VRad

#RemcosRat_150719

Jul 15th, 2019
#IOC #OptiData #VR #RemcosRAT #RAR #EXE #HeavensGate

https://pastebin.com/ZxG6eRWM

previous_contact: n/a

FAQ:
https://secrary.com/ReversingMalware/RemcosRAT/
http://www.alex-ionescu.com/?p=300
https://www.bleepingcomputer.com/news/security/malware-loader-goes-through-heavens-gate-to-avoid-detection/
https://www.zdnet.com/article/malware-authors-are-still-abusing-the-heavens-gate-technique/

attack_vector
--------------
email attach .RAR > exe > C2 :6868

email_headers
--------------
Received: from rakenergyservices.com (unknown [23.106.125.215])
From: sales@rakenergyservices.com
To: user00@victim02
Subject: July Purchase Order
Date: 15 Jul 2019 00:40:30 -0700

files
--------------
SHA-256 cb3fc5fba40f84ebf4fc17d6932e70b30161e2802fa5b41c64a92f0e7604bad6
File name July Purchase Order (SV)LTD.rar [RAR archive data, vd2,]
File size 256 KB (262140 bytes)

SHA-256 c256f2d92af19c4b59e2ad26ad449d87c5296c23d40b82568ad9b12add261726
File name July Purchase Order (SV)LTD.exe [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 560 KB (573440 bytes)

activity
**************
PL_SCR email_attach

C2 185.247.228.199:6868

> Harvests information related to installed instant messenger clients
file: C:\Users\oper\AppData\Roaming\Digsby\digsby.dat
file: C:\Users\oper\AppData\Roaming\MySpace\IM\users.txt
key: HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords
key: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
key: HKEY_CURRENT_USER\Software\Paltalk

> Harvests information related to installed mail clients
file: C:\Users\oper\AppData\Local\Microsoft\Windows Live Mail\*.oeaccount
file: C:\Users\oper\AppData\Local\Microsoft\Windows Live Mail\*.*
key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003

netwrk
--------------
185.247.228.199 49222 → 6868 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1

comp
--------------
July Purchase Order (SV)LTD.exe 256 TCP localhost 49222 185.247.228.199 6868 ESTABLISHED

[System] 0 TCP localhost 49224 185.247.228.199 6868 TIME_WAIT
[System] 0 TCP localhost 49225 185.247.228.199 6868 TIME_WAIT
[System] 0 TCP localhost 49226 185.247.228.199 6868 TIME_WAIT

July Purchase Order (SV)LTD.exe 256 TCP localhost 49222 185.247.228.199 6868 ESTABLISHED

proc
--------------
C:\Users\oper\Desktop\July Purchase Order (SV)LTD.exe

persist
--------------
n/a

drop
--------------
%tmp%\orlcwccojbpotkozlbxyhmaqmgxwucnpmd

# # #
https://www.virustotal.com/gui/file/cb3fc5fba40f84ebf4fc17d6932e70b30161e2802fa5b41c64a92f0e7604bad6/details
https://www.virustotal.com/gui/file/c256f2d92af19c4b59e2ad26ad449d87c5296c23d40b82568ad9b12add261726/details
https://analyze.intezer.com/#/analyses/c41a7517-4986-44be-921b-c4b26718c01c

VR