Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- TRICKBOT EXE FILES FROM .PNG URLs ON MONDAY 2020-04-20
- URLS:
- - hxxp://107.172.221[.]106/images/cursor.png
- - hxxp://107.172.221[.]106/images/imgpaper.png
- - hxxp://107.172.221[.]106/images/redcar.png
- NOTES:
- - The http request for cursor.png is normally caused by Trickbot's mshareDll module.
- - The http request for imgpaper.png is normally caused by Trickbot's tabDll module.
- - The http request for redcar.png is normally caused by Trickbot's mwormDll module.
- - All of these URLs returned a Windows executable file (EXE).
- - These URLs appear to return files with different hashes every time they are retrieved.
- - The Trickbot gtag for redcar.png has advanced to "716" as the number at the end, while the gtag for cursor.png and imgpaper.png has stayed at "713". Note that redcar.png is a different type of PE32 executable (console instead of GUI).
- $ file *.png
- cursor.png: PE32 executable (GUI) Intel 80386, for MS Windows
- imgpaper.png: PE32 executable (GUI) Intel 80386, for MS Windows
- redcar.png: PE32 executable (console) Intel 80386, for MS Windows
- FILE INFO:
- - SHA256 hash: 45faf72e8f4f7aec4224b1b41773f8807c529d5d3da25c5bd83dd0e050bc7a96
- - File size: 637,440 bytes
- - File location: hxxp://107.172.221[.]106/images/cursor.png
- - File description: Windows executable file for Trickbot, gtag tot713
- - Analysis:
- -- https://urlhaus.abuse.ch/url/347026/
- -- https://app.any.run/tasks/b5409a9d-3c76-4c10-9dc3-b316e52b3155/
- -- https://capesandbox.com/analysis/1627/
- -- https://www.hybrid-analysis.com/sample/45faf72e8f4f7aec4224b1b41773f8807c529d5d3da25c5bd83dd0e050bc7a96
- - SHA256 hash: 05d18f286ab9fe4c18eeebd2fca461e3b259bf5c5b44ab1b37304dfba67fc819
- - File size: 637,440 bytes
- - File location: hxxp://107.172.221[.]106/images/imgpaper.png
- - File description: Windows executable file for Trickbot, gtag lib713
- - Analysis:
- -- https://urlhaus.abuse.ch/url/347025/
- -- https://app.any.run/tasks/ed45d774-f541-494f-83b7-b991c79e0867/
- -- https://capesandbox.com/analysis/1626/
- -- https://www.hybrid-analysis.com/sample/05d18f286ab9fe4c18eeebd2fca461e3b259bf5c5b44ab1b37304dfba67fc819
- - SHA256 hash: 008d6dac88a54cacf184b46ccc6777abe88002802914f11139b575457579f67e
- - File size: 359,424 bytes
- - File location: hxxp://107.172.221[.]106/images/redcar.png
- - File description: Windows executable file for Trickbot, gtag jim716
- - Analysis:
- -- https://urlhaus.abuse.ch/url/347024/
- -- https://app.any.run/tasks/c5e01025-4972-480b-a796-c7e24a6626bf/
- -- https://capesandbox.com/analysis/1628/
- -- https://www.hybrid-analysis.com/sample/008d6dac88a54cacf184b46ccc6777abe88002802914f11139b575457579f67e
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement