malware_traffic

Trickbot EXE files from ".png" URLs on Wednesday 2020-04-01

Apr 1st, 2020
TRICKBOT EXE FILES FROM .PNG URLs ON WEDNESDAY 2020-04-01

URLS:

- hxxp://23.95.238[.]106/images/cursor.png
- hxxp://23.95.238[.]106/images/imgpaper.png
- hxxp://23.95.238[.]106/images/redcar.png

NOTES:

- These URLs were first submitted to VirusTotal on Monday 2020-03-24 and were still active 8 days later as of Wednesday 2020-04-01.
- The HTTP request for cursor.png is caused by Trickbot's mshareDll module.
- The HTTP request for imgpaper.png is caused by Trickbot's tabDll module.
- The HTTP request for redcar.png is caused by Trickbot's mwormDll module.
- All of these URLs returned a Windows executable file (EXE) despite the .png extension.
- Each of these Trickbot EXE files has a different gtag.
- These URLs may return files with different hashes every time they are retrieved.
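Because the hashes change between retrievals, a hash-based block list is weak for this traffic; the stable signal is a ".png" URL or "image/*" Content-Type whose body starts with an MZ/PE header. The following check is an added example for a proxy log or sandbox pipeline, not code from the original paste; the URLs are the ones listed above, while the response bodies, Content-Type values and the example.invalid controls are constructed for the demonstration.

```python
from urllib.parse import urlsplit

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".bmp", ".ico")

def classify_body(body: bytes) -> str:
    """Coarse type from leading bytes: 'png', 'pe' (MZ + PE header), 'mz', or 'other'."""
    if body.startswith(PNG_MAGIC):
        return "png"
    if body.startswith(b"MZ"):
        if len(body) >= 0x40:
            e_lfanew = int.from_bytes(body[0x3C:0x40], "little")  # offset of "PE\0\0"
            if body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "pe"
        return "mz"  # MZ stub without a reachable PE header (truncated or odd file)
    return "other"

def claims_image(url: str, content_type: str) -> bool:
    """True if the URL path extension or the Content-Type header says 'image'."""
    path = urlsplit(url.replace("[.]", ".")).path.lower()  # tolerate defanged URLs
    return path.endswith(IMAGE_EXTS) or content_type.lower().startswith("image/")

def find_mismatches(responses):
    """Return (url, content_type, body_kind) for image-looking responses that carry executables."""
    hits = []
    for r in responses:
        kind = classify_body(r["body"])
        if kind in ("pe", "mz") and claims_image(r["url"], r.get("content_type", "")):
            hits.append((r["url"], r.get("content_type", ""), kind))
    return hits

def fake_pe() -> bytes:
    """Constructed minimal MZ/PE stub for the sample data (not a real executable)."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS header
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew points right after it
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20

# Constructed sample responses: the three paste URLs serving executables, plus a
# genuine PNG and an HTML page as controls that must not be flagged.
SAMPLE_RESPONSES = [
    {"url": "hxxp://23.95.238[.]106/images/cursor.png", "content_type": "image/png", "body": fake_pe()},
    {"url": "hxxp://23.95.238[.]106/images/imgpaper.png", "content_type": "image/png", "body": fake_pe()},
    {"url": "hxxp://23.95.238[.]106/images/redcar.png", "content_type": "image/png", "body": b"MZ\x90\x00"},
    {"url": "http://example.invalid/logo.png", "content_type": "image/png", "body": PNG_MAGIC + b"\x00" * 16},
    {"url": "http://example.invalid/index.html", "content_type": "text/html", "body": b"<html></html>"},
]

for url, ctype, kind in find_mismatches(SAMPLE_RESPONSES):
    print(f"ALERT {url}: declared {ctype or 'no content-type'} but body is {kind}")
```

Only the first few bytes of each body are needed, so the check can run on truncated captures; a redirect to the real file location is still caught because the classification uses the final body, not the original request.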

FILE INFO:

- SHA256 hash: a3f16a9e5863fc65768682d585a03c9d057dff428f24e116cacf2ef54636c82a
- File size: 547,328 bytes
- File location: hxxp://23.95.238[.]106/images/cursor.png
- File description: Windows executable file for Trickbot, gtag tot709
- Analysis:
-- https://urlhaus.abuse.ch/url/333590/
-- https://app.any.run/tasks/0dc3f516-a378-4632-aeb5-54f307b63c2e
-- https://capesandbox.com/analysis/22/
-- https://www.hybrid-analysis.com/sample/a3f16a9e5863fc65768682d585a03c9d057dff428f24e116cacf2ef54636c82a

- SHA256 hash: bbb674213b05d7b69952172208cca0d5b9d97f0f8e848e22351c86b769333c20
- File size: 547,328 bytes
- File location: hxxp://23.95.238[.]106/images/imgpaper.png
- File description: Windows executable file for Trickbot, gtag lib709
- Analysis:
-- https://urlhaus.abuse.ch/url/333589/
-- https://app.any.run/tasks/156a70ba-4140-4b42-9297-7a0fce1696f2
-- https://capesandbox.com/analysis/23/
-- https://www.hybrid-analysis.com/sample/bbb674213b05d7b69952172208cca0d5b9d97f0f8e848e22351c86b769333c20

- SHA256 hash: 144a3aabc4052782d66f8b436e60d4f5eee513c74af3493b74771419579e9c75
- File size: 525,312 bytes
- File location: hxxp://23.95.238[.]106/images/redcar.png
- File description: Windows executable file for Trickbot, gtag jim709
- Analysis:
-- https://urlhaus.abuse.ch/url/333588/
-- https://app.any.run/tasks/969ed189-7460-4ebf-b632-236404b061a6
-- https://capesandbox.com/analysis/24/
-- https://www.hybrid-analysis.com/sample/144a3aabc4052782d66f8b436e60d4f5eee513c74af3493b74771419579e9c75