Trickbot EXE files from ".png" URLs on Wednesday 2020-02-26

1. TRICKBOT EXE FILES FROM .PNG URLS ON WEDNESDAY 2020-02-26
2.  
3. URLS:
4.  
5. - hxxp://192.3.124[.]40/images/cursor.png
6. - hxxp://104.237.194[.]147/images/redcar.png
7.  
8. NOTES:
9.  
10. - The http request for cursor.png is caused by Trickbot's mshareDll module.
11. - The http request for redcar.png is caused by Trickbot's mwormDll module.
12. - Both of these URLs returned a Windows executable file (EXE).
13. - Both of these Trickbot EXE files have a different gtag.
14. - These URLs may return files with different hashes every time they are retrieved.
15.  
16. FILE INFO:
17.  
18. - SHA256 hash: d770d8764fc2445bf496c5df9d07b9239802ba5ac105a079f2f4d141123c218b
19. - File size: 524,288 bytes
20. - File location: hxxp://192.3.124[.]40/images/cursor.png
21. - File description: Windows executable file for Trickbot, gtag tot682
22. - Analysis:
23. -- https://urlhaus.abuse.ch/url/319183/
24. -- https://app.any.run/tasks/ad0fbb89-f3c1-4182-a452-c2bb5a784425
25. -- https://capesandbox.com/analysis/13335/
26. -- https://www.hybrid-analysis.com/sample/d770d8764fc2445bf496c5df9d07b9239802ba5ac105a079f2f4d141123c218b
27.  
28. - SHA256 hash: d370c3bd6863a821dc2a1229eea7241450c5994639c87e7c48562dae1b62fab9
29. - File size: 532,480 bytes
30. - File location: hxxp://104.237.194[.]147/images/redcar.png
31. - File description: Windows executable file for Trickbot, gtag jim682
32. - Analysis:
33. -- https://urlhaus.abuse.ch/url/319182/
34. -- https://app.any.run/tasks/
35. -- https://capesandbox.com/analysis/13336/
36. -- https://www.hybrid-analysis.com/sample/d370c3bd6863a821dc2a1229eea7241450c5994639c87e7c48562dae1b62fab9