Distribution of Remcos RAT Disguised as Tax Invoice - ASEC BLOG
Common Information
Type Value
UUID 173b399a-5518-48cc-ac0d-8ea94b785867
Fingerprint bcce991d2be596cd
Analysis status DONE
Considered CTI value 2
Text language
Published March 7, 2022, 9:16 a.m.
Added to db Sept. 11, 2022, 4:59 p.m.
Last updated Nov. 18, 2024, 1:24 p.m.
Headline Distribution of Remcos RAT Disguised as Tax Invoice
Title Distribution of Remcos RAT Disguised as Tax Invoice - ASEC BLOG
Detected Hints/Tags/Attributes 42/2/25
Source URLs
Attributes
Type    #Events  Value
Domain  2        tax.com
Domain  2        zhost.polycomusa.com
Domain  2        giraffebear.polycomusa.com
File    2        tax.gz
File    2        chrimaz.exe
File    2        3xp1r3exp.ps1
File    89       version.dll
File    20       sysprep.exe
File    9        cliconfg.exe
File    4        appinfo.dll
File    18       winsat.exe
File    2        c:\programdata\chrimaz\chrimaz.exe
File    1212     powershell.exe
File    20       win.msi
File    2        bitmin.c4
File    2        uacbypass.c4
Url     2        http://zhost.polycomusa.com/chrimaz.exe
Url     2        http://zhost.polycomusa.com
Url     2        http://giraffebear.polycomusa.com