malware_traffic

2020-04-17: Trickbot gtag ono38 from password-protected XLS

Apr 17th, 2020
2020-04-17 - MALSPAM WITH PASSWORD-PROTECTED XLS ATTACHMENTS PUSHES TRICKBOT GTAG ONO38

EXAMPLES OF THE ATTACHMENTS:

- 0c1feebda781b4bf6528427d43704d1bc2e7b39169f7811dc18505825a7f1ba1 DOC-1__1112.xls
- 2a4e322125e34daf6eee61f5fd0f3a9c07421f058b046ee700f28d65a98c6140 DOC-1__971.xls
- 2e6ca2c90fbce4efc0e2d0dc5988554e3c200bd4d5d381925a3b917eb62a197e DOC-1__312.xls
- 488d0c32e2c96fbeb7801d08cefc555a07abbfc4f1b5e952a612b0c029ef2f11 DOC-1_179.xls
- 54f8cf240f312c029540d0daff91a0b4959b90f2eb103f3f232ec71c18df4f3f AMD_02_1808.xls
- 64f6f90d17a2b2f4c7a089c8d5175a6706a9a9c7ae1fe517d785d914f1b1fb3e AMD_02_1577.xls
- 6596b48af0381a59ce8a2e6105427948e348337401dbcbf1de79494cb6eae80c DOC-1__794.xls
- 6c17901a4f11e82de3244e2a0d61e3af01d605ec4160558d0cc06a4f7bf6fcfd AMD_02_1484.xls
- a10814d7bc9babcb3410d4ab0908f027fc9c2a529be91ed1522ca073756a014f AMD_02_2467.xls
- b939ebcfa526308b4952fcbd26dd40ba9131995d93ff6ea286fda68bbead8ddb DOC-1__189.xls
- d630d699d68538a8153f5bc31aa333dc4a837a1b4aadead3979ca0cd88600b2b DOC-1__207.xls
- dd7f014663098403cf5fbea89a22dfe2c13c52e73ef25eb066315bfdad065479 AMD_02_2624.xls

NOTE:

- For the above files, the password is: apr17

URL FOR TRICKBOT EXE (GTAG ONO38) AFTER ENABLING XLS MACROS:

- hxxps://mitsui-jyuku[.]mixh[.]jp/uploads/rooky.php

TRICKBOT EXE (GTAG ONO38):

- 1771251db0764c8bd2a203ffaca932b685236255c23cd60e11a0c7d246cb87cf
- 19bb363f39d3cc5512494a601fc9a78d9336dd70695df4ad4178f3d4361ce79a
- 2c9d552a7121900f366c09adcb6dccfb4967248bc19d8eb90d4c8fa128a883a8
- dfc4890b72d1759141362ceb52859f9affd38182bbc2f32b6bd9b8ce2c93af48
- eb1298b79b05b420cf831d2ad7270a714a9a74c6371a7fc9b26d940c7bdc4ea6

INFO FROM EMAIL EXAMPLE:

Received: from smtp.smtpout.orange.fr ([80.12.242.126]) by [removed] for [removed];
Fri, 17 Apr 2020 11:40:17 -0700
Received: from wwinf1u35 ([10.223.74.109])
by mwinf5d08 with ME
id TugB2200S2MUzoS03ugB7n; Fri, 17 Apr 2020 20:40:11 +0200
Reply-To: "Mark Baker" <bea.quentin@orange.fr>
From: "Mark Baker" <bea.quentin@orange.fr>
To: [removed]
Subject: Insurance 44452
Date: Fri, 17 Apr 2020 14:40:11 -0400
Message-ID: <297480736.20627.1587148811263.JavaMail.www@wwinf1u35>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0064_01D614D1.A86F11A0"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQFi8OW5P4UzPtlW779XdZkCzmMSMQ==

This is a multipart message in MIME format.

------=_NextPart_000_0064_01D614D1.A86F11A0
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0065_01D614D1.A86F11A0"


------=_NextPart_001_0065_01D614D1.A86F11A0
Content-Type: text/plain;
charset="UTF-8"
Content-Transfer-Encoding: 7bit

See enclosed #44452/44452 valid certificate.


Current password: apr17



------=_NextPart_001_0065_01D614D1.A86F11A0
Content-Type: text/html;
boundary="----=_Part_20625_582389572.1587148811258";
charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div class style=3D"font-family:garamond, new york, times, =
serif;font-size:13px;"><div class=3D3D"" style=3D3D"line-height: 1.15;"> =
<span style=3D"font-family:'Verdana' , =
sans-serif;font-size:16px;font-weight:bold">See enclosed #44452/44452 =
valid certificate.<br> <p>Current password: <b>apr17</b> </div>
<br></div>
------=_NextPart_001_0065_01D614D1.A86F11A0--

------=_NextPart_000_0064_01D614D1.A86F11A0
Content-Type: application/octet-stream;
name="AMD_02_2624.xls"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="AMD_02_2624.xls"
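Added triage example, not part of the paste and not the analyst's own tooling: a Python script that parses a message modelled on the header and body excerpt above, pulls out the Received chain, the first non-private relay IP, the attachment names and the password quoted in the body, and flags the lure pattern this campaign uses (an Office attachment plus a password handed over in the message text). The sample message is constructed from the excerpt; the [removed] fields are kept as they appear there, the attachment body is a placeholder rather than the real XLS, and the function names and the KNOWN_XLS_SHA256 set (the attachment hashes listed in the paste) are this example's own.

```python
import email
import hashlib
import ipaddress
import re

# Constructed sample modelled on the header/body excerpt in the paste.
# [removed] fields are left as they appear there; the attachment body is a
# placeholder ("PLACEHOLDER" in base64), not the real XLS.
SAMPLE_EMAIL = """\
Received: from smtp.smtpout.orange.fr ([80.12.242.126]) by [removed] for [removed];
 Fri, 17 Apr 2020 11:40:17 -0700
Received: from wwinf1u35 ([10.223.74.109])
 by mwinf5d08 with ME
 id TugB2200S2MUzoS03ugB7n; Fri, 17 Apr 2020 20:40:11 +0200
Reply-To: "Mark Baker" <bea.quentin@orange.fr>
From: "Mark Baker" <bea.quentin@orange.fr>
To: [removed]
Subject: Insurance 44452
Date: Fri, 17 Apr 2020 14:40:11 -0400
Message-ID: <297480736.20627.1587148811263.JavaMail.www@wwinf1u35>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0064_01D614D1.A86F11A0"

------=_NextPart_000_0064_01D614D1.A86F11A0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit

See enclosed #44452/44452 valid certificate.

Current password: apr17

------=_NextPart_000_0064_01D614D1.A86F11A0
Content-Type: application/octet-stream; name="AMD_02_2624.xls"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="AMD_02_2624.xls"

UExBQ0VIT0xERVI=
------=_NextPart_000_0064_01D614D1.A86F11A0--
"""

# SHA256 values of the password-protected XLS attachments listed in the paste.
KNOWN_XLS_SHA256 = frozenset({
    "0c1feebda781b4bf6528427d43704d1bc2e7b39169f7811dc18505825a7f1ba1",
    "2a4e322125e34daf6eee61f5fd0f3a9c07421f058b046ee700f28d65a98c6140",
    "2e6ca2c90fbce4efc0e2d0dc5988554e3c200bd4d5d381925a3b917eb62a197e",
    "488d0c32e2c96fbeb7801d08cefc555a07abbfc4f1b5e952a612b0c029ef2f11",
    "54f8cf240f312c029540d0daff91a0b4959b90f2eb103f3f232ec71c18df4f3f",
    "64f6f90d17a2b2f4c7a089c8d5175a6706a9a9c7ae1fe517d785d914f1b1fb3e",
    "6596b48af0381a59ce8a2e6105427948e348337401dbcbf1de79494cb6eae80c",
    "6c17901a4f11e82de3244e2a0d61e3af01d605ec4160558d0cc06a4f7bf6fcfd",
    "a10814d7bc9babcb3410d4ab0908f027fc9c2a529be91ed1522ca073756a014f",
    "b939ebcfa526308b4952fcbd26dd40ba9131995d93ff6ea286fda68bbead8ddb",
    "d630d699d68538a8153f5bc31aa333dc4a837a1b4aadead3979ca0cd88600b2b",
    "dd7f014663098403cf5fbea89a22dfe2c13c52e73ef25eb066315bfdad065479",
})

OFFICE_EXT = (".xls", ".xlsb", ".xlsm", ".doc", ".docm")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
PASSWORD_RE = re.compile(r"password\s*[:=]\s*(\S+)", re.IGNORECASE)


def received_hops(msg):
    """Relay IPs from the Received chain, top of the header block first."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = IP_RE.search(hdr)
        if m:
            hops.append(m.group(1))
    return hops


def origin_ip(hops):
    """First hop outside private address space, i.e. the sending MTA we saw."""
    return next((ip for ip in hops if not ipaddress.ip_address(ip).is_private), None)


def plain_text(msg):
    """Concatenate the decoded text/plain parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyse(raw_message):
    """Extract triage facts and flag the 'password in body + Office attachment' lure."""
    msg = email.message_from_string(raw_message)
    hops = received_hops(msg)
    names, matches = [], []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        names.append(name)
        digest = hashlib.sha256(part.get_payload(decode=True) or b"").hexdigest()
        if digest in KNOWN_XLS_SHA256:
            matches.append(name)
    pw = PASSWORD_RE.search(plain_text(msg))
    has_office = any(n.lower().endswith(OFFICE_EXT) for n in names)
    return {
        "hops": hops,
        "origin_ip": origin_ip(hops),
        "subject": msg.get("Subject"),
        "attachments": names,
        "body_password": pw.group(1) if pw else None,
        "ioc_match": matches,
        "lure_detected": has_office and pw is not None,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The hash check is exact-match only, so it covers the twelve attachments above and nothing else; the lure heuristic (Office attachment plus a password in the body) is what generalises to the next wave of this campaign, which is why the script reports both separately. On the constructed sample the placeholder attachment naturally yields no hash match while the lure is still flagged.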