#remcos_131123

#IOC #OptiData #VR #remcos #rat #mic #keylog #scr

https://pastebin.com/tbRpiGG5

previous_contact:
06/02/23    https://pastebin.com/kjv5E8Au
12/07/21    https://pastebin.com/ZYZarB9L
15/07/19    https://pastebin.com/ZxG6eRWM

FAQ:
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos


attack_vector
--------------
email > att1 .RAR > att2 .RAR > att3 .RAR (pwd) > .EXE > \ProgramData\davinci\sql.exe > C2


# # # # # # # #
email_headers
# # # # # # # #
Return-Path: <info@davincigroup.online>
Received: from davincigroup.online (unknown [45.10.245.245])
From: Головне Оперативне Управління СБУ України <info@davincigroup.online>
Subject: запит ГОУ СБУ України № 90575 /СБ-23
Date: Sun, 12 Nov 2023 15:53:30 -0800
Message-Id: <E1r2KGg-000IpF-JZ@mail.davincigroup.online>

# # # # # # # #
files
# # # # # # # #

SHA-256		   4bd8ec1e82fdea9d8d24f1e7a133d409aa941e13fcc7b6ce1889bed3b7a0afbc
File name	   1_Електронна вимога СБУ України.rar      [ RAR archive data, v5 ]
File size	   944.55 KB (967216 bytes)

SHA-256		   2ce640749819e27d457827eede4d14abbf65981cd716ef25d9489b7eeba314d2
File name	   2_Електронна вимога СБУ України.rar      [ RAR archive data, v5 ]
File size	   944.11 KB (966764 bytes)

SHA-256		   6a6f71cf5cfeb8698987aa3e826b19ef05be3f0112c46d79b366feb914340335
File name	   3_Вимога СБУ 543 від 13.11.2023.pdf.rar  [ RAR archive data, v5 ]    passwordprotected
File size      943.59 KB (966238 bytes)

SHA-256		   a4d5382438138f679073396bca73dc4f6bc39420966944f4fea8a9ab4087d004
File name	   4_Вимога СБУ 543 від 13.11.2023.pdf.exe  [ PE32 executable (GUI)]    Admin privileges UAC!
File size      996.00 KB (1019904 bytes)


# # # # # # # #
activity
# # # # # # # #

PL_SCR		    email_attach


C2              111.90.147.133:8080
                111.90.147.133:80


netwrk
--------------
111.90.147.133		8080	TCP	49817 → 8080 [SYN]
178.237.33.50	    geoplugin.net	80	HTTP	GET /json.gp HTTP/1.1

comp
--------------
sql.exe	3784	111.90.147.133	8080	ESTABLISHED
sql.exe	3784	111.90.147.133	8080	ESTABLISHED
sql.exe	3784	178.237.33.50	80	    CLOSE_WAIT
sql.exe	3784	111.90.147.133	8080	ESTABLISHED

proc
--------------
[user]
C:\Users\operator\Desktop\4_Вимога СБУ 543 від 13.11.2023.pdf.exe

[admin]
    C:\Users\operator\Desktop\4_Вимога СБУ 543 від 13.11.2023.pdf.exe
		C:\Users\operator\Desktop\4_Вимога СБУ 543 від 13.11.2023.pdf.exe yzn?+IOH1Wh$eN_kAK-3^M!(YD>iJxUT@jt*#&%EbfCdvrP9m0Q7FlgL)uaSwB=qZV52pX84ocRs
			C:\ProgramData\davinci\sql.exe
				C:\ProgramData\davinci\sql.exe yzn?+IOH1Wh$eN_kAK-3^M!(YD>iJxUT@jt*#&%EbfCdvrP9m0Q7FlgL)uaSwB=qZV52pX84ocRs
					C:\ProgramData\davinci\sql.exe /stext "C:\Users\support\AppData\Local\Temp\pwlelfknnexzjzwfrxydshge"
					C:\ProgramData\davinci\sql.exe /stext "C:\Users\support\AppData\Local\Temp\srzwlxvgbmpelfkjbhkwvuavbrd"
					C:\ProgramData\davinci\sql.exe /stext "C:\Users\support\AppData\Local\Temp\ctehmqgipuhrntynssxygyvecfmkge"

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run				                        08.11.2023 14:01
hts-UVISQY	Java Platform SE binary	Oracle Corporation	c:\programdata\davinci\sql.exe	12.11.2023 18:15

drop
--------------
C:\ProgramData\davinci\sql.exe
C:\Users\support\AppData\Local\Temp\bhvD830.tmp
C:\Users\support\AppData\Local\Temp\pwlelfknnexzjzwfrxydshge
C:\Users\support\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0SLSNRRL\json[1].json

# # # # # # # #
VT & Intezer
# # # # # # # #
https://www.virustotal.com/gui/file/4bd8ec1e82fdea9d8d24f1e7a133d409aa941e13fcc7b6ce1889bed3b7a0afbc/details
https://www.virustotal.com/gui/file/2ce640749819e27d457827eede4d14abbf65981cd716ef25d9489b7eeba314d2/details
https://www.virustotal.com/gui/file/6a6f71cf5cfeb8698987aa3e826b19ef05be3f0112c46d79b366feb914340335/details
https://www.virustotal.com/gui/file/a4d5382438138f679073396bca73dc4f6bc39420966944f4fea8a9ab4087d004/details
https://analyze.intezer.com/analyses/072c005b-aa88-4b21-8a41-dca487703f97

VR