Gerald Scotet 0 Posted December 19, 2023
Good morning, we have been experiencing attacks for some time and ESET has deleted exe files detected as Win32/RiskWare.RemoteAdmin.RemoteExec.AC. This is a network share on a NAS accessed by a Windows server and Linux machines. The report is attached at the link https://dcs.ipsonetwork.net/index.php/s/YdDm9fmPNADqnGT
Could you please help us identify the culprit? Thank you very much in advance. Sorry for the translation, I'm French.
Administrators Marcos 5,085 Posted December 19, 2023
Unfortunately it is not possible to tell what happened based on the detection names alone. The best case would be if our XDR solution, ESET Inspect, had been installed prior to the detection, which would help you with investigating the infection vector.
itman 1,667 Posted December 19, 2023
Interesting VirusTotal analysis comment by Crowdsourced in regard to the .vbs script below:
itman 1,667 Posted December 19, 2023
5 hours ago, Gerald Scotet said: "we have been experiencing attacks for some time and ESET has deleted exe files referenced Win32/RiskWare.RemoteAdmin.RemoteExec.AC."
The ESET detection relates to the legitimate RemCom remote access tool, which is often used maliciously. Additional references:
https://support.alertlogic.com/hc/en-us/articles/360034494351-Windows-Server-RemCom-Tool-Remote-Shell
https://github.com/kavika13/RemCom
Gerald Scotet 0 Posted December 20, 2023 (Author)
Thank you for your answer.