ExecuteMalware

2020-10-21 Remcos RAT IOCs

Oct 21st, 2020
THREAT ATTRIBUTION: REMCOS RAT

SUBJECTS OBSERVED
JPMorgan Chase Payment Report - 00010202020
JPMorgan Chase Payment Report - 00010212020

SENDERS OBSERVED
no_reply_alert@message-jpmchase[.]com
no_reply_report@message-jpmchase[.]com

EMAIL BODY
JPMorgan Chase

This is a secure, encrypted message.

Desktop Users:
Open the attachment (Payment Advice[.]xls) and follow the instructions.

Mobile Users:
Open the attachment (Payment Advice[.]xls) on your PC and follow the instructions
Need Help?

Personal Security Image
Your personalized image for: emailname@domain[.]com
This personal security image will appear on secure email to you. If it's missing or unrecognized, please contact customer support. Learn more
Disclaimer: This email and any attachments are confidential and for the sole use of the recipients. If you have received this email in error please notify the sender.

Email Security Powered by Voltage IBE(tm)
Copyright © 2015 JPMorgan Chase & Co. All rights reserved

MALDOC FILE HASHES
Payment Advice[.]xls
2e114b34a6062b0771d1cb73fec4273b

message[.]vbs
06466e239d3389ff30cfeddb71624bed

PAYLOAD FILE HASHES
hades[.]jpg
9347e2e42a25c4354d28d9da4b6adc49

MALDOC DOWNLOAD URLS
hxxp://185[.]172[.]110[.]201/dkhh/message[.]vbs

PAYLOAD URL
hxxp://185[.]172[.]110[.]201/dkhh/hades[.]jpg

REMCOS C2
jollymorgan[.]myq-see[.]com
185[.]244[.]30[.]225

SUPPORTING EVIDENCE
https://urlhaus.abuse.ch/browse.php?search=http%3A%2F%2F185.172.110.201%2Fdkhh%2Fhades.jpg
https://app.any.run/tasks/eb86765d-b1c4-4c34-bc0a-f61a21be8008/