ExecuteMalware

2020-07-08 Suspected Remcos IOCs

Jul 9th, 2020
THREAT ATTRIBUTION: LIKELY REMCOS RAT

SUBJECTS OBSERVED
Separate Remittance Advice for Vendor -- <<Company Name>> IT : Paper document number - 5011310

SENDERS OBSERVED
citi_electronic_advice@epay[.]remit[.]citi[.]com

EMAIL BODY
Payment Remittance Advice

July 08th, 2020

An electronic payment has been remitted to you. Please find attached for remittance and invoice details.

From Payer
CITI Bank Electronic Payments
Trading Partner
To Payee
<<Company Name>> IT
28263

Bank Name
Citi Bank.. ...

Bank No.
053100300

Branch No.
053100300

Bank BIC Code
XXXXXXXXXXX

Bank Account
XXXXXXXXXXX

IBAN

Payment Reference Number
6011069076
Paper Document Number
5011310
Payment Date
July 08th, 2020
Payment Currency
USD
Payment Amount
23,502.50

Citi Bank Group made the following annotations

"This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use, or distribution of the information included in this message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank you."

MALDOC FILE HASHES (MD5)
Remittance Advice[.]docx
26645875939b9e212f1a0675f3eda288

PAYLOAD FILE HASHES (MD5)
remit[.]dotm
d54c32177356475f7d8ca8f261d8045a

remit[.]jpg
873f0bae5bbdcdd69cd87a047d7fe0c4

remit[.]vbs
00902fabb52021a6a74263da9030580a

Attack[.]jpg
44893c5b3080bb0a1d520a514f578411

PAYLOAD URL
hxxps://r0lls-r0yce[.]com/eft/remit[.]dotm?raw=true
hxxp://185[.]172[.]110[.]217/robx/remit[.]jpg
hxxp://185[.]172[.]110[.]217/robx/remit[.]vbs
hxxp://185[.]172[.]110[.]217/robx/Attack[.]jpg

SUSPECTED REMCOS C2
jimmy101[.]myq-see[.]com
185[.]140[.]53[.]8:2040
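Refanging and sweeping for the indicators above, as an added example that is not part of the original paste: the Python below turns the published hxxp/[.] notation back into real URLs, hosts and hashes, records the host of each payload URL and the address of the C2 (port stripped) as separate indicators, and then matches the set against log lines with label-aware boundaries so that a subdomain of a listed domain hits but a longer unrelated name does not. The indicator values are the paste's; the proxy, DNS, firewall and EDR log lines and their field names are constructed for the demonstration.

```python
import re
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Indicator values copied from the paste above, defanged exactly as published.
IOC_TEXT = """
26645875939b9e212f1a0675f3eda288
d54c32177356475f7d8ca8f261d8045a
873f0bae5bbdcdd69cd87a047d7fe0c4
00902fabb52021a6a74263da9030580a
44893c5b3080bb0a1d520a514f578411
hxxps://r0lls-r0yce[.]com/eft/remit[.]dotm?raw=true
hxxp://185[.]172[.]110[.]217/robx/remit[.]jpg
hxxp://185[.]172[.]110[.]217/robx/remit[.]vbs
hxxp://185[.]172[.]110[.]217/robx/Attack[.]jpg
jimmy101[.]myq-see[.]com
185[.]140[.]53[.]8:2040
"""

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def refang(value: str) -> str:
    """Undo the hxxp:// and [.] defanging so values compare against real telemetry."""
    return value.replace("hxxps://", "https://").replace("hxxp://", "http://").replace("[.]", ".")


def extract_iocs(text: str) -> Dict[str, Set[str]]:
    """Classify each non-empty line as md5, url, ip or domain (lower-cased).
    URL hosts are also recorded as ip/domain and a trailing :port on a bare C2
    address is dropped, so a log that only carries the destination host still hits."""
    iocs: Dict[str, Set[str]] = {"md5": set(), "url": set(), "ip": set(), "domain": set()}
    for raw in text.splitlines():
        value = refang(raw.strip()).lower()
        if not value:
            continue
        if MD5_RE.match(value):
            iocs["md5"].add(value)
            continue
        if value.startswith(("http://", "https://")):
            iocs["url"].add(value)
            host = urlsplit(value).hostname or ""
        else:
            host = value.split(":")[0]
        if IPV4_RE.match(host):
            iocs["ip"].add(host)
        elif host:
            iocs["domain"].add(host)
    return iocs


def _pattern(ioc_type: str, value: str) -> "re.Pattern[str]":
    """Boundary-aware pattern per type: an IP must not be part of a longer dotted
    number, a domain must start on a label boundary (sub.domain matches,
    notdomain does not), a hash must not sit inside a longer hex run."""
    esc = re.escape(value)
    if ioc_type == "ip":
        return re.compile(r"(?<![\d.])" + esc + r"(?![\d.])")
    if ioc_type == "domain":
        return re.compile(r"(?<![a-z0-9-])" + esc + r"(?![a-z0-9-])")
    if ioc_type == "md5":
        return re.compile(r"(?<![0-9a-f])" + esc + r"(?![0-9a-f])")
    return re.compile(esc)  # url: exact substring on the lower-cased line


def match_logs(iocs: Dict[str, Set[str]], lines: List[str]) -> List[dict]:
    """Return one hit per (line index, ioc type, value) found in the log lines."""
    patterns = [(t, v, _pattern(t, v)) for t, values in iocs.items() for v in sorted(values)]
    hits: List[dict] = []
    for idx, line in enumerate(lines):
        lowered = line.lower()
        for ioc_type, value, pat in patterns:
            if pat.search(lowered):
                hits.append({"line": idx, "type": ioc_type, "value": value})
    return hits


IOCS = extract_iocs(IOC_TEXT)

# Constructed log lines for the demonstration (not real telemetry; field names
# are assumed). Line 4 is benign and must not match anything.
SAMPLE_LOGS = [
    '2020-07-08T14:02:11Z proxy src=10.1.4.22 dst=r0lls-r0yce.com url="https://r0lls-r0yce.com/eft/remit.dotm?raw=true"',
    '2020-07-08T14:02:19Z proxy src=10.1.4.22 dst=185.172.110.217 url="http://185.172.110.217/robx/remit.vbs"',
    '2020-07-08T14:02:41Z dns client=10.1.4.22 query=jimmy101.myq-see.com type=A answer=185.140.53.8',
    '2020-07-08T14:02:42Z fw action=allow src=10.1.4.22 dst=185.140.53.8 dport=2040 proto=tcp',
    '2020-07-08T14:05:00Z proxy src=10.1.4.23 dst=www.example.com url="https://www.example.com/"',
    '2020-07-08T14:06:00Z edr host=WS22 file=remit.vbs md5=00902fabb52021a6a74263da9030580a',
]

if __name__ == "__main__":
    for hit in match_logs(IOCS, SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['type']} {hit['value']}")
```

Matching on the lower-cased line keeps the hash and host comparisons case-insensitive, and the C2 port is deliberately not part of the indicator because the same host may be contacted on other ports; filter on `dport=2040` separately if you want the narrower signal.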