VRad

#remcos_220824

Aug 23rd, 2024 (edited)
#IOC #OptiData #VR #remcos #RAT #stego #pngbase64 #PowerShell #Msbuild

https://pastebin.com/VmpVnz6b

previous_contact:
16/08/24 https://pastebin.com/AkHsxz6R
13/08/24 https://pastebin.com/VDVp6hSi
19/01/24 https://pastebin.com/EvXHfZUB
18/01/24 https://pastebin.com/FL2fX362
25/12/23 https://pastebin.com/D535PVm3
21/12/23 https://pastebin.com/samYnJq6
30/11/23 https://pastebin.com/aG6XyqHN
13/11/23 https://pastebin.com/tbRpiGG5
06/02/23 https://pastebin.com/kjv5E8Au

FAQ:
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

attack_vector
--------------
email URL > GDrive > .pdf.url > \\185 _217 _197 _84 @80\file\remittances.exe > wscript > powershell > get bitbucket .jpg & .txt > Msbuild.exe > C2


# # # # # # # #
email_headers
# # # # # # # #
Date: Thu, 22 Aug 2024 13:07:23 +0300
From: Агафонов Игорь Федорович <budi.m @tstech _co _id>
Subject: Документи (Платіжне доручення) [Ukrainian: "Documents (Payment order)"]
Reply-To: "hamed @iecinspection _com" <hamed @iecinspection _com>
Received: from svr _tstech _co _id ([116 _204 _249 _248])
Received: from [193 _33 _153 _83]

# # # # # # # #
files
# # # # # # # #
SHA-256 2c03058661577a580eaeced9e06f918223cdecae84b91ac44a6a2755de4aff3f
File name scan_doc_9038376738.pdf.url
File size 69 B (69 bytes)

SHA-256 3e243672f6c94dd0edc7e41d6ab0920b1cd174fe102c71ae73d013c552edd6e4
File name new_image.jpg
File size 4.71 MB (4942734 bytes)

SHA-256 8770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5
File name gb20.txt
File size 683.94 KB (700352 bytes)

SHA-256 44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82
File name System.dll
File size 11.00 KB (11264 bytes)

SHA-256 910ae266eb8177aa46e2a2c77029e57b30d7aaa819c3b8451514bf1b1ae26f8d
File name word.exe
File size 704.23 KB (721136 bytes)

# # # # # # # #
activity
# # # # # # # #

PL_SCR drive _google _com/file/d/1EipxNQZfEMcr0D0v3bg9VHhhuBQfRKvK [decoy]
\\185 _217 _197 _84 @80\file\remittances.exe [dropper]
bitbucket _org/hgdfhdfgd/test/downloads/new_image.jpg?11811735 [loader]
bitbucket _org/hgdfhdfgd/test/downloads/new_image.jpg?14441723 [loader]
bitbucket _org/rulmerurk/ertertqw/downloads/gb20.txt [payload]

C2 111 _90 _148 _123


netwrk
--------------
185 _217 _197 _84 185 _217 _197 _84 80 HTTP PROPFIND /file/remittances.exe HTTP/1.1 Microsoft-WebDAV-MiniRedir/10.0.22631
185 _217 _197 _84 185 _217 _197 _84 80 HTTP GET /file/remittances.exe HTTP/1.1 Microsoft-WebDAV-MiniRedir/10.0.22631
185 _217 _197 _84 185 _217 _197 _84 80 HTTP PROPFIND /SystemResources/remittances.exe.mun HTTP/1.1 Microsoft-WebDAV-MiniRedir/10.0.22631
185 _166 _143 _49 443 TLSv1.2 Client Hello (SNI=bitbucket _org)
3 _5 _22 _187 443 TLSv1.2 Client Hello (SNI=bbuseruploads.s3.amazonaws.com)
111 _90 _148 _123 2404 TCP
178 _237 _33 _50 geoplugin _net 80 HTTP GET /json.gp HTTP/1.1

comp
--------------
svchost.exe 185 _217 _197 _84 80
powershell.exe 185 _166 _143 _49 443
powershell.exe 3 _5 _22 _187 443
Msbuild.exe 111 _90 _148 _123 2404
Msbuild.exe 178 _237 _33 _50 80

proc
--------------
UNC\185 _217 _197 _84 @80\file\remittances.exe
C:\Windows\SYSTEM32\cmd.exe /c plk.vbs
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\User01\AppData\Local\Temp\IXP000.TMP\plk.vbs"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = ... base64
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" get bitbucket _org/hgdfhdfgd/test/downloads/new_image.jpg?11811735 <<BASE64_START>> ...
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
C:\Users\User01\AppData\Local\Temp\word.exe

persist
--------------
n/a

drop
--------------
%temp%\nsp****.tmp\System.dll
%temp%\word.exe
\ProgramData\remcos\logs.dat

# # # # # # # #
additional info
# # # # # # # #
n/a


# # # # # # # #
VT & Intezer
# # # # # # # #
https://www.virustotal.com/gui/file/2c03058661577a580eaeced9e06f918223cdecae84b91ac44a6a2755de4aff3f/details
https://www.virustotal.com/gui/file/3e243672f6c94dd0edc7e41d6ab0920b1cd174fe102c71ae73d013c552edd6e4/details
https://www.virustotal.com/gui/file/8770b5a446779bb6dc8eef0e4e302a68b63e07c5e79430ab80cc42b21156ffa5/details
https://www.virustotal.com/gui/file/44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82/details
https://www.virustotal.com/gui/file/910ae266eb8177aa46e2a2c77029e57b30d7aaa819c3b8451514bf1b1ae26f8d/details

VR