2022-01-04-IOCs-from-Remcos-RAT-infection.txt

2022-01-04 (TUESDAY) - WELLS FARGO-THEMED MALSPAM LEADS TO REMCOS RAT

REFERENCE:

- https://twitter.com/Unit42_Intel/status/1478744612516900868

CHAIN OF EVENTS:

- email --> attached Excel file --> enable macros --> OneDrive URL --> VBS file --> obfuscated script from two HTTP URLs ending in .jpg --> Remcos RAT C2 traffic

EMAIL INFO:

- Date: Tue, 4 Jan 2022 19:14 UTC
- Subject: Wellfargo Payment Remittance Notice-1/4/22
- Attachment: Payment Remittance Advice_000000202213.xlsb

ATTACHMENT INFO:

- SHA256 hash: b1df072eba923c472e461200b35823fde7f8e640bfb468ff5ac707369a2fa35e
- File size: 156,401 bytes
- File name: Payment Remittance Advice_000000202213.xlsb
- File description: Attachment to email: Excel file with macro code for Remcos RAT

URL GENERATED BY MACRO:

- hxxp://onedrive[.]live.com/download?cid=64F8294A00286885&resid=64F8294A00286885%21770&authkey=ABI3zrc6BsVUKxU

VBS FILE RETURNED FROM ONEDRIVE URL:

- SHA256 hash: 95c0a9e6463a2eb1bbfe3198cd4b6cd74927a209ca4ab17501c2f444494f4499
- File size: 2,340 bytes
- File location: hxxps://onedrive.live[.]com/download?cid=64F8294A00286885&resid=64F8294A00286885%21770&authkey=ABI3zrc6BsVUKxU
- File location: C:\Users\[username]\AppData\Local\Temp\misc.vbs
- File location: C:\Users\[username]\AppData\Local\Microsoft\misc.vbs

TRAFFIC GENERATED BY DOWNLOADED VBS FILE:

- 64.188.19[.]241 port 80 - 64.188.19[.]241 - GET /atcn.jpg
- 104.223.119[.]167 port 80 - 104.223.119[.]167 - GET /calient.jpg
- 79.134.225[.]79 port 10174 - shiestynerd.dvrlists[.]com - encrypted SSL/TLS traffic

DLL FILE EXTRACTED FROM OBFUSCATED SCRIPT RETUNRED BY 104.223.119[.]167:

- SHA256 hash: 73ee036d191c9b2d717e94b2bae87622fce097a42d61594ee8cc1ab5b92749f1
- File size: 409,882 bytes
- File type: PE32 DLL, 32-bit Mono/.Net assembly