API tools faq
paste
Advertisement
malware_traffic

Trickbot EXE files from ".png" URLs on Monday 2020-04-20

malware_traffic
Apr 20th, 2020
12,022
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.60 KB | None | 0 0
raw download clone embed print report
  1. TRICKBOT EXE FILES FROM .PNG URLs ON MONDAY 2020-04-20
  2.  
  3. URLS:
  4.  
  5. - hxxp://107.172.221[.]106/images/cursor.png
  6. - hxxp://107.172.221[.]106/images/imgpaper.png
  7. - hxxp://107.172.221[.]106/images/redcar.png
  8.  
  9. NOTES:
  10.  
  11. - The http request for cursor.png is normally caused by Trickbot's mshareDll module.
  12. - The http request for imgpaper.png is normally caused by Trickbot's tabDll module.
  13. - The http request for redcar.png is normally caused by Trickbot's mwormDll module.
  14. - All of these URLs returned a Windows executable file (EXE).
  15. - These URLs appear to return files with different hashes every time they are retrieved.
  16. - The Trickbot gtag for redcar.png has advanced to "716" as the number at the end, while the gtag for cursor.png and imgpaper.png has stayed at "713". Note that redcar.png is a different type of PE32 executable (console instead of GUI).
  17.  
  18. $ file *.png
  19. cursor.png: PE32 executable (GUI) Intel 80386, for MS Windows
  20. imgpaper.png: PE32 executable (GUI) Intel 80386, for MS Windows
  21. redcar.png: PE32 executable (console) Intel 80386, for MS Windows
  22.  
  23. FILE INFO:
  24.  
  25. - SHA256 hash: 45faf72e8f4f7aec4224b1b41773f8807c529d5d3da25c5bd83dd0e050bc7a96
  26. - File size: 637,440 bytes
  27. - File location: hxxp://107.172.221[.]106/images/cursor.png
  28. - File description: Windows executable file for Trickbot, gtag tot713
  29. - Analysis:
  30. -- https://urlhaus.abuse.ch/url/347026/
  31. -- https://app.any.run/tasks/b5409a9d-3c76-4c10-9dc3-b316e52b3155/
  32. -- https://capesandbox.com/analysis/1627/
  33. -- https://www.hybrid-analysis.com/sample/45faf72e8f4f7aec4224b1b41773f8807c529d5d3da25c5bd83dd0e050bc7a96
  34.  
  35. - SHA256 hash: 05d18f286ab9fe4c18eeebd2fca461e3b259bf5c5b44ab1b37304dfba67fc819
  36. - File size: 637,440 bytes
  37. - File location: hxxp://107.172.221[.]106/images/imgpaper.png
  38. - File description: Windows executable file for Trickbot, gtag lib713
  39. - Analysis:
  40. -- https://urlhaus.abuse.ch/url/347025/
  41. -- https://app.any.run/tasks/ed45d774-f541-494f-83b7-b991c79e0867/
  42. -- https://capesandbox.com/analysis/1626/
  43. -- https://www.hybrid-analysis.com/sample/05d18f286ab9fe4c18eeebd2fca461e3b259bf5c5b44ab1b37304dfba67fc819
  44.  
  45. - SHA256 hash: 008d6dac88a54cacf184b46ccc6777abe88002802914f11139b575457579f67e
  46. - File size: 359,424 bytes
  47. - File location: hxxp://107.172.221[.]106/images/redcar.png
  48. - File description: Windows executable file for Trickbot, gtag jim716
  49. - Analysis:
  50. -- https://urlhaus.abuse.ch/url/347024/
  51. -- https://app.any.run/tasks/c5e01025-4972-480b-a796-c7e24a6626bf/
  52. -- https://capesandbox.com/analysis/1628/
  53. -- https://www.hybrid-analysis.com/sample/008d6dac88a54cacf184b46ccc6777abe88002802914f11139b575457579f67e
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!