- THREAT ATTRIBUTION: LIKELY REMCOS RAT
- SUBJECTS OBSERVED
- Separate Remittance Advice for Vendor -- <<Company Name>> IT : Paper document number - 5011310
- SENDERS OBSERVED
- citi_electronic_advice@epay[.]remit[.]citi[.]com
- EMAIL BODY
- Payment Remittance Advice
- July 08th, 2020
- An electronic payment has been remitted to you. Please find attached for remittance and invoice details.
- From Payer
- CITI Bank Electronic Payments
- Trading Partner
- To Payee
- <<Company Name>> IT
- 28263
- Bank Name
- Citi Bank.. ...
- Bank No.
- 053100300
- Branch No.
- 053100300
- Bank BIC Code
- XXXXXXXXXXX
- Bank Account
- XXXXXXXXXXX
- IBAN
- Payment Reference Number
- 6011069076
- Paper Document Number
- 5011310
- Payment Date
- July 08th, 2020
- Payment Currency
- USD
- Payment Amount
- 23,502.50
- Citi Bank Group made the following annotations
- "This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use, or distribution of the information included in this message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank you."
- MALDOC FILE HASHES
- Remittance Advice[.]docx
- 26645875939b9e212f1a0675f3eda288
- PAYLOAD FILE HASHES
- remit[.]dotm
- d54c32177356475f7d8ca8f261d8045a
- remit[.]jpg
- 873f0bae5bbdcdd69cd87a047d7fe0c4
- remit[.]vbs
- 00902fabb52021a6a74263da9030580a
- Attack[.]jpg
- 44893c5b3080bb0a1d520a514f578411
- PAYLOAD URL
- hxxps://r0lls-r0yce[.]com/eft/remit[.]dotm?raw=true
- hxxp://185[.]172[.]110[.]217/robx/remit[.]jpg
- hxxp://185[.]172[.]110[.]217/robx/remit[.]vbs
- hxxp://185[.]172[.]110[.]217/robx/Attack[.]jpg
- SUSPECTED REMCOS C2
- jimmy101[.]myq-see[.]com
- 185[.]140[.]53[.]8:2040