malware_traffic

Trickbot EXE from .png URLs - Friday 2019-12-06

Dec 6th, 2019
TRICKBOT EXE FROM .PNG URLS AS OF FRIDAY 2019-12-06

URLS:

- hxxp://107.172.208[.]25/images/flygame.png
- hxxp://107.172.208[.]25/images/lastimg.png
- hxxp://107.172.208[.]25/images/mini.png

NOTES:

- The HTTP request for flygame.png is caused by Trickbot's mwormDll module.
- The HTTP request for lastimg.png is caused by Trickbot's tabDll module.
- The HTTP request for mini.png is caused by Trickbot's mshareDll module.
- All of these URLs returned a Windows executable file (EXE).
- Each of these Trickbot EXEs has a different gtag.
- I think these are different file hashes every time they are retrieved.

FILE INFO:

- SHA256 hash: 1c8ba04b3707188dde5c8757c3a0429c2800884f076595220bcaa4df78df4d12
- File size: 483,328 bytes
- File location: hxxp://107.172.208[.]25/images/flygame.png
- File description: Windows executable file for Trickbot
- Analysis:
-- https://urlhaus.abuse.ch/url/264580/
-- https://app.any.run/tasks/d33b4589-ce8d-45dd-be33-a2666f2c1962
-- https://cape.contextis.com/analysis/117022/
-- https://hybrid-analysis.com/sample/1c8ba04b3707188dde5c8757c3a0429c2800884f076595220bcaa4df78df4d12

- SHA256 hash: f0542bfb8ab680e87f618eacd723ee750dcc6413e1c5d43221417e90d747376e
- File size: 483,328 bytes
- File location: hxxp://107.172.208[.]25/images/lastimg.png
- File description: Windows executable file for Trickbot
- Analysis:
-- https://urlhaus.abuse.ch/url/264581/
-- https://app.any.run/tasks/a404c762-4bc6-4b68-9535-e5a44d57fd65
-- https://cape.contextis.com/analysis/117023/
-- https://hybrid-analysis.com/sample/f0542bfb8ab680e87f618eacd723ee750dcc6413e1c5d43221417e90d747376e

- SHA256 hash: 9f6aa474d89fa6a0c8e43c7aacea365559d7894c5aef66042837166b5d218b52
- File size: 483,328 bytes
- File location: hxxp://107.172.208[.]25/images/mini.png
- File description: Windows executable file for Trickbot
- Analysis:
-- https://urlhaus.abuse.ch/url/264582/
-- https://app.any.run/tasks/f0c1f91f-5d96-4533-9cf8-60fd4d277df6
-- https://cape.contextis.com/analysis/117024/
-- https://hybrid-analysis.com/sample/9f6aa474d89fa6a0c8e43c7aacea365559d7894c5aef66042837166b5d218b52
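
ADDED EXAMPLE (not part of the original paste): because the notes say the file hashes likely change on every retrieval, a content check is more durable than hash matching. The sketch below flags an HTTP response whose URL path claims an image but whose body parses as a Windows PE file. Function names, the extension list and the sample bodies are assumptions constructed for illustration; the stub bytes are not the Trickbot samples.

```python
import struct

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".bmp")  # assumed list


def is_pe(body: bytes) -> bool:
    """True if body has a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
    # Out-of-range offsets yield an empty slice, which fails the compare.
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(url_path: str, body: bytes) -> str:
    """Compare what the URL path claims with what the body actually is."""
    path = url_path.split("?", 1)[0].lower()
    claims_image = path.endswith(IMAGE_EXTS)
    if is_pe(body):
        return "pe-as-image" if claims_image else "pe"
    if claims_image and body.startswith(PNG_MAGIC):
        return "image-ok"
    return "other"


def make_stub_pe() -> bytes:
    """Constructed, inert header: 'MZ', e_lfanew=0x80, 'PE\\0\\0' at 0x80."""
    hdr = bytearray(0x84)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = b"PE\x00\x00"
    return bytes(hdr)


if __name__ == "__main__":
    # Constructed (path, body) pairs; paths reuse the names from the paste.
    samples = [
        ("/images/flygame.png", make_stub_pe()),
        ("/images/logo.png", PNG_MAGIC + b"\x00\x00\x00\rIHDR"),
        ("/files/setup.exe", make_stub_pe()),
        ("/images/mini.png", b"MZ" + b"A" * 100),  # 'MZ' text, not a PE
    ]
    for path, body in samples:
        print(f"{path:24} {classify(path, body)}")
```

In practice the body bytes would come from file extraction in a proxy or network sensor; only the first few hundred bytes of each response are needed.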