The Latest Remcos RAT Driven By Phishing Campaign | FortiGuard Labs
Tags
maec-delivery-vectors: Watering Hole
attack-pattern: Data Botnet - T1583.005 Botnet - T1584.005 Clipboard Data - T1414 Malware - T1587.001 Malware - T1588.001 Phishing - T1660 Phishing - T1566 Powershell - T1059.001 Process Hollowing - T1055.012 Screen Capture - T1513 Server - T1583.004 Server - T1584.004 Software - T1592.002 Tool - T1588.002 Clipboard Data - T1115 Connection Proxy - T1090 Powershell - T1086 Process Hollowing - T1093 Screen Capture - T1113 Scripting - T1064 Screen Capture Scripting
Show in Graph
Common Information
Type Value
UUID c4349e71-5ec4-4897-984b-b642cf3e65f2
Fingerprint c0e89d2ceaba95e
Analysis status DONE
Considered CTI value 2
Text language
Published April 6, 2022, midnight
Added to db Sept. 11, 2022, 12:40 p.m.
Last updated Nov. 18, 2024, 1:38 a.m.
Headline The Latest Remcos RAT Driven By Phishing Campaign
Title The Latest Remcos RAT Driven By Phishing Campaign | FortiGuard Labs
Detected Hints/Tags/Attributes 79/2/36
Source URLs
Redirection Url
Details Source https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing
URL Provider
Details Provider Source level domain
Details fortinet.com www.fortinet.com
Attributes
Details Type #Events CTI Value
Details Domain 2 
toooyou.black
Details Domain 285 
microsoft.net
Details Domain 3 
shiestynerd.dvrlists.com
Details Domain 1 
mimi44.ddns.net
Details Domain 1 
harveyautos110.ddns.net
Details Domain 1 
harveyautos111.hopto.org
Details Domain 1 
harveyautos112.ddns.net
Details Domain 1 
harvey205.camdvr.org
Details Domain 1 
harvey206.casacam.net
Details Domain 1 
harvey207.accesscam.org
Details Domain 1 
achimumuazi.hopto.org
Details Domain 1 
xhangzhi.duckdns.org
Details File 1 
%appdata%\hobyq.vbs
Details File 1 
hobyq.vbs
Details File 1 
flip.vbs
Details File 3 
mem.txt
Details File 1 
faze.jpg
Details File 103 
regasm.exe
Details File 1 
gc.dll
Details File 2 
lime.dll
Details File 13 
logs.dat
Details File 13 
log.dat
Details File 2127 
cmd.exe
Details sha256 1 
fbb0575dfd7c1cfe48fb3aa895fbe6c8a554f06899a7152d04cfc39d1d4744ad
Details sha256 1 
8f6dd0db9e799393a61d6c9cf6495c164e1b13cb8e6b153b32359d5f07e793d2
Details sha256 1 
da609d3211d60d5b11feaeaa717834cbe86e18103a1ed4fc09c2ee3e1cff9442
Details sha256 1 
737e11913efb64accf1b88532c7ce8606676684d8364ddd027926f9ffc6ecffb
Details sha256 1 
b263876ebc01b310a8bfc58477523981184eb7e8f2dc955f0cf8e62124eb679a
Details sha256 1 
2c8b78fc6c4fe463dac9d39fde2871f1bb2605453bc0f2d57c7549cf5d07aa86
Details sha256 1 
a1a1395d0602a473fcc81ba7d1d90c3fb154321d1721e0069722b902b1057cb0
Details sha256 1 
6b816d84accc3e1ebce3ef55b64b0c5e0485228790df903e68466690e58b5009
Details IPv4 2 
209.127.19.101
Details IPv4 1 
23.226.128.197
Details Url 1 
http://209.127.19.101/flip.vbs
Details Url 1 
http://209.127.19.101/mem.txt
Details Url 1 
http://209.127.19.101/faze.jpg