VRad

#remcos_301123

Nov 30th, 2023 (edited)
#IOC #OptiData #VR #remcos #SMB #RAT #mic #keylog #scr

https://pastebin.com/aG6XyqHN

previous_contact:
13/11/23 https://pastebin.com/tbRpiGG5
06/02/23 https://pastebin.com/kjv5E8Au
12/07/21 https://pastebin.com/ZYZarB9L
15/07/19 https://pastebin.com/ZxG6eRWM

FAQ:
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos


attack_vector
--------------
email > att1 .RAR > att2 .RAR (pwd) > .doc (vba) > SMB \\89_23_98_22\LN\scandoc.exe > ProgramData\Davinci\8161.exe > C2


# # # # # # # #
email_headers
# # # # # # # #
Subject: Повістка в суд-вихідний : 655559638577 від 30.11.2023
Received: from mailgw1.court.gov.ua ([212.90.190.159])
Message-Id: <202311300304.3AU34DRl015266-3AU34DRm015266@mailgw1.court.gov.ua>
From: Господарський суд Одеської області <zal15@od.arbitr.gov.ua>
Reply-To: <inbox@adm.od.court.gov.ua>
Date: Thu, 30 Nov 2023 06:04:09 +0300

# # # # # # # #
files
# # # # # # # #

SHA-256 26b4ccad487e76f40a5806c638589d3b2fb29bd799accc1cfaa6739e7ec437df
File name Господарський суд Одеської області Повістка до суду.rar [ RAR archive data, v5 ]
File size 508.61 KB (520819 bytes)

SHA-256 aa6de205e6d84c8333fd503c06fc27f55d67d04221a87481793b41070d76268f
File name Повістка до суду.rar [ RAR archive data, v5 ] PWD!
File size 507.75 KB (519934 bytes)

SHA-256 a7aca87179f51e229aa9a2f13bb8ab76750c8092579cc7b4d0cbc40235cdde27
File name Повістка до суду.doc [ Microsoft Word document ]
File size 675.00 KB (691200 bytes)

SHA-256 ff0a84220d028052a841312cd81baa525d19f7e4b0ce94dbbaf6634a776d3814
File name scandoc.exe (8161.exe) [ .NET executable ]
File size 11.87 MB (12443648 bytes)

# # # # # # # #
activity
# # # # # # # #

PL_SCR \\89_23_98_22 \ scandoc.exe


C2 95_214_26_199 :} 80
95_214_26_199 :} 465


netwrk
--------------
178.237.33.50 geoplugin.net 80 HTTP GET /json.gp HTTP/1.1
89_23_98_22 445 SMB2 Tree Connect Request Tree: \\89_23_98_22\IPC$
89_23_98_22 445 SMB2 Create Request File: scandoc.exe
95_214_26_199 80 TCP 61412 → 80 [ACK] Seq=670 Ack=98572 Win=262400 Len=0

comp
--------------
System TCP 89_23_98_22 445 ESTABLISHED
8161.exe TCP 95_214_26_199 80 ESTABLISHED

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
C:\Windows\SysWOW64\explorer.exe "\\89_23_98_22\LN \"
\??\UNC\89_23_98_22\LN\scandoc.exe
C:\ProgramData\Davinci\8161.exe

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 30.11.2023 15:16
Dv8161-E2WPIJ 7-Zip Installer Igor Pavlov c:\programdata\davinci\8161.exe 29.11.2023 14:48

drop
--------------
c:\programdata\davinci\8161.exe

# # # # # # # #
additional info
# # # # # # # #
malware_config
{
"Version": "4.9.3 Pro",
"Host:Port:Password": "95_214_26_199 :} 80",
"Assigned name": "RMC",
"Connect interval": "1",
"Install flag": "Enable",
"Setup HKCU\\Run": "Enable",
"Setup HKLM\\Run": "Enable",
"Install path": "Application path",
"Copy file": "8161.exe",
"Startup value": "Disable",
"Hide file": "Disable",
"Mutex": "Dv8161-E2WPIJ",
"Keylog flag": "0",
"Keylog path": "Application path",
"Keylog file": "logs.dat",
"Keylog crypt": "Disable",
"Hide keylog file": "Disable",
"Screenshot flag": "Disable",
"Screenshot time": "10",
"Take Screenshot option": "Disable",
"Take screenshot title": "",
"Take screenshot time": "5",
"Screenshot path": "AppData",
"Screenshot file": "Screenshots",
"Screenshot crypt": "Disable",
"Mouse option": "Disable",
"Delete file": "Disable",
"Audio record time": "5"
}

# # # # # # # #
VT & Intezer
# # # # # # # #
https://www.virustotal.com/gui/file/26b4ccad487e76f40a5806c638589d3b2fb29bd799accc1cfaa6739e7ec437df/details
https://www.virustotal.com/gui/file/aa6de205e6d84c8333fd503c06fc27f55d67d04221a87481793b41070d76268f/details
https://www.virustotal.com/gui/file/a7aca87179f51e229aa9a2f13bb8ab76750c8092579cc7b4d0cbc40235cdde27/details
https://www.virustotal.com/gui/file/ff0a84220d028052a841312cd81baa525d19f7e4b0ce94dbbaf6634a776d3814/details
https://analyze.intezer.com/analyses/f943ad68-84f5-4373-9c72-1d5ed9cfe56a

VR