malware_traffic

Trickbot EXE files from ".png" URLs on Wednesday 2020-03-04

Mar 4th, 2020
TRICKBOT EXE FILES FROM .PNG URLs ON WEDNESDAY 2020-03-04

URLS:

- hxxp://198.23.130[.]69/images/cursor.png
- hxxp://198.23.130[.]69/images/imgpaper.png
- hxxp://198.23.130[.]69/images/redcar.png

NOTES:

- The HTTP request for cursor.png is caused by Trickbot's mshareDll module.
- The HTTP request for imgpaper.png is caused by Trickbot's tabDll module.
- The HTTP request for redcar.png is caused by Trickbot's mwormDll module.
- All of these URLs returned a Windows executable file (EXE), despite the .png extension in the URL.
- Each of these Trickbot EXEs has a different gtag.
- These URLs may return files with different hashes every time they are retrieved, so the hashes below should not be the only indicator relied on.

FILE INFO:

- SHA256 hash: e39468abf20701e4e146010eba9c2be958bb9a053cc7dfa661f627da656b0fb8
- File size: 655,360 bytes
- File location: hxxp://198.23.130[.]69/images/cursor.png
- File description: Windows executable file for Trickbot, gtag tot689
- Analysis:
-- https://urlhaus.abuse.ch/url/321304/
-- https://app.any.run/tasks/a1a37486-a2d2-4c6d-bc23-351b44cb169a
-- https://capesandbox.com/analysis/13645/
-- https://www.hybrid-analysis.com/sample/e39468abf20701e4e146010eba9c2be958bb9a053cc7dfa661f627da656b0fb8

- SHA256 hash: 5bfb2703f7370af12d9e85269103ede103f69c70a0b86c988e9e71592e9d2aa3
- File size: 655,360 bytes
- File location: hxxp://198.23.130[.]69/images/imgpaper.png
- File description: Windows executable file for Trickbot, gtag lib689
- Analysis:
-- https://urlhaus.abuse.ch/url/321606/
-- https://app.any.run/tasks/f54c10e8-8fde-486f-8c2a-0228c77f71b7
-- https://capesandbox.com/analysis/13646/
-- https://www.hybrid-analysis.com/sample/5bfb2703f7370af12d9e85269103ede103f69c70a0b86c988e9e71592e9d2aa3

- SHA256 hash: d632ed81ed111cfe68ddd71f51fe9d6d49c7035f2f275344f44928f8bf7f0bea
- File size: 643,123 bytes
- File location: hxxp://198.23.130[.]69/images/redcar.png
- File description: Windows executable file for Trickbot, gtag jim689
- Analysis:
-- https://urlhaus.abuse.ch/url/321607/
-- https://app.any.run/tasks/589704eb-ca0f-49e4-ba7a-e262cce310bc
-- https://capesandbox.com/analysis/13647/
-- https://www.hybrid-analysis.com/sample/d632ed81ed111cfe68ddd71f51fe9d6d49c7035f2f275344f44928f8bf7f0bea
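The detection point in the notes above is that an image URL (.png) returned a Windows executable, and that the hashes can change on every retrieval. The following Python is an added example (not part of the original paste) showing how a defender can check captured HTTP response bodies for that pattern: it sniffs the real file type from magic bytes (PNG signature vs. MZ/PE header), flags any body whose declared image extension does not match the sniffed type, and, as a secondary check, looks the SHA256 up against the three hashes listed in this paste. The response bodies below are constructed stand-ins (a minimal fake PE header and a bare PNG signature), so their hashes will not match the real samples; only the extension/type mismatch rule fires on them.

```python
import hashlib

# SHA256 hashes of the three Trickbot EXEs listed in the paste above.
TRICKBOT_SHA256 = {
    "e39468abf20701e4e146010eba9c2be958bb9a053cc7dfa661f627da656b0fb8": "cursor.png, gtag tot689",
    "5bfb2703f7370af12d9e85269103ede103f69c70a0b86c988e9e71592e9d2aa3": "imgpaper.png, gtag lib689",
    "d632ed81ed111cfe68ddd71f51fe9d6d49c7035f2f275344f44928f8bf7f0bea": "redcar.png, gtag jim689",
}

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
MZ_MAGIC = b"MZ"
IMAGE_EXTS = {"png", "jpg", "jpeg", "gif", "bmp", "ico"}


def sniff_type(body: bytes) -> str:
    """Identify a body by its leading bytes: 'png', 'pe', 'mz' (DOS stub only) or 'unknown'."""
    if body.startswith(PNG_MAGIC):
        return "png"
    if body.startswith(MZ_MAGIC) and len(body) >= 0x40:
        # DOS header field e_lfanew (offset 0x3c) points at the "PE\0\0" signature.
        e_lfanew = int.from_bytes(body[0x3C:0x40], "little")
        if body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
        return "mz"
    return "unknown"


def classify_response(url: str, body: bytes) -> dict:
    """Compare the extension the URL claims with what the body actually is, and hash it."""
    name = url.rsplit("/", 1)[-1]
    declared = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    actual = sniff_type(body)
    sha256 = hashlib.sha256(body).hexdigest()
    return {
        "url": url,
        "sha256": sha256,
        "declared": declared,
        "actual": actual,
        # An image URL delivering an MZ/PE payload is the behaviour documented above.
        "mismatch": declared in IMAGE_EXTS and actual in ("pe", "mz"),
        # Hash match is a weaker signal here because the server may serve a new build each time.
        "known": TRICKBOT_SHA256.get(sha256),
    }


def scan(responses) -> list:
    """Return the classification records that warrant an alert (mismatch or known hash)."""
    results = [classify_response(url, body) for url, body in responses]
    return [r for r in results if r["mismatch"] or r["known"]]


# Constructed sample bodies (not real malware): a minimal PE-shaped header, a DOS-stub-only
# blob, and a bare PNG signature. The URLs are the defanged ones from the paste.
FAKE_PE = (MZ_MAGIC + b"\x00" * (0x3C - 2) + (0x40).to_bytes(4, "little")
           + b"PE\x00\x00" + b"\x00" * 16)
FAKE_MZ_ONLY = MZ_MAGIC + b"\x00" * 100
FAKE_PNG = PNG_MAGIC + b"\x00" * 8

SAMPLE_RESPONSES = [
    ("hxxp://198.23.130[.]69/images/cursor.png", FAKE_PE),
    ("hxxp://198.23.130[.]69/images/imgpaper.png", FAKE_PNG),
    ("hxxp://198.23.130[.]69/images/redcar.png", FAKE_MZ_ONLY),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RESPONSES):
        print(f"ALERT {alert['url']}: declared .{alert['declared']} but body is "
              f"{alert['actual']} (sha256 {alert['sha256'][:16]}..., known={alert['known']})")
```

In practice the (url, body) pairs would come from a proxy log or a pcap carved with a tool of your choice; the mismatch rule is what keeps catching this infrastructure when the served EXE (and therefore its hash) changes between retrievals.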