malware_traffic

Trickbot propagation URLs on Friday 2020-06-19

Jun 19th, 2020
TRICKBOT PROPAGATION URLS ON FRIDAY 2020-06-19

URLS:

- hxxp://162.216.0[.]166/ico/VidT6cErs
- hxxp://162.216.0[.]166/images/cursor.png
- hxxp://162.216.0[.]166/images/imgpaper.png

NOTES:

- These URLs were noted as early as Wednesday 2020-06-16.
- These URLs appear to return a different file hash each time they are queried.

- The HTTP request for VidT6cErs is caused by Trickbot's nwormDll module (jim-series gtag).
- The HTTP request for cursor.png is caused by Trickbot's mshareDll module (tot-series gtag).
- The HTTP request for imgpaper.png is caused by Trickbot's tabDll module (lib-series gtag).

More info on the new "nworm" module used by Trickbot:

- https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/

$ file VidT6cErs cursor.png imgpaper.png
VidT6cErs: data
cursor.png: PE32 executable (GUI) Intel 80386, for MS Windows
imgpaper.png: PE32 executable (GUI) Intel 80386, for MS Windows

FILE INFO:

- SHA256 hash: 1ec9bdc03f0f642dc27730fe1be83dc9960c133bd3aadc163fcdc65d3b7740ca
- File size: 105,555 bytes
- File location: hxxp://162.216.0[.]166/ico/VidT6cErs
- File description: encoded binary (not an executable) associated with nwormDll for Trickbot, gtag jim750
- Analysis:
-- https://urlhaus.abuse.ch/url/399496/
-- https://app.any.run/tasks/2b0a7593-9ec5-474e-9197-cccb73b14825
-- https://capesandbox.com/analysis/9817/
-- https://www.hybrid-analysis.com/sample/1ec9bdc03f0f642dc27730fe1be83dc9960c133bd3aadc163fcdc65d3b7740ca

- SHA256 hash: 605a4c603284686d5d31831b7d9b34cd7cd639332c10c97d55dff2f7835ac2a0
- File size: 593,920 bytes
- File location: hxxp://162.216.0[.]166/images/cursor.png
- File description: Windows executable file associated with mshareDll for Trickbot, gtag tot750
- Analysis:
-- https://urlhaus.abuse.ch/url/399494/
-- https://app.any.run/tasks/6f6e9807-2a9f-4632-a23a-e74551072d2c
-- https://capesandbox.com/analysis/9808/
-- https://www.hybrid-analysis.com/sample/605a4c603284686d5d31831b7d9b34cd7cd639332c10c97d55dff2f7835ac2a0

- SHA256 hash: 05f9b81e3cfa7c83a4ddecd9978e4136f64a396622355497885e2209a4c28065
- File size: 593,920 bytes
- File location: hxxp://162.216.0[.]166/images/imgpaper.png
- File description: Windows executable file associated with tabDll for Trickbot, gtag lib750
- Analysis:
-- https://urlhaus.abuse.ch/url/399495/
-- https://app.any.run/tasks/b8900487-3fcf-454e-b8bb-82667f849ce0
-- https://capesandbox.com/analysis/9815/
-- https://www.hybrid-analysis.com/sample/05f9b81e3cfa7c83a4ddecd9978e4136f64a396622355497885e2209a4c28065
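Two things in the notes above are worth turning into a repeatable check: the files named *.png are really PE32 executables (what the `file` output shows), and the same URL hands back a different hash on every fetch, so a single-hash blocklist is useless and the URL/IP is the durable indicator. The script below is an added example, not code from the paste or from its author. It refangs the defanged URLs, does a minimal `file`-style type check (PNG magic, or MZ header with e_lfanew pointing at a "PE\0\0" signature, else "data"), flags image-named paths that carry a PE, and reports URLs whose hash varied across fetches. The response bodies are constructed stand-ins (a hand-built PE-shaped blob and a PNG header), not the real samples; `IMAGE_EXTENSIONS` and `example[.]invalid` are assumptions for the demo.

```python
import hashlib
import struct

# The three defanged URLs listed in the paste above.
DEFANGED_URLS = [
    "hxxp://162.216.0[.]166/ico/VidT6cErs",
    "hxxp://162.216.0[.]166/images/cursor.png",
    "hxxp://162.216.0[.]166/images/imgpaper.png",
]

# Assumed list of extensions that should never carry a PE payload.
IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif", ".ico", ".bmp")


def refang(url):
    """Undo hxxp / [.] defanging so an IOC can be matched against proxy logs."""
    return (url.replace("hxxp://", "http://")
               .replace("hxxps://", "https://")
               .replace("[.]", "."))


def identify(data):
    """Tiny stand-in for `file`: enough to tell PNG from PE from opaque data."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "PNG image"
    # MZ stub at 0, e_lfanew (offset of the PE signature) at 0x3C.
    if data.startswith(b"MZ") and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if len(data) >= e_lfanew + 6 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
            if machine == 0x14C:  # IMAGE_FILE_MACHINE_I386
                return "PE32 executable, Intel 80386"
            return "PE executable (machine 0x%04X)" % machine
    return "data"


def inspect_fetch(url, data):
    """Summarise one response body: hash, detected type, and whether the name lies."""
    path = refang(url).split("?", 1)[0].lower()
    ftype = identify(data)
    claims_image = path.endswith(IMAGE_EXTENSIONS)
    return {
        "url": url,
        "sha256": hashlib.sha256(data).hexdigest(),
        "type": ftype,
        "mismatch": claims_image and ftype.startswith("PE"),
    }


def polymorphic_urls(fetches):
    """URLs that returned more than one distinct SHA256 across fetches."""
    seen = {}
    for f in fetches:
        seen.setdefault(f["url"], set()).add(f["sha256"])
    return sorted(u for u, hashes in seen.items() if len(hashes) > 1)


def fake_pe32(tail=b""):
    """Constructed minimal PE32-shaped blob: MZ stub, e_lfanew -> 'PE\\0\\0', i386."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)          # PE header directly after it
    return bytes(dos) + b"PE\0\0" + struct.pack("<H", 0x14C) + b"\0" * 18 + tail


# Constructed sample "responses" standing in for the real downloads.
SAMPLE_FETCHES = [
    inspect_fetch(DEFANGED_URLS[0], b"\x8a\x11\x03\x99\x7f"),       # opaque blob, like VidT6cErs
    inspect_fetch(DEFANGED_URLS[1], fake_pe32(b"A")),               # cursor.png, first fetch
    inspect_fetch(DEFANGED_URLS[1], fake_pe32(b"B")),               # same URL, different bytes
    inspect_fetch(DEFANGED_URLS[2], fake_pe32()),                   # imgpaper.png
    inspect_fetch("hxxp://example[.]invalid/logo.png",
                  b"\x89PNG\r\n\x1a\n" + b"\0" * 16),               # a genuine PNG for contrast
]

if __name__ == "__main__":
    for f in SAMPLE_FETCHES:
        flag = "MISMATCH" if f["mismatch"] else "ok"
        print("%-8s %-30s %s  %s" % (flag, f["type"], f["sha256"][:16], refang(f["url"])))
    print("hash varies per fetch:", polymorphic_urls(SAMPLE_FETCHES))
```

In a proxy or sandbox pipeline the mismatch flag is the alert condition, and the per-fetch hash variation is the reason to pivot detection to the host 162.216.0[.]166 and the three paths rather than to any one SHA256 from the FILE INFO above.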