nalog_1302-09_Medoc.7z
- bitbucket_org /obmens/file/downloads/ vns.exe
- C2 Remcos
- 77_105_132_92:2404
- Async/Venom
- 77_105_132_94:4449
- 77_105_132_94:80
- 77_105_132_94:8080
- 77_105_132_94:465
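The IP, host and e-mail indicators in this paste are defanged with one convention: "." written as "_", "-" padded as " - ", and a space after "@". The Python below is added by the editor and is not part of the original paste; it turns an excerpt written in that convention back into blockable IOCs (IPs, IP:port sockets, hostnames, sender addresses, SHA-256 hashes, lure filenames). The excerpt is constructed from the lines above, and the TLD list is an assumption chosen to cover the hosts that appear here.

```python
import re

# Constructed excerpt written in the paste's defanging convention (not the paste itself):
# "." in IPs and hostnames becomes "_", "-" becomes " - ", and "@" is followed by a space.
SAMPLE = """\
From: noreply@ system - gps - alert_com
Received: from out196 - 21_us_a_dm_aliyun_com ([47_90_196_21])
PL_SCR bitbucket_org /obmens/file/downloads/ Zapit_Nalog_1302-09_Medoc.7z
C2 Remcos
77_105_132_92:2404
Async/Venom
77_105_132_94:4449
77_105_132_94:80
SHA-256 6da76fadb53eea635f7facf80d210b66633a9f873fd6ae9ee76ab34a5a14fa75
File name Zapit_Nalog_1302-09_Medoc.7z
"""

# Assumed TLD list: enough for the hosts in this paste; extend it for other dumps.
TLDS = "com|org|net|io|ua"

# Defanged IPv4 (octets joined by "_") with an optional ":port".
IP_RE = re.compile(r"(?<![\w.])(\d{1,3})_(\d{1,3})_(\d{1,3})_(\d{1,3})(?::(\d{1,5}))?(?![\w.])")
# Defanged hostname: labels joined by "_", last label a known TLD (labels may keep real "-").
HOST = rf"[A-Za-z0-9-]+(?:_[A-Za-z0-9-]+)*_(?:{TLDS})"
DOMAIN_RE = re.compile(rf"(?<![\w.-])({HOST})(?![\w.])")
EMAIL_RE = re.compile(rf"[A-Za-z0-9._-]+@({HOST})(?![\w.])")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def normalize(line: str) -> str:
    """Undo the spacing tricks: 'a - b' -> 'a-b', 'user@ host' -> 'user@host'."""
    return line.replace(" - ", "-").replace("@ ", "@")


def refang_host(token: str) -> str:
    """'bitbucket_org' -> 'bitbucket.org'."""
    return token.replace("_", ".")


def refang_email(addr: str) -> str:
    """Refang only the host part so underscores in a local part survive."""
    local, host = addr.split("@", 1)
    return f"{local}@{refang_host(host)}"


def extract_iocs(text: str) -> dict[str, list[str]]:
    """Return sorted, de-duplicated, refanged IOCs grouped by type."""
    kinds = ("ips", "sockets", "domains", "emails", "sha256", "filenames")
    found: dict[str, set[str]] = {k: set() for k in kinds}
    for raw in text.splitlines():
        line = normalize(raw)
        for m in IP_RE.finditer(line):
            octets = [int(o) for o in m.group(1, 2, 3, 4)]
            if any(o > 255 for o in octets):
                continue  # a "_"-joined number run that is not an address
            ip = ".".join(map(str, octets))
            found["ips"].add(ip)
            if m.group(5):
                found["sockets"].add(f"{ip}:{m.group(5)}")
        for m in EMAIL_RE.finditer(line):
            found["emails"].add(refang_email(m.group(0)))
        for m in DOMAIN_RE.finditer(line):
            found["domains"].add(refang_host(m.group(1)))
        for m in SHA256_RE.finditer(line):
            found["sha256"].add(m.group(0).lower())
        if line.startswith("File name "):
            found["filenames"].add(line[len("File name "):].strip())
    return {k: sorted(v) for k, v in found.items()}


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE).items():
        print(f"{kind}: {values}")
```

The octet check matters on real pastes: filenames and temp directories in this dump (e.g. `1302-09`, `57020\9229`) contain digit runs, and only the 255 bound and the look-around guards keep them out of the IP list.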
- netwrk
- --------------
- 77_105_132_92 2404 TCP 49242 → 2404 [SYN]
- 77_105_132_94 80 TCP 49245 → 80 [SYN]
- comp
- --------------
- Posts.pif 2136 TCP 77_105_132_92 2404 ESTABLISHED
- [System Process] TCP 77_105_132_92 2404 ESTABLISHED
- RegAsm.exe 3536 TCP 77_105_132_94 80 ESTABLISHED
- Posts.pif 2136 TCP 77_105_132_92 2404 ESTABLISHED
- RegAsm.exe 3536 TCP 77_105_132_94 80 ESTABLISHED
- proc
- --------------
- C:\Users\USER_NAME\Desktop\files1302\Електронний запит від податкової служби.docx.exe
- C:\Windows\SysWOW64\cmd.exe move Framed Framed.bat & Framed.bat & exit
- C:\Windows\SysWOW64\tasklist.exe
- C:\Windows\SysWOW64\findstr.exe /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
- C:\Windows\SysWOW64\tasklist.exe
- C:\Windows\SysWOW64\findstr.exe /I "wrsa.exe opssvc.exe"
- C:\Windows\SysWOW64\cmd.exe /c md 9229
- C:\Windows\SysWOW64\cmd.exe /c copy /b Graduation + Rp + Negative + Accurate + Bracket 9229\Posts.pif
- C:\Windows\SysWOW64\cmd.exe /c copy /b Textbooks + Possible + Coupled 9229\t
- C:\TEMP\57020\9229\Posts.pif 9229\t
- C:\TEMP\57020\9229\Posts.pif /stext "C:\TEMP\uuejiithfbhhogku"
- C:\TEMP\57020\9229\Posts.pif /stext "C:\TEMP\fosbjambbjzurmyggpgg"
- C:\TEMP\57020\9229\Posts.pif /stext "C:\TEMP\pqxujtxdpsrzbsmkyztihdj"
- C:\TEMP\vns.exe
- C:\Windows\SysWOW64\cmd.exe /k move Bathrooms Bathrooms.bat & Bathrooms.bat & exit
- C:\Windows\SysWOW64\tasklist.exe
- C:\Windows\SysWOW64\findstr.exe /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
- C:\Windows\SysWOW64\tasklist.exe
- C:\Windows\SysWOW64\findstr.exe /I "wrsa.exe opssvc.exe"
- C:\Windows\SysWOW64\cmd.exe /c md 9307
- C:\Windows\SysWOW64\cmd.exe /c copy /b Compound + Injection + Emotions + Worm 9307\Be.pif
- C:\Windows\SysWOW64\cmd.exe /c copy /b Certain + Damages 9307\m
- C:\TEMP\15609\9307\Be.pif 9307\m
- C:\Windows\SysWOW64\PING.EXE -n 5 localhost
- C:\Windows\SysWOW64\PING.EXE -n 5 localhost
- C:\Windows\SysWOW64\cmd.exe /k echo [InternetShortcut] > "C:\Users\USER_NAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumGuard.url" & echo URL="C:\Users\USER_NAME\AppData\Local\QuantumSec Systems\QuantumGuard.js" >> "C:\Users\USER_NAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumGuard.url" & exit
- C:\Windows\SysWOW64\cmd.exe /c schtasks.exe /create /tn "Legislation" /tr "wscript 'C:\Users\USER_NAME\AppData\Local\QuantumSec Systems\QuantumGuard.js'" /sc minute /mo 3 /F
- C:\Windows\SysWOW64\schtasks.exe /create /tn "Legislation" /tr "wscript 'C:\Users\USER_NAME\AppData\Local\QuantumSec Systems\QuantumGuard.js'" /sc minute /mo 3 /F
- C:\Windows\SysWOW64\cmd.exe /k echo [InternetShortcut] > "C:\Users\USER_NAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecureSphereR.url" & echo URL="C:\Users\USER_NAME\AppData\Local\SafeGuard Systems Inc\SecureSphereR.js" >> "C:\Users\USER_NAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecureSphereR.url" & exit
- C:\Windows\SysWOW64\cmd.exe /c schtasks.exe /create /tn "Nt" /tr "wscript 'C:\Users\USER_NAME\AppData\Local\SafeGuard Systems Inc\SecureSphereR.js'" /sc minute /mo 3 /F
- C:\Windows\SysWOW64\schtasks.exe /create /tn "Nt" /tr "wscript 'C:\Users\USER_NAME\AppData\Local\SafeGuard Systems Inc\SecureSphereR.js'" /sc minute /mo 3 /F
- C:\TEMP\15609\9307\RegAsm.exe
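The proc listing above is the whole loader chain in order: a tasklist | findstr sweep for security products (the findstr lists name Avast, AVG, Norton, Sophos, Webroot and Quick Heal processes; that vendor mapping is the editor's annotation), `copy /b` reassembling a .pif from innocuously named chunks, the .pif spawning copies of itself with `/stext <tempfile>` (the NirSoft "save to text" switch that Remcos' credential-recovery modules use, per the editor's reading of this chain), `ping -n 5 localhost` as a sleep, a Startup-folder .url whose URL= points at a local .js, and a schtasks entry running that .js with wscript every 3 minutes; RegAsm.exe copied into %temp% is the process holding the VenomRAT connection in the comp section. The Python below is an editor-added example, not part of the paste, that runs these six checks over process command lines. The sample lines are constructed from the proc section (one benign `md` line added as a control); the tag names and the vendor mapping are the editor's assumptions.

```python
import re

# Process names copied from the findstr lists in the proc section; the vendor names are
# the editor's annotation (assumption), not something the paste states.
AV_PROCESSES = {
    "avastui.exe": "Avast", "avgui.exe": "AVG", "nswscsvc.exe": "Norton",
    "sophoshealth.exe": "Sophos", "wrsa.exe": "Webroot", "opssvc.exe": "Quick Heal",
}
SCRIPT_EXT = (".js", ".vbs", ".wsf", ".hta", ".ps1", ".bat", ".cmd", ".exe", ".pif")

# "copy /b A + B + C dest": chunk list and destination.
COPY_CONCAT_RE = re.compile(r'\bcopy\s+/b\s+(.+?)\s+(\S+)\s*$', re.I)
# "<x>.pif /stext <path>": NirSoft-style text dump (assumed to be Remcos credential recovery).
STEXT_RE = re.compile(r'(\S+\.pif)\s+/stext\s+"?([^"]+)"?', re.I)
# schtasks /create /tn <name> /tr <action> /sc <unit> [/mo <n>]
SCHTASKS_RE = re.compile(
    r'schtasks(?:\.exe)?\s+/create.*?/tn\s+"([^"]+)".*?/tr\s+"(.*?)"\s+/sc\s+(\w+)(?:\s+/mo\s+(\d+))?',
    re.I)
# echo [InternetShortcut] > "...\Startup\x.url" & echo URL="<target>"
STARTUP_URL_RE = re.compile(
    r'echo\s+\[InternetShortcut\]\s*>\s*"([^"]*\\Startup\\[^"]+\.url)".*?echo\s+URL="([^"]+)"',
    re.I)
PING_DELAY_RE = re.compile(r'\bping(?:\.exe)?\s+-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)\b', re.I)

# Constructed command lines modelled on the proc section (paths as in the paste, one benign control).
SAMPLE_CMDLINES = [
    r'C:\Windows\SysWOW64\findstr.exe /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"',
    r'C:\Windows\SysWOW64\findstr.exe /I "wrsa.exe opssvc.exe"',
    r'C:\Windows\SysWOW64\cmd.exe /c copy /b Graduation + Rp + Negative + Accurate + Bracket 9229\Posts.pif',
    r'C:\TEMP\57020\9229\Posts.pif /stext "C:\TEMP\uuejiithfbhhogku"',
    r'C:\Windows\SysWOW64\PING.EXE -n 5 localhost',
    r'C:\Windows\SysWOW64\cmd.exe /k echo [InternetShortcut] > "C:\Users\USER_NAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumGuard.url" & echo URL="C:\Users\USER_NAME\AppData\Local\QuantumSec Systems\QuantumGuard.js" >> "C:\Users\USER_NAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumGuard.url" & exit',
    r"""C:\Windows\SysWOW64\schtasks.exe /create /tn "Legislation" /tr "wscript 'C:\Users\USER_NAME\AppData\Local\QuantumSec Systems\QuantumGuard.js'" /sc minute /mo 3 /F""",
    r'C:\Windows\SysWOW64\cmd.exe /c md 9229',  # benign control: must produce no hit
]


def classify(cmdline: str) -> list[tuple[str, str]]:
    """Return (tag, detail) pairs for each loader behaviour a command line shows."""
    hits: list[tuple[str, str]] = []
    low = cmdline.lower()

    if "findstr" in low:
        vendors = sorted({AV_PROCESSES[p] for p in AV_PROCESSES if p in low})
        if vendors:
            hits.append(("av_discovery", ", ".join(vendors)))

    m = COPY_CONCAT_RE.search(cmdline)
    if m and "+" in m.group(1):
        chunks = [c.strip() for c in m.group(1).split("+")]
        hits.append(("binary_concat_dropper", f"{len(chunks)} chunks -> {m.group(2)}"))

    m = STEXT_RE.search(cmdline)
    if m:
        hits.append(("stext_credential_dump", f"{m.group(1)} -> {m.group(2)}"))

    m = SCHTASKS_RE.search(cmdline)
    if m:
        name, action, unit, every = m.groups()
        if any(ext in action.lower() for ext in SCRIPT_EXT):
            hits.append(("scheduled_script_task",
                         f"{name}: /sc {unit} /mo {every or '-'} -> {action}"))

    m = STARTUP_URL_RE.search(cmdline)
    if m and m.group(2).lower().endswith(SCRIPT_EXT):
        hits.append(("startup_url_to_script", f"{m.group(1)} -> {m.group(2)}"))

    m = PING_DELAY_RE.search(cmdline)
    if m:
        hits.append(("ping_sleep", f"{m.group(1)} probes"))
    return hits


def scan(cmdlines: list[str]) -> list[tuple[int, str, str]]:
    """(line index, tag, detail) for every hit across a process listing."""
    return [(i, tag, detail) for i, c in enumerate(cmdlines) for tag, detail in classify(c)]


def chain_tags(cmdlines: list[str]) -> set[str]:
    """Distinct behaviours seen; the full set on one host is the signature of this chain."""
    return {tag for _, tag, _ in scan(cmdlines)}


if __name__ == "__main__":
    for idx, tag, detail in scan(SAMPLE_CMDLINES):
        print(f"[{idx}] {tag}: {detail}")
```

Any one of these tags fires on benign software occasionally (installers use `ping -n` as a sleep, admins create minute-interval tasks); the practical rule is to alert when several of them appear from the same parent within a short window, which `chain_tags` gives you per host.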
- persist
- --------------
- startup_folder
- QuantumGuard.url c:\users\USER_NAME\appdata\roaming\microsoft\windows\start menu\programs\startup\quantumguard.url 13.02.2024 15:29
- target -> C:/Users/USER_NAME/AppData/Local/QuantumSec%20Systems/QuantumGuard.js
- SecureSphereR.url c:\users\USER_NAME\appdata\roaming\microsoft\windows\start menu\programs\startup\securespherer.url 13.02.2024 15:29
- target -> C:/Users/USER_NAME/AppData/Local/SafeGuard%20Systems%20Inc/SecureSphereR.js
- tasks
- \Legislation c:\users\USER_NAME\appdata\local\quantumsec systems\quantumguard.js 13.02.2024 15:29
- \Nt c:\users\USER_NAME\appdata\local\safeguard systems inc\securespherer.js 13.02.2024 15:29
- drop
- --------------
- %temp%\vns.exe
- %temp%\15609\9307\Be
- %temp%\15609\9307\m
- %temp%\15609\9307\RegAsm.exe
- %temp%\57020\9229\Posts
- %temp%\57020\9229\t
- %temp%\fosbjambbjzurmyggpgg
- %temp%\fwtsqmfile00.sqm
- C:\Users\USER_NAME\AppData\Local\SafeGuard Systems Inc\*
- C:\Users\USER_NAME\AppData\Local\QuantumSec Systems\*
- C:\Users\USER_NAME\AppData\Roaming\MyData\DataLogs.conf
- C:\Users\USER_NAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecureSphereR.url
- C:\Users\USER_NAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumGuard.url
- # # # # # # # #
- additional info
- # # # # # # # #
- VenomRAT config
- "Server": "77_105_132_94",
- "Ports": "4449,80,8080,465",
- "Version": "Venom RAT + HVNC + Stealer + Grabber v6.0.3",
- "Autorun": "false",
- "Install_Folder": "%AppData%",
- "AES_key": "ewzQQkKb2L84tiZEIqI9PQwVg3Do2EXO",
- "Mutex": "unqcqotrpzwqx",
- # # # # # # # #
- VT & Intezer
- # # # # # # # #
- https://www.virustotal.com/gui/url/2ca55c8a4b6400585a465738f31724e78a530ff9ab1836a9e3481f9e860f8540/details
- https://www.virustotal.com/gui/file/6da76fadb53eea635f7facf80d210b66633a9f873fd6ae9ee76ab34a5a14fa75/details
- https://www.virustotal.com/gui/file/71677abac5fb8cdbfc3d40c165a0b90b7767aef32c315d7eadaeec6e5cab8735/details
- https://www.virustotal.com/gui/file/40aa56690dafef35b08b83eebf12c694f5cec88c6ba1ff9f499fff5a5da1ef02/details
- https://analyze.intezer.com/analyses/54047516-0e47-45a4-9234-9bef44e933a7/genetic-analysis
- https://www.virustotal.com/gui/url/97391e6870d56a89468f4a3e01813f85155ff742efba181f4c36580b9b7ae740/details
- https://www.virustotal.com/gui/file/412ea561f1fddaab3c4a0543031a61b63e762461e32554e2927e6fc0212ac6cb/details
- https://analyze.intezer.com/analyses/7978e003-0ce7-4672-8bf7-1ab3e8287b7d
- VR