- #IOC #OptiData #VR #RemcosRAT #RAR #EXE #HeavensGate
- https://pastebin.com/ZxG6eRWM
- previous_contact: n/a
- FAQ:
- https://secrary.com/ReversingMalware/RemcosRAT/
- http://www.alex-ionescu.com/?p=300
- https://www.bleepingcomputer.com/news/security/malware-loader-goes-through-heavens-gate-to-avoid-detection/
- https://www.zdnet.com/article/malware-authors-are-still-abusing-the-heavens-gate-technique/
- attack_vector
- --------------
- email attachment (.RAR archive) > contained .EXE executed by the user > TCP C2 on port 6868
- email_headers
- --------------
- Received: from rakenergyservices.com (unknown [23.106.125.215])
- From: sales@rakenergyservices.com
- To: user00@victim02
- Subject: July Purchase Order
- Date: 15 Jul 2019 00:40:30 -0700
- files
- --------------
- SHA-256 cb3fc5fba40f84ebf4fc17d6932e70b30161e2802fa5b41c64a92f0e7604bad6
- File name July Purchase Order (SV)LTD.rar [RAR archive data, vd2,]
- File size 256 KB (262140 bytes)
- SHA-256 c256f2d92af19c4b59e2ad26ad449d87c5296c23d40b82568ad9b12add261726
- File name July Purchase Order (SV)LTD.exe [PE32 executable (GUI) Intel 80386, for MS Windows]
- File size 560 KB (573440 bytes)
- activity
- **************
- PL_SCR email_attach
- C2 185.247.228.199:6868
- > Harvests information related to installed instant messenger clients
- file: C:\Users\oper\AppData\Roaming\Digsby\digsby.dat
- file: C:\Users\oper\AppData\Roaming\MySpace\IM\users.txt
- key: HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords
- key: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
- key: HKEY_CURRENT_USER\Software\Paltalk
- > Harvests information related to installed mail clients
- file: C:\Users\oper\AppData\Local\Microsoft\Windows Live Mail\*.oeaccount
- file: C:\Users\oper\AppData\Local\Microsoft\Windows Live Mail\*.*
- key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
- netwrk
- --------------
- 185.247.228.199 49222 → 6868 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
- comp
- --------------
- July Purchase Order (SV)LTD.exe 256 TCP localhost 49222 185.247.228.199 6868 ESTABLISHED
- [System] 0 TCP localhost 49224 185.247.228.199 6868 TIME_WAIT
- [System] 0 TCP localhost 49225 185.247.228.199 6868 TIME_WAIT
- [System] 0 TCP localhost 49226 185.247.228.199 6868 TIME_WAIT
- proc
- --------------
- C:\Users\oper\Desktop\July Purchase Order (SV)LTD.exe
- persist
- --------------
- n/a
- drop
- --------------
- %tmp%\orlcwccojbpotkozlbxyhmaqmgxwucnpmd
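- The script below is an added example, not part of the original paste or of any tool the paste references. It pulls the machine-readable indicators out of the paste (SHA-256 hashes, the C2 ip:port, the sending MTA address, the harvested registry keys) and matches them against two constructed inputs: a TCPView/CurrPorts-style connection table like the one in the comp section, and Sysmon-style registry events (EventID 12/13 TargetObject). Sysmon reports the current user's hive as HKU\<SID>\..., so the example normalizes that prefix to HKEY_CURRENT_USER before comparing; that normalization, the sample log lines and the IOC subset are constructed for the example, and the sha256_of() helper is only called when you point it at a real sample.

```python
"""IOC extraction and matching for the Remcos RAT indicators in the paste above.

Added example, not from the original paste. IOC_TEXT is a constructed subset of
the paste's indicator lines; CONN_LINES and REG_EVENTS are constructed samples,
not real telemetry.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed: indicator lines copied from the paste (hashes, C2, MTA, registry keys).
IOC_TEXT = """
SHA-256 cb3fc5fba40f84ebf4fc17d6932e70b30161e2802fa5b41c64a92f0e7604bad6
SHA-256 c256f2d92af19c4b59e2ad26ad449d87c5296c23d40b82568ad9b12add261726
C2 185.247.228.199:6868
Received: from rakenergyservices.com (unknown [23.106.125.215])
key: HKEY_CURRENT_USER\\Software\\America Online\\AIM6\\Passwords
key: HKEY_CURRENT_USER\\Software\\Google\\Google Talk\\Accounts
key: HKEY_CURRENT_USER\\Software\\Paltalk
"""

SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
IPPORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
REGKEY_RE = re.compile(r"^key:\s*(HK[A-Z_]+\\.+)$", re.M)
# Sysmon writes the user hive as HKU\<SID>\...; HKCU in the paste means the same key.
HKU_SID_RE = re.compile(r"^HKU\\S-1-5-21-[\d-]+\\", re.I)


@dataclass
class IocSet:
    sha256: set = field(default_factory=set)   # lower-case hex digests
    c2: set = field(default_factory=set)       # (ip, port) tuples
    ips: set = field(default_factory=set)      # every IPv4 seen (C2 and sending MTA)
    regkeys: set = field(default_factory=set)  # lower-cased HKCU paths


def parse_iocs(text: str) -> IocSet:
    """Extract hashes, ip:port pairs, bare IPs and 'key:' registry paths from paste text."""
    ioc = IocSet()
    ioc.sha256 = {h.lower() for h in SHA256_RE.findall(text)}
    ioc.c2 = {(ip, int(port)) for ip, port in IPPORT_RE.findall(text)}
    ioc.ips = set(IP_RE.findall(text))
    ioc.regkeys = {k.strip().lower() for k in REGKEY_RE.findall(text)}
    return ioc


# Constructed: TCPView-style rows "<process> <pid> TCP <lhost> <lport> <rhost> <rport> <state>".
CONN_LINES = [
    "July Purchase Order (SV)LTD.exe 256 TCP localhost 49222 185.247.228.199 6868 ESTABLISHED",
    "chrome.exe 4120 TCP localhost 50110 142.250.74.36 443 ESTABLISHED",
    "[System] 0 TCP localhost 49224 185.247.228.199 6868 TIME_WAIT",
]
CONN_RE = re.compile(
    r"^(?P<proc>.+?)\s+(?P<pid>\d+)\s+TCP\s+\S+\s+(?P<lport>\d+)\s+"
    r"(?P<rip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<rport>\d+)\s+(?P<state>\w+)$"
)


def match_connections(lines, ioc: IocSet):
    """Return (process, pid, remote ip, remote port, state) for rows hitting the C2."""
    hits = []
    for line in lines:
        m = CONN_RE.match(line)
        if not m:
            continue
        remote = (m["rip"], int(m["rport"]))
        # TIME_WAIT rows lose the owning process, so match on remote IP too, not only ip:port.
        if remote in ioc.c2 or m["rip"] in ioc.ips:
            hits.append((m["proc"], int(m["pid"]), remote[0], remote[1], m["state"]))
    return hits


# Constructed: Sysmon registry events (EventID 12/13) as dicts of the fields we need.
REG_EVENTS = [
    {"Image": r"C:\Users\oper\Desktop\July Purchase Order (SV)LTD.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\America Online\AIM6\Passwords"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run"},
]


def normalize_regkey(path: str) -> str:
    """Map HKU\\<SID>\\... to HKEY_CURRENT_USER\\... and lower-case for comparison."""
    # A function as repl avoids re.sub's backslash-escape processing of the replacement.
    return HKU_SID_RE.sub(lambda _m: "HKEY_CURRENT_USER\\", path).lower()


def match_registry(events, ioc: IocSet):
    """Return (image, target key) for events touching one of the harvested credential keys."""
    return [(e["Image"], e["TargetObject"]) for e in events
            if normalize_regkey(e["TargetObject"]) in ioc.regkeys]


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """Stream a file and return its SHA-256 hex digest (for checking a sample against ioc.sha256)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    for hit in match_connections(CONN_LINES, iocs):
        print("C2 connection:", hit)
    for hit in match_registry(REG_EVENTS, iocs):
        print("credential key access:", hit)
```

- Matching on the bare remote IP as well as the ip:port pair is deliberate: the TIME_WAIT rows in the comp section are attributed to [System] with PID 0, so the process name is gone and only the remote endpoint identifies them as C2 traffic.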
- # # #
- https://www.virustotal.com/gui/file/cb3fc5fba40f84ebf4fc17d6932e70b30161e2802fa5b41c64a92f0e7604bad6/details
- https://www.virustotal.com/gui/file/c256f2d92af19c4b59e2ad26ad449d87c5296c23d40b82568ad9b12add261726/details
- https://analyze.intezer.com/#/analyses/c41a7517-4986-44be-921b-c4b26718c01c
- VR