ExecuteMalware

2020-08-26 Remcos IOCs

Aug 26th, 2020
THREAT ATTRIBUTION: REMCOS

SUBJECTS OBSERVED
Payment Advice Notification

SENDERS OBSERVED
JPM Chase Payment Notification <[email protected]>

MALDOC FILE HASHES
ACH Payment.xlsm
40e73282c0207d2975fa3acaf2989cd2

Protected Client.vbs
2ffe7c088d780874fef08e0a10783c26

Attack.jpg
904606da0668534602d198c51cc4103c

MALDOC DOWNLOAD URLs
http://oficina24.online/kingman/Protected Client.vbs

PAYLOAD URL
https://oficina24.online/king/hlobnm/good/youuryt/yuotoob/doogrty/ruoytr/root/okaytogo/Attack.jpg

REMCOS C2
srvr2.callofdutyserver.pw

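The indicators above are most useful when they can be run straight against proxy logs and file hashes. The Python script below is an added example written for this page; it is not part of the original paste and not ExecuteMalware's tooling. It assumes the 32-character hashes are MD5, and it runs over constructed sample proxy lines (epoch, client, method, target, status) invented for the demonstration. Two details a hunt query has to get right are handled here: the paste writes the VBS URL with a literal space, while a proxy logs it percent-encoded as Protected%20Client.vbs, so URLs are percent-decoded before comparison; and CONNECT targets carry no scheme, so they are matched on the host alone.

```python
"""Hunt for the Remcos IOCs in this paste in proxy logs and file hashes.

Added example. The log format and log lines are constructed for the
demonstration, not taken from the paste or from any real capture.
"""
import hashlib
from urllib.parse import unquote, urlsplit

# Indicators copied verbatim from the paste above.
# Assumption: the 32-character hashes are MD5.
MD5_HASHES = {
    "40e73282c0207d2975fa3acaf2989cd2": "ACH Payment.xlsm",
    "2ffe7c088d780874fef08e0a10783c26": "Protected Client.vbs",
    "904606da0668534602d198c51cc4103c": "Attack.jpg",
}
URLS = [
    "http://oficina24.online/kingman/Protected Client.vbs",
    "https://oficina24.online/king/hlobnm/good/youuryt/yuotoob/doogrty/ruoytr/root/okaytogo/Attack.jpg",
]
HOSTS = {"oficina24.online", "srvr2.callofdutyserver.pw"}


def normalize_url(url: str) -> str:
    """Canonical form: lower-cased scheme and host, percent-decoded path.

    The paste writes the VBS URL with a literal space; a proxy logs it as
    'Protected%20Client.vbs', so both spellings must compare equal.
    """
    parts = urlsplit(url.strip())
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{unquote(parts.path)}"


NORMALIZED_URLS = {normalize_url(u) for u in URLS}


def match_host(host: str):
    """Return the IOC host if `host` is it or a subdomain of it, else None."""
    host = host.lower().rstrip(".")
    for ioc in HOSTS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def match_url(url: str):
    """('url', ioc) on an exact IOC URL, ('host', ioc) on an IOC host, else None."""
    canon = normalize_url(url)
    if canon in NORMALIZED_URLS:
        return ("url", canon)
    ioc = match_host(urlsplit(canon).hostname or "")
    return ("host", ioc) if ioc else None


def match_hash(md5_hex: str):
    """Return the IOC file name for a known MD5 (any case), else None."""
    return MD5_HASHES.get(md5_hex.strip().lower())


def md5_of(data: bytes) -> str:
    """MD5 of file contents in the lower-case hex form the paste uses."""
    return hashlib.md5(data).hexdigest()


def scan_proxy_log(lines):
    """Walk constructed lines 'epoch client METHOD target status' and collect IOC hits.

    CONNECT targets are 'host:port' with no scheme, so they are matched on the
    host alone instead of being pushed through the URL normaliser.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, client, method, target = fields[:4]
        if method == "CONNECT":
            ioc = match_host(target.rsplit(":", 1)[0])
            result = ("host", ioc) if ioc else None
        else:
            result = match_url(target)
        if result:
            hits.append({"ts": ts, "client": client, "kind": result[0],
                         "ioc": result[1], "target": target})
    return hits


# Constructed sample log: two downloads from the staging host, one C2 CONNECT,
# one benign request. Addresses, timestamps and port are invented.
SAMPLE_PROXY_LOG = """\
1598443200.123 10.0.0.15 GET http://oficina24.online/kingman/Protected%20Client.vbs 200
1598443260.456 10.0.0.15 GET https://oficina24.online/king/hlobnm/good/youuryt/yuotoob/doogrty/ruoytr/root/okaytogo/Attack.jpg 200
1598443300.789 10.0.0.15 CONNECT srvr2.callofdutyserver.pw:443 200
1598443400.000 10.0.0.22 GET https://www.example.com/index.html 200
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG.splitlines()):
        print(hit)
```

Host matching also flags subdomains of a listed host, so www.oficina24.online would hit, while callofdutyserver.pw on its own (a parent domain the paste does not list) would not; add it to HOSTS only if you decide to block the whole parent.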
EMAIL BODY
JPMorgan Chase

This is a secure, encrypted message.

Desktop Users:
Open the attachment (Payment Advice.xlsm) and follow the instructions.

Mobile Users:
Open the attachment (Payment Advice.xlsm) on your PC and follow the instructions
Need Help?
Personal Security Image
Your personalized image for:
This personal security image will appear on secure email to you. If it's missing or unrecognized, please contact customer support. Learn more
Disclaimer: This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender.
Email Security Powered by Voltage IBE(tm)
Copyright © 2015 JPMorgan Chase & Co. All rights reserved