#RemcosRat_150719

VRad Jul 15th, 2019 (edited)
#IOC #OptiData #VR #RemcosRAT #RAR #EXE #HeavensGate

https://pastebin.com/ZxG6eRWM

previous_contact: n/a

FAQ:
https://secrary.com/ReversingMalware/RemcosRAT/
http://www.alex-ionescu.com/?p=300
https://www.bleepingcomputer.com/news/security/malware-loader-goes-through-heavens-gate-to-avoid-detection/
https://www.zdnet.com/article/malware-authors-are-still-abusing-the-heavens-gate-technique/

attack_vector
--------------
email attach .RAR > exe > C2 :6868

email_headers
--------------
Received: from rakenergyservices.com (unknown [23.106.125.215])
From: sales@rakenergyservices.com
To: user00@victim02
Subject: July Purchase Order
Date: 15 Jul 2019 00:40:30 -0700

files
--------------
SHA-256     cb3fc5fba40f84ebf4fc17d6932e70b30161e2802fa5b41c64a92f0e7604bad6
File name   July Purchase Order (SV)LTD.rar     [RAR archive data, vd2,]
File size   256 KB (262140 bytes)

SHA-256     c256f2d92af19c4b59e2ad26ad449d87c5296c23d40b82568ad9b12add261726
File name   July Purchase Order (SV)LTD.exe     [PE32 executable (GUI) Intel 80386, for MS Windows]
File size   560 KB (573440 bytes)

activity
**************
PL_SCR      email_attach

C2      185.247.228.199:6868

> Harvests information related to installed instant messenger clients
file: C:\Users\oper\AppData\Roaming\Digsby\digsby.dat
file: C:\Users\oper\AppData\Roaming\MySpace\IM\users.txt
key: HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords
key: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
key: HKEY_CURRENT_USER\Software\Paltalk

> Harvests information related to installed mail clients
file: C:\Users\oper\AppData\Local\Microsoft\Windows Live Mail\*.oeaccount
file: C:\Users\oper\AppData\Local\Microsoft\Windows Live Mail\*.*
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003

netwrk
--------------
185.247.228.199         49222 → 6868 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1

comp
--------------
July Purchase Order (SV)LTD.exe 256 TCP localhost   49222   185.247.228.199 6868    ESTABLISHED

[System]            0   TCP localhost   49224   185.247.228.199 6868    TIME_WAIT
[System]            0   TCP localhost   49225   185.247.228.199 6868    TIME_WAIT
[System]            0   TCP localhost   49226   185.247.228.199 6868    TIME_WAIT

July Purchase Order (SV)LTD.exe 256 TCP localhost   49222   185.247.228.199 6868    ESTABLISHED

proc
--------------
C:\Users\oper\Desktop\July Purchase Order (SV)LTD.exe

persist
--------------
n/a

drop
--------------
%tmp%\orlcwccojbpotkozlbxyhmaqmgxwucnpmd

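Added example (not part of the original paste, not OptiData/VR code): a small IOC sweep that turns the indicators above into checks a responder can run on a suspect host. The SHA-256 values, C2 pair, sender domain/relay IP and %tmp% drop name are copied from this paste; the netstat-style rows are constructed here and assume the Windows `netstat -ano` column layout (proto, local, remote, state, PID); the header sample reuses the headers listed above.

```python
"""
IOC sweep for the #RemcosRat_150719 indicators.
Added example, not code from the original paste. Indicators are copied
from the paste; SAMPLE_NETSTAT rows are constructed (assumed `netstat -ano`
layout), SAMPLE_HEADERS reuses the paste's email_headers block.
"""
import hashlib
import os
import re

# --- indicators copied from the paste -------------------------------------
C2_IP = "185.247.228.199"
C2_PORT = 6868
SHA256_IOCS = {
    "cb3fc5fba40f84ebf4fc17d6932e70b30161e2802fa5b41c64a92f0e7604bad6":
        "July Purchase Order (SV)LTD.rar",
    "c256f2d92af19c4b59e2ad26ad449d87c5296c23d40b82568ad9b12add261726":
        "July Purchase Order (SV)LTD.exe",
}
SENDER_DOMAIN = "rakenergyservices.com"
SENDER_IP = "23.106.125.215"
DROP_NAME = "orlcwccojbpotkozlbxyhmaqmgxwucnpmd"   # dropped under %tmp%

# --- constructed sample input (assumed netstat -ano format) ---------------
SAMPLE_NETSTAT = """
  TCP    10.0.0.5:49222    185.247.228.199:6868   ESTABLISHED     256
  TCP    10.0.0.5:49224    185.247.228.199:6868   TIME_WAIT       0
  TCP    10.0.0.5:49300    93.184.216.34:443      ESTABLISHED     1204
""".strip("\n").splitlines()

SAMPLE_HEADERS = """Received: from rakenergyservices.com (unknown [23.106.125.215])
From: sales@rakenergyservices.com
To: user00@victim02
Subject: July Purchase Order
"""

NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")
RECEIVED_RE = re.compile(r"^Received:\s+from\s+(\S+)\s+\(.*?\[([0-9.]+)\]\)", re.M)
FROM_RE = re.compile(r"^From:\s+\S*@([\w.-]+)", re.M)


def scan_netstat(lines):
    """(pid, local_port, state) for each TCP socket talking to the C2 pair.
    TIME_WAIT rows are kept on purpose: the beacon is visible after the
    process has exited, as the [System] rows in the 'comp' section show."""
    hits = []
    for line in lines:
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, _lip, lport, rip, rport, state, pid = m.groups()
        if proto == "TCP" and rip == C2_IP and int(rport) == C2_PORT:
            hits.append((int(pid), int(lport), state))
    return hits


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def lookup_sha256(digest):
    """Name of the listed sample with this SHA-256, or None."""
    return SHA256_IOCS.get(digest.lower())


def scan_files(paths):
    """[(path, sample_name)] for files whose SHA-256 matches a listed sample."""
    return [(p, lookup_sha256(sha256_file(p))) for p in paths
            if lookup_sha256(sha256_file(p))]


def scan_headers(header_text):
    """Sorted sender indicators (domain / relay IP) found in raw headers."""
    found = set()
    for host, ip in RECEIVED_RE.findall(header_text):
        if host.lower() == SENDER_DOMAIN:
            found.add(host.lower())
        if ip == SENDER_IP:
            found.add(ip)
    for dom in FROM_RE.findall(header_text):
        if dom.lower() == SENDER_DOMAIN:
            found.add(dom.lower())
    return sorted(found)


def scan_tmp(listing):
    """Entries of a %tmp% listing equal to the paste's dropped file name."""
    return [n for n in listing if n.lower() == DROP_NAME]


if __name__ == "__main__":
    print("netstat hits:", scan_netstat(SAMPLE_NETSTAT))
    print("header hits :", scan_headers(SAMPLE_HEADERS))
    print("tmp hits    :", scan_tmp(os.listdir(os.environ.get("TMP", "/tmp"))))
```

Feed `scan_netstat` the output of `netstat -ano` and `scan_files` the paths under Desktop/Downloads and %tmp%; a hash match on either sample or a socket to 185.247.228.199:6868 confirms this campaign, while the sender checks are only a triage signal since the From: domain is trivially spoofable.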
# # #
https://www.virustotal.com/gui/file/cb3fc5fba40f84ebf4fc17d6932e70b30161e2802fa5b41c64a92f0e7604bad6/details
https://www.virustotal.com/gui/file/c256f2d92af19c4b59e2ad26ad449d87c5296c23d40b82568ad9b12add261726/details
https://analyze.intezer.com/#/analyses/c41a7517-4986-44be-921b-c4b26718c01c

VR