malware_traffic

Trickbot EXE files from ".png" URLs on Wednesday 2020-04-01

Apr 1st, 2020
TRICKBOT EXE FILES FROM .PNG URLs ON WEDNESDAY 2020-04-01

URLS:

- hxxp://23.95.238[.]106/images/cursor.png
- hxxp://23.95.238[.]106/images/imgpaper.png
- hxxp://23.95.238[.]106/images/redcar.png

NOTES:

- These URLs were first submitted to VirusTotal on Monday 2020-03-24 and were still active 8 days later as of Wednesday 2020-04-01.
- The HTTP request for cursor.png is caused by Trickbot's mshareDll module.
- The HTTP request for imgpaper.png is caused by Trickbot's tabDll module.
- The HTTP request for redcar.png is caused by Trickbot's mwormDll module.
- All of these URLs returned a Windows executable file (EXE).
- Each of these Trickbot EXE files has a different gtag.
- These URLs may return files with different hashes every time they are retrieved.

FILE INFO:

- SHA256 hash: a3f16a9e5863fc65768682d585a03c9d057dff428f24e116cacf2ef54636c82a
- File size: 547,328 bytes
- File location: hxxp://23.95.238[.]106/images/cursor.png
- File description: Windows executable file for Trickbot, gtag tot709
- Analysis:
-- https://urlhaus.abuse.ch/url/333590/
-- https://app.any.run/tasks/0dc3f516-a378-4632-aeb5-54f307b63c2e
-- https://capesandbox.com/analysis/22/
-- https://www.hybrid-analysis.com/sample/a3f16a9e5863fc65768682d585a03c9d057dff428f24e116cacf2ef54636c82a

- SHA256 hash: bbb674213b05d7b69952172208cca0d5b9d97f0f8e848e22351c86b769333c20
- File size: 547,328 bytes
- File location: hxxp://23.95.238[.]106/images/imgpaper.png
- File description: Windows executable file for Trickbot, gtag lib709
- Analysis:
-- https://urlhaus.abuse.ch/url/333589/
-- https://app.any.run/tasks/156a70ba-4140-4b42-9297-7a0fce1696f2
-- https://capesandbox.com/analysis/23/
-- https://www.hybrid-analysis.com/sample/bbb674213b05d7b69952172208cca0d5b9d97f0f8e848e22351c86b769333c20

- SHA256 hash: 144a3aabc4052782d66f8b436e60d4f5eee513c74af3493b74771419579e9c75
- File size: 525,312 bytes
- File location: hxxp://23.95.238[.]106/images/redcar.png
- File description: Windows executable file for Trickbot, gtag jim709
- Analysis:
-- https://urlhaus.abuse.ch/url/333588/
-- https://app.any.run/tasks/969ed189-7460-4ebf-b632-236404b061a6
-- https://capesandbox.com/analysis/24/
-- https://www.hybrid-analysis.com/sample/144a3aabc4052782d66f8b436e60d4f5eee513c74af3493b74771419579e9c75
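
A check for the pattern in the notes above, where a URL ending in .png returns a Windows EXE, as an added example that is not part of the original paste: it compares the URL's extension with the magic bytes of the response body. The function names, the placeholder hosts and the PE header stub are constructed for illustration.

```python
import struct
from urllib.parse import urlsplit

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".bmp", ".ico")

def is_pe(body: bytes) -> bool:
    # A PE file starts with a DOS "MZ" header; the 32-bit little-endian
    # field at offset 0x3C (e_lfanew) points at the "PE\0\0" signature.
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def refang(url: str) -> str:
    # Undo the hxxp / [.] defanging used in IoC notes so the URL parses.
    return url.replace("hxxp", "http", 1).replace("[.]", ".")

def exe_behind_image_url(url: str, body: bytes) -> bool:
    # Flag a response whose URL path has an image extension but whose
    # body is a PE file rather than image data.
    path = urlsplit(refang(url)).path.lower()
    return path.endswith(IMAGE_EXTS) and is_pe(body)

def make_pe_stub() -> bytes:
    # Constructed buffer holding only the fields is_pe() reads;
    # it is not a real or runnable executable.
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x4c\x01\x00\x00"

# Constructed sample responses: (URL, first bytes of the body).
SAMPLES = [
    ("hxxp://files.example[.]test/images/cursor.png", make_pe_stub()),
    ("http://files.example.test/images/logo.png", PNG_MAGIC + b"\x00\x00\x00\rIHDR"),
    ("http://files.example.test/setup.exe", make_pe_stub()),
]

def flagged(samples=SAMPLES):
    return [url for url, body in samples if exe_behind_image_url(url, body)]

if __name__ == "__main__":
    for url in flagged():
        print("PE body behind image URL:", url)
```

Because it matches on file structure rather than on a hash, the check still applies when the URLs return files with different hashes on each retrieval.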