- TRICKBOT EXE FILES FROM .PNG URLS ON WEDNESDAY 2020-02-26
- URLS:
- - hxxp://192.3.124[.]40/images/cursor.png
- - hxxp://104.237.194[.]147/images/redcar.png
- NOTES:
- - The HTTP request for cursor.png is caused by Trickbot's mshareDll module.
- - The HTTP request for redcar.png is caused by Trickbot's mwormDll module.
- - Both of these URLs returned a Windows executable file (EXE).
- - The two Trickbot EXE files have different gtags.
- - These URLs may return files with different hashes every time they are retrieved.
- FILE INFO:
- - SHA256 hash: d770d8764fc2445bf496c5df9d07b9239802ba5ac105a079f2f4d141123c218b
- - File size: 524,288 bytes
- - File location: hxxp://192.3.124[.]40/images/cursor.png
- - File description: Windows executable file for Trickbot, gtag tot682
- - Analysis:
- -- https://urlhaus.abuse.ch/url/319183/
- -- https://app.any.run/tasks/ad0fbb89-f3c1-4182-a452-c2bb5a784425
- -- https://capesandbox.com/analysis/13335/
- -- https://www.hybrid-analysis.com/sample/d770d8764fc2445bf496c5df9d07b9239802ba5ac105a079f2f4d141123c218b
- - SHA256 hash: d370c3bd6863a821dc2a1229eea7241450c5994639c87e7c48562dae1b62fab9
- - File size: 532,480 bytes
- - File location: hxxp://104.237.194[.]147/images/redcar.png
- - File description: Windows executable file for Trickbot, gtag jim682
- - Analysis:
- -- https://urlhaus.abuse.ch/url/319182/
- -- https://app.any.run/tasks/
- -- https://capesandbox.com/analysis/13336/
- -- https://www.hybrid-analysis.com/sample/d370c3bd6863a821dc2a1229eea7241450c5994639c87e7c48562dae1b62fab9