AhnLab SEcurity intelligence Center (ASEC) has recently identified RemcosRAT being distributed using the steganography technique. The script downloads an additional file from the C2 given as an argument and creates RegAsm.exe as a child process to execute the downloaded file through process hollowing.
Disclaimer: This article is part of the X-Force OSINT Advisories automated collection, which enables faster integration of open-source articles into client environments. All credit and copyright go to the original authors.
Reference: https://asec.ahnlab.com/en/65111/
Sample Indicators of Compromise:
107.175.31.187
paste.ee
c7603f1da9d5ebb35076f285eb374ba66605b28a03ea7caa3a40451cbbc75034
http://ur8ly.com/asy2xr
https://paste.ee/dEh1G4