malware_traffic

Trickbot EXE files from ".png" URLs on Monday 2020-04-20

Apr 20th, 2020
TRICKBOT EXE FILES FROM .PNG URLs ON MONDAY 2020-04-20

URLS:

- hxxp://107.172.221[.]106/images/cursor.png
- hxxp://107.172.221[.]106/images/imgpaper.png
- hxxp://107.172.221[.]106/images/redcar.png

NOTES:

- The HTTP request for cursor.png is normally caused by Trickbot's mshareDll module.
- The HTTP request for imgpaper.png is normally caused by Trickbot's tabDll module.
- The HTTP request for redcar.png is normally caused by Trickbot's mwormDll module.
- All of these URLs returned a Windows executable file (EXE).
- These URLs appear to return files with different hashes every time they are retrieved.
- The Trickbot gtag for redcar.png has advanced to "716" as the number at the end, while the gtag for cursor.png and imgpaper.png has stayed at "713". Note that redcar.png is a different type of PE32 executable (console instead of GUI).

$ file *.png
cursor.png: PE32 executable (GUI) Intel 80386, for MS Windows
imgpaper.png: PE32 executable (GUI) Intel 80386, for MS Windows
redcar.png: PE32 executable (console) Intel 80386, for MS Windows

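Because the hashes change on every retrieval, a hash-based block is weak here; the stable signal is a ".png" URL whose response body is a PE. The script below is an added example (not from the paste or from Trickbot) that reproduces the file(1) triage above by parsing the DOS/COFF/optional headers (machine, PE32 magic, subsystem) and flags the extension/content mismatch. The sample inputs are constructed header-only stand-ins, not the real samples.

```python
import struct

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
IMAGE_FILE_MACHINE_I386 = 0x14C          # reported as "Intel 80386" by file(1)
SUBSYSTEMS = {2: "GUI", 3: "console"}    # IMAGE_SUBSYSTEM_WINDOWS_GUI / _CUI


def classify(data: bytes) -> str:
    """Mimic the file(1) triage in the paste: PNG, PE32 with subsystem, or other."""
    if data.startswith(PNG_MAGIC):
        return "PNG image"
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not MZ/PE"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "MZ header without PE signature"
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    opt = e_lfanew + 24                  # optional header follows the 20-byte COFF header
    if opt + 70 > len(data):
        return "truncated PE"
    magic = struct.unpack_from("<H", data, opt)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # same offset in PE32 and PE32+
    fmt = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "PE?")
    arch = {IMAGE_FILE_MACHINE_I386: "Intel 80386", 0x8664: "x86-64"}.get(machine, hex(machine))
    return f"{fmt} executable ({SUBSYSTEMS.get(subsystem, subsystem)}) {arch}"


def png_url_served_pe(url: str, body: bytes) -> bool:
    """Detection rule: a URL ending in .png whose response body parses as a PE."""
    return url.lower().endswith(".png") and classify(body).startswith("PE")


def make_fake_pe(subsystem: int) -> bytes:
    """Constructed, header-only stand-in used as sample input (not the real malware)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(68, b"\0") + struct.pack("<H", subsystem)
    return dos + coff + opt.ljust(224, b"\0")


if __name__ == "__main__":
    # Constructed stand-ins for the three URLs in the paste plus one genuine PNG header
    for name, body in [("cursor.png", make_fake_pe(2)), ("imgpaper.png", make_fake_pe(2)),
                       ("redcar.png", make_fake_pe(3)), ("real.png", PNG_MAGIC + b"\0" * 16)]:
        url = "hxxp://107.172.221[.]106/images/" + name
        print(f"{name}: {classify(body)}  alert={png_url_served_pe(url, body)}")
```

Feed classify() the response body of any image-extension download (proxy logs, a PCAP carve) and alert on PE results; the subsystem field also separates the console-type redcar.png from the GUI-type cursor.png and imgpaper.png as file(1) does above.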
FILE INFO:

- SHA256 hash: 45faf72e8f4f7aec4224b1b41773f8807c529d5d3da25c5bd83dd0e050bc7a96
- File size: 637,440 bytes
- File location: hxxp://107.172.221[.]106/images/cursor.png
- File description: Windows executable file for Trickbot, gtag tot713
- Analysis:
-- https://urlhaus.abuse.ch/url/347026/
-- https://app.any.run/tasks/b5409a9d-3c76-4c10-9dc3-b316e52b3155/
-- https://capesandbox.com/analysis/1627/
-- https://www.hybrid-analysis.com/sample/45faf72e8f4f7aec4224b1b41773f8807c529d5d3da25c5bd83dd0e050bc7a96

- SHA256 hash: 05d18f286ab9fe4c18eeebd2fca461e3b259bf5c5b44ab1b37304dfba67fc819
- File size: 637,440 bytes
- File location: hxxp://107.172.221[.]106/images/imgpaper.png
- File description: Windows executable file for Trickbot, gtag lib713
- Analysis:
-- https://urlhaus.abuse.ch/url/347025/
-- https://app.any.run/tasks/ed45d774-f541-494f-83b7-b991c79e0867/
-- https://capesandbox.com/analysis/1626/
-- https://www.hybrid-analysis.com/sample/05d18f286ab9fe4c18eeebd2fca461e3b259bf5c5b44ab1b37304dfba67fc819

- SHA256 hash: 008d6dac88a54cacf184b46ccc6777abe88002802914f11139b575457579f67e
- File size: 359,424 bytes
- File location: hxxp://107.172.221[.]106/images/redcar.png
- File description: Windows executable file for Trickbot, gtag jim716
- Analysis:
-- https://urlhaus.abuse.ch/url/347024/
-- https://app.any.run/tasks/c5e01025-4972-480b-a796-c7e24a6626bf/
-- https://capesandbox.com/analysis/1628/
-- https://www.hybrid-analysis.com/sample/008d6dac88a54cacf184b46ccc6777abe88002802914f11139b575457579f67e