2019-06-07 Trickbot

1. ATTACHMENT:
2. Server_Access_Validator_77276.html
3. 144a0b7098ba34579c9d250ee457b222
4. 7e21bac418ba6292dc74aef4b6d20f9970a1e2d2433943403dc6919699a22a9e
5.  
6. -HTML contains embedded .docm
7.  
8. PurchaseSummary.docm
9. b809f8cdd3b47daf44483efaf73b2a6b
10. e264f4f5aed488c2b34cfd1093d173c45092a7bd72d5e6f41c775364b01425cb
11.  
12. DOC RUNS MACROS TO CREATE JSCRIPT:
13. <random_file_name>
14. d2fdb991884569b31671c39f15324908
15. 069aaa2eee4821f0e650d18421b60efb3f1e8a42dfaf1cde920b5d0cab3ba29d
16.  
17. -jscript performs sandbox checks
18.  
19. JSCRIPT PULLS PAYLOAD FROM:
20. 185.159.82[.]237
21.  
22. PAYLOAD DELIVERED:
23. 7cefe28b26c1d28977eed8231ce67ffe
24. 7a1a960daa1cead0a4a6d16e999cb50f12b9693709fed692cfb80b0b86fdd672
25.  
26. BOTNET:
27. sat48
28.  
29. VERSION:
30. 1000433
31.  
32. C2s FROM CONFIG:
33. 103.117.232[.]198:449
34. 103.207.169[.]78:449
35. 103.74.89[.]24:449
36. 103.74.89[.]29:449
37. 103.74.89[.]43:449
38. 107.181.175[.]93:443
39. 117.242.39[.]160:449
40. 117.252.68[.]65:449
41. 146.196.122[.]152:449
42. 149.202.225[.]162:443
43. 164.132.138[.]136:443
44. 176.31.213[.]238:443
45. 177.103.240[.]149:449
46. 177.12.82[.]27:449
47. 177.183.194[.]194:449
48. 177.52.79[.]29:449
49. 180.250.197[.]188:449
50. 181.112.145[.]222:449
51. 181.115.168[.]69:449
52. 181.129.140[.]140:449
53. 181.129.49[.]98:449
54. 181.129.93[.]226:449
55. 181.196.61[.]110:449
56. 185.255.79[.]22:443
57. 186.138.152[.]228:449
58. 186.183.199[.]114:449
59. 186.42.186[.]202:449
60. 186.42.226[.]46:449
61. 187.58.56[.]26:449
62. 187.65.49[.]88:449
63. 189.80.134[.]122:449
64. 190.12.29[.]70:449
65. 190.13.160[.]19:449
66. 190.154.203[.]218:449
67. 191.37.181[.]152:449
68. 195.123.245[.]135:443
69. 200.35.56[.]81:449
70. 36.89.85[.]103:449
71. 45.250.66[.]10:449
72. 51.83.138[.]148:443
73. 80.87.197[.]224:443
74. 85.143.219[.]252:443
75. 89.223.94[.]15:443
76. 92.119.113[.]106:443
77. 92.63.99[.]106:443
78. 93.189.43[.]59:443