iocs.txt
URLs:
hxxps[://]jantickee[.]com/wp-content/Stanles1[.]png
hxxps[://]jantickee[.]com/wp-content/Stanles2[.]png
hxxps[://]trivolibolit[.]com/wp-content/Hpzionse[.]png
hxxps[://]trivolibolit[.]com/wp-content/Hpzion[.]png
Remcos C2:
zarusouyt2994hesut01.duckdns[.]org
zarusouyt2994hesut02.duckdns[.]org
Payloads:
2023clearance.doc - 35b78f9b4f1122f4a347c1ce37367278
BurkeDocuments.pdf.lnk - 6213ff411cd8625c632de49cd6fe46c6
Startvrdier.Fre - 7b17e9015f04a2041d612662ee9f9399
Hpzionse[.]png - a5e106a1b7d3e24fa6361ac2f73333ee
Hpzion[.]png - bd28afeb1bd6b819b0b6f96cb1ff87b6
Email Sender Domains:
intuitfrauddept[.]com
goatratedman[.]com
intermountaiinhealthcare[.]org
stsebss[.]org
Remcos Configuration:
"Host:Port:Password": "zarusouyt2994hesut01.duckdns[.]org:1298:0zarusouyt2994hesut01.duckdns[.]org:1299:1zarusouyt2994hesut02.duckdns[.]org:1298:0",
"Assigned name": "Tasty",
"Connect interval": "1",
"Install flag": "Disable",
"Setup HKCU\\Run": "Enable",
"Setup HKLM\\Run": "Enable",
"Install path": "Application path",
"Copy file": "remcos.exe",
"Startup value": "Enable",
"Hide file": "Disable",
"Mutex": "kmcot-GBXZUN",
"Keylog flag": "1",
"Keylog path": "AppData",
"Keylog file": "kajorc.dat",
"Keylog crypt": "Disable",
"Hide keylog file": "Enable",
"Screenshot flag": "Disable",
"Screenshot time": "10",
"Take Screenshot option": "Disable",
"Take screenshot title": "",
"Take screenshot time": "5",
"Screenshot path": "AppData",
"Screenshot file": "Screenshots",
"Screenshot crypt": "Disable",
"Mouse option": "Disable",
"Delete file": "Disable",
"Audio record time": "5"