malware_traffic

Trickbot EXE files from ".png" URLs on Wednesday 2020-02-26

Feb 26th, 2020
TRICKBOT EXE FILES FROM .PNG URLS ON WEDNESDAY 2020-02-26

URLS:

- hxxp://192.3.124[.]40/images/cursor.png
- hxxp://104.237.194[.]147/images/redcar.png

NOTES:

- The http request for cursor.png is caused by Trickbot's mshareDll module.
- The http request for redcar.png is caused by Trickbot's mwormDll module.
- Both of these URLs returned a Windows executable file (EXE).
- Both of these Trickbot EXE files have a different gtag.
- These URLs may return files with different hashes every time they are retrieved.

FILE INFO:

- SHA256 hash: d770d8764fc2445bf496c5df9d07b9239802ba5ac105a079f2f4d141123c218b
- File size: 524,288 bytes
- File location: hxxp://192.3.124[.]40/images/cursor.png
- File description: Windows executable file for Trickbot, gtag tot682
- Analysis:
-- https://urlhaus.abuse.ch/url/319183/
-- https://app.any.run/tasks/ad0fbb89-f3c1-4182-a452-c2bb5a784425
-- https://capesandbox.com/analysis/13335/
-- https://www.hybrid-analysis.com/sample/d770d8764fc2445bf496c5df9d07b9239802ba5ac105a079f2f4d141123c218b

- SHA256 hash: d370c3bd6863a821dc2a1229eea7241450c5994639c87e7c48562dae1b62fab9
- File size: 532,480 bytes
- File location: hxxp://104.237.194[.]147/images/redcar.png
- File description: Windows executable file for Trickbot, gtag jim682
- Analysis:
-- https://urlhaus.abuse.ch/url/319182/
-- https://app.any.run/tasks/
-- https://capesandbox.com/analysis/13336/
-- https://www.hybrid-analysis.com/sample/d370c3bd6863a821dc2a1229eea7241450c5994639c87e7c48562dae1b62fab9
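
ADDED EXAMPLE (not part of the original paste): because the notes say the hashes can change on every retrieval, a content check is more durable than hash matching. The sketch below flags an HTTP response whose URL path ends in an image extension while the body is a Windows PE file; the function names, the host.example URLs and the sample bytes are constructed for illustration.

```python
import struct
from pathlib import PurePosixPath
from urllib.parse import urlsplit

IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".bmp", ".ico"}
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def is_pe(body: bytes) -> bool:
    """True if body has a DOS 'MZ' header whose e_lfanew field points at a PE signature."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)  # offset of the PE header
    # An out-of-range offset yields an empty slice, so this is safe on junk input.
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def check_response(url: str, body: bytes) -> str:
    """Compare what the URL extension claims with what the body actually is."""
    ext = PurePosixPath(urlsplit(url).path).suffix.lower()
    if is_pe(body):
        return "ALERT: PE behind image URL" if ext in IMAGE_EXTS else "pe"
    if ext == ".png" and not body.startswith(PNG_MAGIC):
        return "suspicious: .png URL without PNG signature"
    return "ok"


def make_pe_stub() -> bytes:
    """Constructed sample: minimal byte layout that passes is_pe(), not a real binary."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    return bytes(dos) + b"PE\x00\x00" + bytes(20)


if __name__ == "__main__":
    # Constructed (url, body) pairs standing in for carved HTTP objects.
    samples = [
        ("http://host.example/images/cursor.png", make_pe_stub()),
        ("http://host.example/images/logo.png", PNG_MAGIC + bytes(16)),
        ("http://host.example/tools/setup.exe", make_pe_stub()),
    ]
    for url, body in samples:
        print(f"{check_response(url, body):28} {url}")
```

Feed it URL and body pairs from objects exported out of a pcap or from proxy logs that retain response bodies.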