- #IOC #OptiData #VR #remcos #rat #mic #keylog #scr
- https://pastebin.com/tbRpiGG5
- previous_contact:
- 06/02/23 https://pastebin.com/kjv5E8Au
- 12/07/21 https://pastebin.com/ZYZarB9L
- 15/07/19 https://pastebin.com/ZxG6eRWM
- FAQ:
- https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
- attack_vector
- --------------
- email > att1 .RAR > att2 .RAR > att3 .RAR (password-protected) > .EXE (double extension .pdf.exe) > \ProgramData\davinci\sql.exe > C2
- # # # # # # # #
- email_headers
- # # # # # # # #
- Return-Path: <info@davincigroup.online>
- Received: from davincigroup.online (unknown [45.10.245.245])
- From: Головне Оперативне Управління СБУ України <info@davincigroup.online>   [display name: "Main Operational Directorate of the SBU of Ukraine"]
- Subject: запит ГОУ СБУ України № 90575 /СБ-23   [EN: "request of the GOU (Main Operational Directorate) of the SBU of Ukraine No. 90575 /SB-23"]
- Date: Sun, 12 Nov 2023 15:53:30 -0800
- Message-Id: <E1r2KGg-000IpF-JZ@mail.davincigroup.online>
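Header triage for the lure above, as an added example (not part of the paste, and not the author's tooling): it parses the quoted headers with the standard library, flags a display name that claims a government body while the sender domain is unrelated, flags a Return-Path domain that differs from the From domain, and flags a Received hop with no reverse DNS ("unknown [ip]"). The keyword list and the `.gov.ua` suffix policy are assumptions made for the example; the header text is a constructed copy of the lines in this paste.

```python
"""Triage the quoted phishing headers: display-name vs. sender-domain mismatch, Return-Path mismatch, missing rDNS."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed copy of the headers quoted in the paste (message body omitted).
RAW_HEADERS = """\
Return-Path: <info@davincigroup.online>
Received: from davincigroup.online (unknown [45.10.245.245])
From: Головне Оперативне Управління СБУ України <info@davincigroup.online>
Subject: запит ГОУ СБУ України № 90575 /СБ-23
Date: Sun, 12 Nov 2023 15:53:30 -0800
Message-Id: <E1r2KGg-000IpF-JZ@mail.davincigroup.online>

"""

# Assumed policy for the example: if the display name or subject mentions one of
# these organisations, the sending domain must end with one of the allowed suffixes.
CLAIMED_ORGS = {
    "sbu": (("сбу", "sbu", "security service of ukraine"), (".gov.ua",)),
}

# Postfix/Exim style hop where the MTA could not resolve a PTR for the client IP.
RECEIVED_UNKNOWN = re.compile(r"\(unknown \[(\d{1,3}(?:\.\d{1,3}){3})\]\)")


def triage(raw: str) -> dict:
    """Return the From domain and a list of textual flags for the given raw headers."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = {"from_domain": domain, "flags": []}

    # 1. Organisation claimed in display name / subject vs. actual sender domain.
    haystack = (name + " " + msg.get("Subject", "")).lower()
    for org, (keywords, allowed_suffixes) in CLAIMED_ORGS.items():
        if any(k in haystack for k in keywords) and not domain.endswith(allowed_suffixes):
            findings["flags"].append(f"display_name_claims_{org}_but_domain_is_{domain}")

    # 2. Return-Path domain differing from the From domain (common with bulk senders).
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    if rp_domain and rp_domain != domain:
        findings["flags"].append("return_path_domain_mismatch")

    # 3. Any Received hop whose client IP had no reverse DNS.
    for hop in msg.get_all("Received", []):
        m = RECEIVED_UNKNOWN.search(hop)
        if m:
            findings["flags"].append(f"no_reverse_dns_for_{m.group(1)}")
    return findings


if __name__ == "__main__":
    result = triage(RAW_HEADERS)
    print(result["from_domain"])
    for flag in result["flags"]:
        print(" -", flag)
```

For this sample the Return-Path and From domains agree (both davincigroup.online), so only the organisation/domain mismatch and the missing rDNS for 45.10.245.245 fire; the keyword list would need extending per organisation you care about.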
- # # # # # # # #
- files
- # # # # # # # #
- SHA-256 4bd8ec1e82fdea9d8d24f1e7a133d409aa941e13fcc7b6ce1889bed3b7a0afbc
- File name 1_Електронна вимога СБУ України.rar [ RAR archive data, v5 ]   [EN: "1_Electronic demand of the SBU of Ukraine.rar"]
- File size 944.55 KB (967216 bytes)
- SHA-256 2ce640749819e27d457827eede4d14abbf65981cd716ef25d9489b7eeba314d2
- File name 2_Електронна вимога СБУ України.rar [ RAR archive data, v5 ]   [EN: "2_Electronic demand of the SBU of Ukraine.rar"]
- File size 944.11 KB (966764 bytes)
- SHA-256 6a6f71cf5cfeb8698987aa3e826b19ef05be3f0112c46d79b366feb914340335
- File name 3_Вимога СБУ 543 від 13.11.2023.pdf.rar [ RAR archive data, v5 ] password-protected   [EN: "3_SBU demand 543 dated 13.11.2023.pdf.rar"]
- File size 943.59 KB (966238 bytes)
- SHA-256 a4d5382438138f679073396bca73dc4f6bc39420966944f4fea8a9ab4087d004
- File name 4_Вимога СБУ 543 від 13.11.2023.pdf.exe [ PE32 executable (GUI) ] requests admin privileges (UAC prompt)   [EN: "4_SBU demand 543 dated 13.11.2023.pdf.exe"]
- File size 996.00 KB (1019904 bytes)
- # # # # # # # #
- activity
- # # # # # # # #
- PL_SCR email_attach
- C2 111.90.147.133:8080
- 111.90.147.133:80
- netwrk
- --------------
- 111.90.147.133 8080 TCP 49817 → 8080 [SYN]
- 178.237.33.50 geoplugin.net 80 HTTP GET /json.gp HTTP/1.1
- comp
- --------------
- (process | pid | remote address | remote port | state)
- sql.exe 3784 111.90.147.133 8080 ESTABLISHED
- sql.exe 3784 111.90.147.133 8080 ESTABLISHED
- sql.exe 3784 178.237.33.50 80 CLOSE_WAIT
- sql.exe 3784 111.90.147.133 8080 ESTABLISHED
- proc
- --------------
- [user]
- C:\Users\operator\Desktop\4_Вимога СБУ 543 від 13.11.2023.pdf.exe
- [admin]
- C:\Users\operator\Desktop\4_Вимога СБУ 543 від 13.11.2023.pdf.exe
- C:\Users\operator\Desktop\4_Вимога СБУ 543 від 13.11.2023.pdf.exe yzn?+IOH1Wh$eN_kAK-3^M!(YD>iJxUT@jt*#&%EbfCdvrP9m0Q7FlgL)uaSwB=qZV52pX84ocRs
- C:\ProgramData\davinci\sql.exe
- C:\ProgramData\davinci\sql.exe yzn?+IOH1Wh$eN_kAK-3^M!(YD>iJxUT@jt*#&%EbfCdvrP9m0Q7FlgL)uaSwB=qZV52pX84ocRs
- C:\ProgramData\davinci\sql.exe /stext "C:\Users\support\AppData\Local\Temp\pwlelfknnexzjzwfrxydshge"
- C:\ProgramData\davinci\sql.exe /stext "C:\Users\support\AppData\Local\Temp\srzwlxvgbmpelfkjbhkwvuavbrd"
- C:\ProgramData\davinci\sql.exe /stext "C:\Users\support\AppData\Local\Temp\ctehmqgipuhrntynssxygyvecfmkge"
- persist
- --------------
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 08.11.2023 14:01
- (entry | description | publisher | image path | timestamp)
- hts-UVISQY | Java Platform SE binary | Oracle Corporation | c:\programdata\davinci\sql.exe | 12.11.2023 18:15
- drop
- --------------
- C:\ProgramData\davinci\sql.exe
- C:\Users\support\AppData\Local\Temp\bhvD830.tmp
- C:\Users\support\AppData\Local\Temp\pwlelfknnexzjzwfrxydshge
- C:\Users\support\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0SLSNRRL\json[1].json
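Detection logic for the proc / persist / comp sections above, as an added example (not part of the paste, and not the author's tooling). It keeps the atomic IOCs from this page (hashes, C2 address) but also encodes the behaviours that survive a rebuild: a double-extension `.pdf.exe`, a `/stext` command line writing into `AppData\Local\Temp` (the switch NirSoft recovery tools use to dump credentials to a text file, which Remcos drives from an injected copy of itself), an elevated process running out of `\ProgramData\`, a Run-key entry whose version info claims "Java Platform SE binary" while the image sits outside any `\Java\` directory, and a geoplugin.net lookup from something that is not a browser. The events are constructed Sysmon-style dicts modelled on the lines in this paste plus two benign ones; the field names (`image`, `cmdline`, `integrity`, `dst_host`) are assumptions of the example.

```python
"""Host/network detections for the Remcos chain in this paste, run over constructed Sysmon-style events."""
import re

# Atomic IOCs copied from the paste above.
C2_ADDRS = {"111.90.147.133"}
SHA256_IOCS = {
    "4bd8ec1e82fdea9d8d24f1e7a133d409aa941e13fcc7b6ce1889bed3b7a0afbc",
    "2ce640749819e27d457827eede4d14abbf65981cd716ef25d9489b7eeba314d2",
    "6a6f71cf5cfeb8698987aa3e826b19ef05be3f0112c46d79b366feb914340335",
    "a4d5382438138f679073396bca73dc4f6bc39420966944f4fea8a9ab4087d004",
}

# Behavioural patterns that outlive the specific hashes and C2 address.
STEXT_TO_TEMP = re.compile(r'/stext\s+"?[^"]*\\AppData\\Local\\Temp\\', re.I)   # NirSoft "/stext <file>" dump
DOUBLE_EXT = re.compile(r'\.(pdf|docx?|xlsx?|jpe?g|png)\.exe$', re.I)          # document.pdf.exe style lure
PROGRAMDATA = re.compile(r'^[a-z]:\\programdata\\', re.I)                      # user-writable, no UAC needed
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}         # expected geoplugin.net clients


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[str]:
    """Return the detection names fired by one event (empty list means nothing fired)."""
    hits = []
    kind = ev["type"]
    if kind == "process":
        image, cmd = ev.get("image", ""), ev.get("cmdline", "")
        if ev.get("sha256", "").lower() in SHA256_IOCS:
            hits.append("known_bad_sha256")
        if DOUBLE_EXT.search(image):
            hits.append("double_extension_executable")
        if STEXT_TO_TEMP.search(cmd):
            hits.append("stext_credential_dump_to_temp")
        # "integrity" is assumed to carry Sysmon's IntegrityLevel (Medium / High / System).
        if PROGRAMDATA.match(image) and ev.get("integrity") == "High":
            hits.append("programdata_binary_running_elevated")
    elif kind == "registry_run":
        path, desc = ev.get("image", ""), ev.get("description", "").lower()
        if PROGRAMDATA.match(path):
            hits.append("run_key_points_to_programdata")
        if "java platform se binary" in desc and "\\java\\" not in path.lower():
            hits.append("java_version_info_outside_java_dir")
    elif kind == "network":
        if ev.get("dst_ip") in C2_ADDRS:
            hits.append("known_c2_address")
        if ev.get("dst_host") == "geoplugin.net" and basename(ev.get("image", "")) not in BROWSERS:
            hits.append("geoplugin_lookup_from_non_browser")
    return hits


# Constructed sample events modelled on the proc / persist / comp / netwrk lines above, plus two benign ones.
SAMPLE_EVENTS = [
    {"type": "process", "integrity": "Medium",
     "image": r"C:\Users\operator\Desktop\4_Вимога СБУ 543 від 13.11.2023.pdf.exe",
     "cmdline": r"C:\Users\operator\Desktop\4_Вимога СБУ 543 від 13.11.2023.pdf.exe",
     "sha256": "a4d5382438138f679073396bca73dc4f6bc39420966944f4fea8a9ab4087d004"},
    {"type": "process", "integrity": "High", "image": r"C:\ProgramData\davinci\sql.exe",
     "cmdline": r'C:\ProgramData\davinci\sql.exe /stext "C:\Users\support\AppData\Local\Temp\pwlelfknnexzjzwfrxydshge"'},
    {"type": "registry_run", "name": "hts-UVISQY", "image": r"c:\programdata\davinci\sql.exe",
     "description": "Java Platform SE binary", "company": "Oracle Corporation"},
    {"type": "network", "image": r"C:\ProgramData\davinci\sql.exe", "dst_ip": "111.90.147.133", "dst_port": 8080},
    {"type": "network", "image": r"C:\ProgramData\davinci\sql.exe", "dst_ip": "178.237.33.50", "dst_port": 80,
     "dst_host": "geoplugin.net"},
    {"type": "process", "integrity": "Medium", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"type": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst_ip": "178.237.33.50", "dst_port": 80, "dst_host": "geoplugin.net"},
]


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Run every event through check_event and return (index, hits) for those that fired."""
    return [(i, hits) for i, ev in enumerate(events) if (hits := check_event(ev))]


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS):
        print(f"event {i} [{SAMPLE_EVENTS[i]['type']}]: {', '.join(hits)}")
```

The two benign events (notepad.exe, and chrome.exe talking to geoplugin.net) are there to show the behavioural rules do not fire on ordinary activity; the `/stext` and ProgramData-plus-High-integrity rules are the ones worth keeping after the hashes and the C2 address rotate.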
- # # # # # # # #
- VT & Intezer
- # # # # # # # #
- https://www.virustotal.com/gui/file/4bd8ec1e82fdea9d8d24f1e7a133d409aa941e13fcc7b6ce1889bed3b7a0afbc/details
- https://www.virustotal.com/gui/file/2ce640749819e27d457827eede4d14abbf65981cd716ef25d9489b7eeba314d2/details
- https://www.virustotal.com/gui/file/6a6f71cf5cfeb8698987aa3e826b19ef05be3f0112c46d79b366feb914340335/details
- https://www.virustotal.com/gui/file/a4d5382438138f679073396bca73dc4f6bc39420966944f4fea8a9ab4087d004/details
- https://analyze.intezer.com/analyses/072c005b-aa88-4b21-8a41-dca487703f97
- VR