Bokbot Malware IoCs 2019/10/29

#Bokbot
Notes:
I got a run of odd #bokbot loader sent via email as .doc but is actually .docx. They are still coming in now.
Loads the following goofy screen attached. Executes VBS embedded to call WSCRIPT and download from an open dir full of #trickbot and other garbage.
_____________________________
Email Template example:
Date: Tue, 29 Oct 2019 11:17:27 -0600
From: "=?utf-8?Q?Loan_Services?=" <ldb3@homesc.com>
Organization: dzldcilvcijcj
X-Priority: 3 (Normal)
Message-ID: <6650300744.20191029111727@homesc.com>
To: Victim@yourdomain.tld
Subject: =?utf-8?Q?You_have_received_message_about_your_unpaid_invoice?=
MIME-Version: 1.0
Content-Type: multipart/mixed;boundary="----------4F3D0D45A18DE123E5"
X-DLP-OUTBOUND: 137.118.40.128/25
X-MAG-OUTBOUND: greymail.redcondor.net@137.118.40.128/25
X-Modus-SPF-Results: spf=pass, details=homesc.com: Sender is authorized to use 'homesc.com' in 'mfrom' identity (mechanism
 'include:spf1.neonova.net' matched)

------------4F3D0D45A18DE123E5
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

Dear Valuable Customer,

This letter is simply a cordial notice. We haven’t accredited the payment for the following monthly bill yet, plus it is three working days delayed. Don't forget to make the payment for the following bill followed below, as fast as possible. If you could have issues, i highly recommend you e-mail us to discuss the matter.
Statement attached to this email.

We would appreciate your immediate attention to this subject.

Most sincerely,
Justin Parrish
Sucent Loan Services
------------4F3D0D45A18DE123E5
Content-Type: application/octet-stream;
 name="efax_document675724_270.doc"
Content-transfer-encoding: base64
Content-Disposition: attachment;
 filename="efax_document675724_270.doc"
______________
Alternate Body

Dear Client,

This email is simply a cordial notification. We have not validated the compensation for this invoice still, in addition it's 4 days overdue. Be sure to make payment for the account invoice down the page, in a timely manner. In case you have got concerns, i highly recommend you contact us to talk about the concern.
Statement attached to this e-mail.

We'd truly value your prompt focus on this matter.

With gratitude,
Damari Quinn
Demimbu Credit Services
________________________________________

Subjects seen:
You have got message about your unpaid invoice
You have collected message about your unpaid invoice
You have got email about unpaid statement
You have received message about your unpaid invoice

Doc Template Run:
https://app.any.run/tasks/6d6bdf97-86f2-4880-8e83-6fa44e8dbc14

Doc hashes:
127f34cf8a2f322d30a3d7c651bf75ea3fb31d21b6665273fb75429c36d3bc39
50dbd9c8754a11a14cc1e94057d23ccbf504af390e2153371d0184cf16bbe772
3008746ebf3544ee583eee3e32ec39378d581347699ae02143dbd500cf7eadec
56fc206f8906fd463f0958760c546a15ee573870aeabc2898d9daf445a7510eb

Direct execution of payload:
https://app.any.run/tasks/e7e2cbdc-82cf-4ac6-a62a-26620e082e84

Binary Hashes:
f61bc27063dbca08901b133ae611e0752fcc3da28df46739fc7bc1661a72e075

C2:
https://gfthwards.com/photo.png?id=0120AC7B8F28F965A80000000000FF40000001
https://gfthwards.eu/photo.png?id=0120AC7B8F28F965A80000000000FF40000001
https://gfthwards.net/photo.png?id=0120AC7B8F28F965A80000000000FF40000001
https://presifered.com/photo.png?id=0120AC7B8F28F965A80000000000FF40000001
https://coujtried.com/photo.png?id=0120AC7B8F28F965A80000000000FF40000001

Other malware found in open directory:
https://www.kbtseafood.com/wp-content/uploads/2019/07/

#Trickbot
https://www.kbtseafood.com/wp-content/uploads/2019/07/Print_Version.exe
https://www.kbtseafood.com/wp-content/uploads/2019/07/LEO2KLDCXZ.exe
https://www.kbtseafood.com/wp-content/uploads/2019/07/crypt.exe
https://www.kbtseafood.com/wp-content/uploads/2019/07/eag12e.tiff
https://www.kbtseafood.com/wp-content/uploads/2019/07/eag12ec.tiff
https://www.kbtseafood.com/wp-content/uploads/2019/07/eag12e.res