ExecuteMalware

2020-06-29 Trickbot IOCs

Jun 29th, 2020
THREAT ATTRIBUTION: TRICKBOT

SUBJECTS OBSERVED
Products and solutions rates

SENDERS OBSERVED
Woodways <intake@ephomecare[.]com>

EMAIL BODY
Hello,

Earlier we've spoke, you asked me to return in touch in the end of july.
I could be a month early, but I figured it’d be seriously worth checking-in.

I've enclosed a price list as well as info pages which describe the total series of our products and services for your personal reference.
I anticipate receiving a reply from your side} {soon.

Kind Regards,

Adam Rivera
Woodways

MALDOC FILE HASHES
UOD_1490.xls
b9343a92b6b5b82a4b70ecf6e0206740

TRICKBOT PAYLOAD FILE HASHES
okYsjao[.]exe
4fdc6df3b378c716ff25423991b25a78

SECONDARY PAYLOAD FILE HASHES
cursor[.]png
76aebf3de7d58ecda30f49010ac9358a

imgpaper[.]png
51dd0b7ba2dd137e4ec0a7bfdc23c158

TRICKBOT PAYLOAD URLS
hxxps://feedingyourhealth[.]com/oprawilson/opwasaythatthisverygoodinfo[.]php

This is an open directory with dozens of Trickbot executables:
hxxps://feedingyourhealth[.]com/oprawilson/

SECONDARY PAYLOAD URLS
hxxp://23[.]95[.]231[.]200/images/imgpaper[.]png
hxxp://23[.]95[.]231[.]200/images/cursor[.]png

TRICKBOT C2
hxxp://170[.]238[.]117[.]187:8082/ono51
hxxp://203[.]176[.]135[.]102:8082/ono51

SUPPORTING EVIDENCE
https://twitter.com/malware_traffic/status/1277619624243314688
https://app.any.run/tasks/7dafa6d5-fc86-4872-a6c5-05e99afedd5e/
https://urlhaus.abuse.ch/url/400727/

https://urlhaus.abuse.ch/browse.php?search=feedingyourhealth.com%2Foprawilson%2F