VRad

#remcos_060223

Feb 6th, 2023 (edited)
#IOC #OptiData #VR #remcos #rat

https://pastebin.com/kjv5E8Au

previous_contact:
12/07/21 https://pastebin.com/ZYZarB9L
15/07/19 https://pastebin.com/ZxG6eRWM

FAQ:
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
https://urlhaus.abuse.ch/browse/tag/remcos

attack_vector
--------------
email > attach1 .rar > attach2 .rar (pwd) > exe1 > %temp%\2.exe > %userprofile%\sql\sql.exe > C2


# # # # # # # #
email_headers
# # # # # # # #
Return-Path: <info@telecomds.online>
Received: from telecomds.online (telecomds.online [80.78.254.28])
From: Глушко Іван Кирилович <info@telecomds.online>
Subject: Судова претензія за Вашим особовим рахунком # 368970468258859253 от: 06.02.2023
Date: Sun, 5 Feb 2023 13:35:48 -0800
Message-Id: <E1pOmfs-000Pdp-6C@mail.telecomds.online>


# # # # # # # #
files
# # # # # # # #

SHA-256 f1103f0e35b7b47f020f951f07a87c74275aacec6a2610690a0f80e34e8eae73
File name судовий лист, інформація щодо заборгування.rar [ RAR compressed archive (v5.0) ]
File size 534.64 KB (547476 bytes)

SHA-256 5047f53e2e496b38b1a11bc856c79d6602fb28f7a0b16a4c4082845dee225677
File name судовий лист, інформація щодо заборгування. pdf.rar [ RAR compressed archive (v5.0) password protected ]
File size 533.76 KB (546574 bytes)

SHA-256 644f8bf83d861db06b736b1d5e541e35d3eae75a74d6f2561fa26a9a271a2c2b
File name судовий лист, інформація щодо заборгування.pdf.exe
File size 656 MB

SHA-256 ca408a4f313a8dc8afe42b490e74b345d758bc319c0b5b251f03fed84e8deb0e
File name 2.exe (sql.exe) [ PE32 executable for MS Windows (GUI) ]
File size 476.00 KB (487424 bytes)


# # # # # # # #
activity
# # # # # # # #

PL_SCR email_attach


C2 94.131.99.89:5222
94.131.99.56:5222
94.131.99.156:5222
101.99.91.158:5222
124.88.67.67:5222
178.23.190.252:8080
178.23.190.253:8080
178.23.190.254:8080
178.23.190.54:8080


netwrk
--------------
101.99.91.158 5222 TCP 49577 → 5222 [SYN]
124.88.67.67 5222 TCP 49579 → 5222 [SYN]
178.23.190.252 8080 TCP 49585 → 8080 [SYN]
178.23.190.253 8080 TCP 49586 → 8080 [SYN]
178.23.190.254 8080 TCP 49587 → 8080 [SYN]
178.23.190.54 8080 TCP 49600 → 8080 [SYN]
94.131.99.156 5222 TCP 49606 → 5222 [SYN]
94.131.99.56 5222 TCP 49584 → 5222 [SYN]
94.131.99.89 5222 TCP 49583 → 5222 [SYN]


comp
--------------
sql.exe 3820 101.99.91.158 5222 ESTABLISHED
sql.exe 3820 94.131.99.153 8080 ESTABLISHED
sql.exe 3820 94.131.99.156 5222 ESTABLISHED
sql.exe 3820 178.23.190.252 8080 ESTABLISHED
sql.exe 3820 178.23.190.253 8080 ESTABLISHED
sql.exe 3820 124.88.67.67 5222 ESTABLISHED
sql.exe 3820 124.88.67.98 5222 ESTABLISHED
sql.exe 3820 178.23.190.254 8080 ESTABLISHED


proc
--------------
C:\Users\operator\Desktop\судовий лист, інформація щодо заборгування.pdf.exe
C:\tmp\2.exe
C:\Users\operator\sql\sql.exe


persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 06.02.2023 15:03
skype_upd c:\users\operator\sql\sql.exe 25.01.2023 13:44


drop
--------------
%temp%\2.exe
%userprofile%\sql\sql.exe

# # # # # # # #
VT & Intezer
# # # # # # # #
https://www.virustotal.com/gui/file/f1103f0e35b7b47f020f951f07a87c74275aacec6a2610690a0f80e34e8eae73/details
https://www.virustotal.com/gui/file/5047f53e2e496b38b1a11bc856c79d6602fb28f7a0b16a4c4082845dee225677/details
https://www.virustotal.com/gui/file/ca408a4f313a8dc8afe42b490e74b345d758bc319c0b5b251f03fed84e8deb0e/details
https://analyze.intezer.com/analyses/da288060-eb42-4882-9ac7-291a299bb338

VR