VRad

#remcos_130824

Aug 13th, 2024 (edited)
#IOC #OptiData #VR #remcos #RAT #stego #pngbase64 #RegAsm #PowerShell

https://pastebin.com/VDVp6hSi

previous_contact:
19/01/24 https://pastebin.com/EvXHfZUB
18/01/24 https://pastebin.com/FL2fX362
25/12/23 https://pastebin.com/D535PVm3
21/12/23 https://pastebin.com/samYnJq6
30/11/23 https://pastebin.com/aG6XyqHN
13/11/23 https://pastebin.com/tbRpiGG5
06/02/23 https://pastebin.com/kjv5E8Au

FAQ:
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

attack_vector
--------------
email attach .xla (VBA) > get .doc (11882) > get .vbs > powershell > get base64 > get .jpeg (stego) > get .txt > decode > inject RegAsm.exe > C2


# # # # # # # #
email_headers
# # # # # # # #
Date: 13 Aug 2024 04:18:41 +0000
From: "OCBC Bank|Account Mngr (m .papolzi -ocbcbank .com)" <customercare @appaelingproduct .com>
Subject: RE: PI_PA0092000121
Received: from box0 .appaelingproduct .com ([185 .123 .102 .38])
Message-ID: <20240813041841.E40A6B787349C5B4 @appaelingproduct .com>

# # # # # # # #
files
# # # # # # # #
SHA-256 07ff6518739dbf4f160dfe9a208aa122953ad0c5d0a10d3b05dba1b79e2ac271
File name PI_PA0092000121.xla
File size 451.00 KB (461824 bytes)

SHA-256 84f9bf00cac9b861c3088374d9031eba43506392ec66aa2ebaa9f2b1f7ad3705
File name wearegreattogetmebackwtihsuperattitudeleversheisverybeatygirlfrndofmysheknowthatshewanttolvoerme__________untileiloveherwithalldays.doc
File size 104.78 KB (107298 bytes)

SHA-256 1ffaf58260c6eb0fb2d33091a9aa48a48ea3d54e3b201b129c7b252d79e83333
File name shestudentgreatloverevergetme.vbS
File size 181.19 KB (185536 bytes)

SHA-256 ebe7c0a067c87ada62581531981365304364f4675be7cde328201395e942af9c
File name vbs.jpeg
File size 1.84 MB (1929861 bytes)

SHA-256 226c1a354cd215bd32f5f74145a2441403c71c5904150d04d0d5709030d6ee14
File name CAMM.txt
File size 644.00 KB (659456 bytes)

# # # # # # # #
activity
# # # # # # # #

PL_SCR http:// servidorwindows _ddns _com _br/Files/vbs.jpeg
192_3_64_157 /141 /CAMM.txt

C2 192_3_101_29

netwrk
--------------
66_29_141_149 jio_cx 443 TLSv1.3 Client Hello (SNI=jio_cx)
192_3_64_157 192_3_64_157 80 HTTP GET /141/ie/weare___alldays.doc HTTP/1.1 Mozilla/4.0
192_3_64_157 192_3_64_157 80 HTTP HEAD /141/ie/weare___alldays.doc HTTP/1.1 Microsoft Office Existence Discovery
192_3_64_157 192_3_64_157 80 HTTP GET /141/shestudentgreatloverevergetme.tIF HTTP/1.1 Mozilla/4.0
177_106_217_75 servidorwindows _ddns _com _br 80 HTTP GET /Files/vbs.jpeg HTTP/1.1
192_3_64_157 192_3_64_157 80 HTTP GET /141/CAMM.txt HTTP/1.1
192_3_101_29 14645 TLSv1.3 Client Hello

comp
--------------
EXCEL.EXE 443 66_29_141_149
EXCEL.EXE 443 172_64_149_23
EXCEL.EXE 80 104_18_38_233
EXCEL.EXE 80 192_3_64_157
powershell.exe 80 177_106_217_75
powershell.exe 80 192_3_64_157
RegAsm.exe 14645 192_3_101_29

proc
--------------
C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
C:\Windows\System32\WScript.exe" "C:\Users\User01\AppData\Roaming\shestudentgreatloverevergetme.vBS
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J➹ ῎ ⺝ | ∡Bs➹ ῎ ⺝ | ∡Gk➹
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ...
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\User01\AppData\Local\Temp\dwjdeyvbtmmjfv
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\User01\AppData\Local\Temp\frpvwqgvhuevhbggb
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\User01\AppData\Local\Temp\frpvwqgvhuevhbggb
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\User01\AppData\Local\Temp\qtuoxjrwvcwarhuktqdh

persist
--------------
n/a

drop
--------------
C:\Users\User01\AppData\Roaming\shestudentgreatloverevergetme.vBS


# # # # # # # #
additional info
# # # # # # # #
n/a

# # # # # # # #
VT & Intezer
# # # # # # # #
https://www.virustotal.com/gui/file/07ff6518739dbf4f160dfe9a208aa122953ad0c5d0a10d3b05dba1b79e2ac271/details
https://www.virustotal.com/gui/file/84f9bf00cac9b861c3088374d9031eba43506392ec66aa2ebaa9f2b1f7ad3705/details
https://www.virustotal.com/gui/file/1ffaf58260c6eb0fb2d33091a9aa48a48ea3d54e3b201b129c7b252d79e83333/details
https://www.virustotal.com/gui/file/ebe7c0a067c87ada62581531981365304364f4675be7cde328201395e942af9c/details
https://www.virustotal.com/gui/file/226c1a354cd215bd32f5f74145a2441403c71c5904150d04d0d5709030d6ee14/details

VR