malware_traffic

Trickbot EXE files from ".png" URLs on Wednesday 2020-02-19

Feb 19th, 2020
TRICKBOT EXE FILES FROM .PNG URLs ON WEDNESDAY 2020-02-19

URLS:

- hxxp://192.3.124[.]40/images/flygame.png
- hxxp://192.3.124[.]40/images/lastimg.png
- hxxp://192.3.124[.]40/images/mini.png

NOTES:

- The HTTP request for flygame.png is caused by Trickbot's mwormDll module.
- The HTTP request for lastimg.png is caused by Trickbot's tabDll module.
- The HTTP request for mini.png is caused by Trickbot's mshareDll module.
- All of these URLs returned a Windows executable file (EXE).
- Each of these Trickbot EXE files has a different gtag.
- These URLs may return files with different hashes every time they are retrieved.

FILE INFO:

- SHA256 hash: ce1c4a26527727cd309e0e656ab0afb4c1393cc8855e82d5af7f0c5a33e9727f
- File size: 995,904 bytes
- File location: hxxp://192.3.124[.]40/images/flygame.png
- File description: Windows executable file for Trickbot, gtag jim677
- Analysis:
-- https://urlhaus.abuse.ch/url/316356/
-- https://app.any.run/tasks/61d64951-50dd-48f2-acac-6f71957e81e3
-- https://capesandbox.com/analysis/12996/
-- https://www.hybrid-analysis.com/sample/ce1c4a26527727cd309e0e656ab0afb4c1393cc8855e82d5af7f0c5a33e9727f

- SHA256 hash: 7ddb90fd18c9b65f355e20f72fb263dcc07b7f4e51a518607b65876cdccc40ba
- File size: 990,272 bytes
- File location: hxxp://192.3.124[.]40/images/lastimg.png
- File description: Windows executable file for Trickbot, gtag lib677
- Analysis:
-- https://urlhaus.abuse.ch/url/316357/
-- https://app.any.run/tasks/9b7123d8-45dd-484f-a924-e400f222bfc7
-- https://capesandbox.com/analysis/12997/
-- https://www.hybrid-analysis.com/sample/7ddb90fd18c9b65f355e20f72fb263dcc07b7f4e51a518607b65876cdccc40ba

- SHA256 hash: 42550767cdc440db0a5037c1a0c80da955837d03258ed2b10f4ca17d2c3f7941
- File size: 990,272 bytes
- File location: hxxp://192.3.124[.]40/images/mini.png
- File description: Windows executable file for Trickbot, gtag tot677
- Analysis:
-- https://urlhaus.abuse.ch/url/316358/
-- https://app.any.run/tasks/e2114a94-37fb-46ea-8cd3-ec897ec5ab90
-- https://capesandbox.com/analysis/12998/
-- https://www.hybrid-analysis.com/sample/42550767cdc440db0a5037c1a0c80da955837d03258ed2b10f4ca17d2c3f7941
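
A detection check for the pattern in the notes above (a URL with an image extension returning a Windows executable), added here as an example and not part of the original paste. The hostnames, sample bodies and function names are constructed for illustration; the input is assumed to be the URL plus the first bytes of each reassembled HTTP response body.

```python
import struct
from urllib.parse import urlsplit

# Leading magic bytes expected for each image extension.
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def is_pe(body: bytes) -> bool:
    """True if body starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False  # truncated capture or not a DOS header
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def classify(url: str, body: bytes) -> str:
    """Return 'ok', 'pe-as-image', 'mismatch' or 'not-image' for one response."""
    path = urlsplit(url).path.lower()  # ignores any query string
    ext = next((e for e in IMAGE_MAGIC if path.endswith(e)), None)
    if ext is None:
        return "not-image"
    if body.startswith(IMAGE_MAGIC[ext]):
        return "ok"
    return "pe-as-image" if is_pe(body) else "mismatch"

def constructed_pe() -> bytes:
    """Constructed header-only sample: DOS header with e_lfanew=0x80, then PE signature."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x80)
    return dos.ljust(0x80, b"\x00") + b"PE\x00\x00" + b"\x00" * 20

# Constructed responses: (URL, first bytes of the response body).
SAMPLES = [
    ("http://files.example.test/images/logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("http://files.example.test/images/update.png", constructed_pe()),
    ("http://files.example.test/images/note.png?x=1", b"<html>404</html>"),
    ("http://files.example.test/setup.exe", constructed_pe()),
]

def flagged(samples=SAMPLES):
    """URLs whose extension claims an image but whose body is a PE file."""
    return [url for url, body in samples if classify(url, body) == "pe-as-image"]

if __name__ == "__main__":
    for url, body in SAMPLES:
        print(classify(url, body), url)
```

Because the notes say the hashes may change on every retrieval, a content check like this keeps working where a hash match would not.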