malware_traffic

Trickbot EXE files from ".png" URLs on Friday 2020-04-10

Apr 10th, 2020
TRICKBOT EXE FILES FROM .PNG URLs ON FRIDAY 2020-04-10

URLS:

- hxxp://64.44.133[.]154/images/cursor.png
- hxxp://64.44.133[.]154/images/imgpaper.png
- hxxp://64.44.133[.]154/images/redcar.png

NOTES:

- At least one of these URLs was submitted to VirusTotal as early as Wednesday 2020-04-08.
- The HTTP request for cursor.png is caused by Trickbot's mshareDll module.
- The HTTP request for imgpaper.png is caused by Trickbot's tabDll module.
- The HTTP request for redcar.png is caused by Trickbot's mwormDll module.
- All of these URLs returned a Windows executable file (EXE) despite the .png extension.
- Each of these Trickbot EXEs has a different gtag.
- These URLs may return files with different hashes every time they are retrieved, so matching on the hashes listed below is unreliable; the image-extension-serving-an-EXE mismatch is the more durable signal.

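The notes above describe the detection-relevant property of this infrastructure: an image URL that serves a PE executable, with a hash that may change per download. The following Python script is an added example, not part of the original paste and not Trickbot analysis tooling from any project. It classifies a response body by magic bytes instead of URL extension, computes SHA256, and checks the hash against the three samples listed in this paste. The bodies it runs on are constructed stand-ins (hypothetical helpers `fake_pe()` and `fake_png()`), not real samples, so `known_hash` is expected to be false for all of them, which is exactly the point the notes make about rotating hashes.

```python
import hashlib
import struct

# The three SHA256 hashes listed in this paste (from the page; the files
# themselves are not included here).
KNOWN_TRICKBOT_SHA256 = {
    "5dc263d7f0ecb3a74e3d60fde5937b82c6538872b107dc86aab3a7a17d257f12",
    "4b2ce158a065f0bf1dbb821266e4a656458623598166680934223f9346c91d11",
    "2c04e6d8af5e083476086ce90d310f0ad8e13a30a9678392e912798f9a53c6fb",
}

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
IMAGE_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "bmp", "ico"}


def sniff(data: bytes) -> str:
    """Classify a response body by its magic bytes, ignoring the URL.

    Returns 'png' for a PNG signature, 'pe' for a DOS/MZ header whose
    e_lfanew points at a 'PE\\0\\0' signature, and 'unknown' otherwise.
    """
    if data[:8] == PNG_MAGIC:
        return "png"
    if len(data) >= 0x40 and data[:2] == b"MZ":
        # e_lfanew (offset 0x3C) gives the file offset of the PE signature.
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    return "unknown"


def extension_of(url: str) -> str:
    """Lower-cased extension of the URL path, '' if none (query string ignored)."""
    path = url.split("?", 1)[0].split("#", 1)[0]
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def triage(url: str, body: bytes) -> dict:
    """Summarise one download: size, SHA256, sniffed type, and two verdicts.

    'mismatch' (image extension but PE content) is the durable signal;
    'known_hash' only matches if the server handed out one of the exact
    samples listed in the paste, which the notes say it may not do twice.
    """
    kind = sniff(body)
    sha256 = hashlib.sha256(body).hexdigest()
    return {
        "url": url,
        "size": len(body),
        "sha256": sha256,
        "detected": kind,
        "mismatch": extension_of(url) in IMAGE_EXTENSIONS and kind == "pe",
        "known_hash": sha256 in KNOWN_TRICKBOT_SHA256,
    }


def fake_pe() -> bytes:
    """Constructed stand-in for a downloaded EXE (not Trickbot): a 64-byte
    DOS header with e_lfanew = 0x40, followed by the PE signature."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


def fake_png() -> bytes:
    """Constructed stand-in for a genuine PNG: signature plus an IHDR chunk header."""
    return PNG_MAGIC + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17


def run_demo() -> list:
    """Triage the three URLs from the paste against constructed bodies."""
    base = "hxxp://64.44.133[.]154/images/"
    downloads = [
        (base + "cursor.png", fake_pe()),    # what the paste observed: EXE behind .png
        (base + "imgpaper.png", fake_pe()),
        (base + "redcar.png", fake_png()),   # what a benign image response would look like
    ]
    return [triage(url, body) for url, body in downloads]


if __name__ == "__main__":
    for r in run_demo():
        flag = "SUSPECT" if r["mismatch"] else "ok"
        print(f"{flag:7} {r['detected']:7} {r['size']:>7} {r['sha256'][:16]}... {r['url']}")
```

In a proxy or sandbox pipeline the same `triage()` would be fed the real response body; the `mismatch` verdict fires on any PE served under an image extension, regardless of which gtag or hash the server hands out that time.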
FILE INFO:

- SHA256 hash: 5dc263d7f0ecb3a74e3d60fde5937b82c6538872b107dc86aab3a7a17d257f12
- File size: 637,440 bytes
- File location: hxxp://64.44.133[.]154/images/cursor.png
- File description: Windows executable file for Trickbot, gtag tot713
- Analysis:
-- https://urlhaus.abuse.ch/url/338121/
-- https://app.any.run/tasks/97865e8b-8d76-4490-9c88-bedf110f74a5/
-- https://capesandbox.com/analysis/893/
-- https://www.hybrid-analysis.com/sample/5dc263d7f0ecb3a74e3d60fde5937b82c6538872b107dc86aab3a7a17d257f12

- SHA256 hash: 4b2ce158a065f0bf1dbb821266e4a656458623598166680934223f9346c91d11
- File size: 637,440 bytes
- File location: hxxp://64.44.133[.]154/images/imgpaper.png
- File description: Windows executable file for Trickbot, gtag lib713
- Analysis:
-- https://urlhaus.abuse.ch/url/338122/
-- https://app.any.run/tasks/1a3a29e-6c9d-42cc-bb22-f7cb31eff0f5/
-- https://capesandbox.com/analysis/894/
-- https://www.hybrid-analysis.com/sample/4b2ce158a065f0bf1dbb821266e4a656458623598166680934223f9346c91d11

- SHA256 hash: 2c04e6d8af5e083476086ce90d310f0ad8e13a30a9678392e912798f9a53c6fb
- File size: 638,976 bytes
- File location: hxxp://64.44.133[.]154/images/redcar.png
- File description: Windows executable file for Trickbot, gtag jim713
- Analysis:
-- https://urlhaus.abuse.ch/url/338123/
-- https://app.any.run/tasks/97ee36e5-ff5b-4e53-b6de-a1c9673e3f67/
-- https://capesandbox.com/analysis/895/
-- https://www.hybrid-analysis.com/sample/2c04e6d8af5e083476086ce90d310f0ad8e13a30a9678392e912798f9a53c6fb